Difference between revisions of "Securing XMPP"

1,887 bytes added, 11:31, 2 April 2018
(→‎ejabberd: bug report from Klaus Seistrup)
m (→‎Metronome: Correct broken links)
(12 intermediate revisions by 4 users not shown)
== Clients ==
need to add something...
 
== Servers ==
An XMPP server is considered secure only when at least the following are in place:
* The server presents a certificate issued for its XMPP domain
* The server is configured to refuse any cleartext communication, both S2S and C2S
* The server supports XEP-0198 (Stream Management)
* ...
 
=== Step 1: Get a server certificate ===
Say you run an XMPP service for <code>example.net</code> (JIDs of the form user@example.net). You then need a certificate whose subject or subject alternative name is <code>example.net</code>, not <code>server.example.net</code>, from your preferred certificate provider: clients and peer servers validate the certificate against the domain part of the JID, not against the hostname your SRV records point to.
 
=== Step 2: Disable cleartext connections ===
These instructions make every server-to-server (S2S) and client-to-server (C2S) connection refuse to proceed without TLS.


==== ejabberd ====
Make sure that your ''ejabberd.yml'' contains the [http://docs.ejabberd.im/admin/guide/configuration/#listening-ports following settings].

* For ejabberd >= 17.12, list all available PEM files in this top-level option (older releases take the file name per listener, see the commented lines below):
 certfiles:
   - "/etc/ejabberd/*.pem"

* For client-to-server connections:
 listen:
   -
     port: 5222
     module: ejabberd_c2s
     starttls_required: true
     # For ejabberd < 17.12
     # certfile: "/etc/ejabberd/certificate.pem"

* For server-to-server connections:
 s2s_use_starttls: required
 # For ejabberd < 17.12
 # s2s_certfile: "/etc/ejabberd/certificate.pem"

<code>required</code> only forces the peer to encrypt; it still accepts a peer server whose certificate does not validate. Use <code>s2s_use_starttls: required_trusted</code> if you also want to reject such peers.


Further help:
* Homepage: [https://www.ejabberd.im/ ejabberd IM]
* Chatroom: [xmpp:ejabberd@conference.process-one.net?join ejabberd@conference.process-one.net]
* Documentation: [http://docs.ejabberd.im/admin/guide/ ejabberd Installation and Operation Guide]

Older releases that still read the Erlang-term ''ejabberd.cfg'' take the equivalent settings:
 % Ordinary client-2-server service
 {listen,
  [{5222, ejabberd_c2s, [{access, c2s},
                         starttls_required, {certfile, "/etc/ssl/certs/ejabberd.pem"},
                         {shaper, c2s_shaper}]}
  ]}.
 % Use STARTTLS+Dialback for S2S connections
 {s2s_use_starttls, required}.
 {s2s_certfile, "/etc/ejabberd/ejabberd.pem"}.


==== Prosody ====
Ensure that ''prosody.cfg.lua'' contains the following settings in the [https://prosody.im/doc/configure#overview global section] of your config, or under the specific <code>VirtualHost</code> you want to secure:
   c2s_require_encryption = true
''(unchanged lines not shown in this diff)''

Requiring encryption does not by itself authenticate the peer server; Prosody's <code>s2s_secure_auth = true</code> additionally rejects peers whose certificate does not validate.

Further help:
* Homepage: [https://prosody.im/ Prosody IM]
* Chatroom: [https://prosody.im/chat/ prosody@conference.prosody.im]
* Documentation: [https://prosody.im/doc/security Prosody.IM: Security]


==== Metronome ====
In Metronome's current development tip, requiring encryption is the default whenever TLS is available, so no configuration change is needed. Otherwise, ensure that ''metronome.cfg.lua'' contains the following settings in the global section of your configuration:
  c2s_require_encryption = true
  s2s_require_encryption = true
 
Further help:
* Homepage: [https://metronome.im Metronome IM]
* Chatroom: [xmpp:grimoire@muc.metronome.im?join grimoire@muc.metronome.im]
* Documentation: [https://metronome.im/documentation metronome.im/documentation]
 
==== Tigase ====
See http://www.tigase.org/content/vhost-tls-required for more details:
  --vhost-tls-required = true
''(unchanged lines not shown in this diff)''
  --s2s-skip-tls-hostnames = domain1,domain2

<code>--s2s-skip-tls-hostnames</code> exempts the listed remote domains from TLS, so every domain you put there talks to you in cleartext; leave it empty unless a peer genuinely cannot do TLS.

For improved security Tigase offers a "[http://www.tigase.org/content/hardened-mode hardened mode]", which turns off the workarounds for SSL issues, disables SSLv2, enables only the more secure cipher suites and makes StartTLS mandatory:
  --hardened-mode=true

Further help:
* Homepage: [http://www.tigase.org/ Tigase.org]
* Documentation: [http://www.tigase.org/admin-guide Admin guide]
 
==== Openfire ====
# Open the Openfire administration console
# Go to '''Server Settings''' under '''Server'''
# ''(unchanged steps not shown in this diff)''
# Done!

Further help:
* Homepage: [http://igniterealtime.org/projects/openfire/ Openfire]
* Chatroom: [xmpp:open_chat@conference.igniterealtime.org?join open_chat@conference.igniterealtime.org]
* Documentation: [http://igniterealtime.org/projects/openfire/documentation.jsp Openfire documentation]
 
=== Step 3: Check your XMPP Server Security ===
[http://xmpp.net/ Test your XMPP security] to be sure.
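The checks that Step 1 and Step 2 ask for, as an added example that is not part of this page or of any of the server projects above: it opens a C2S stream per RFC 6120, classifies the server's STARTTLS advertisement (required, optional or absent), negotiates TLS and verifies that the certificate is issued for the XMPP domain rather than for the host behind the SRV record. The sample stanzas and certificate dictionaries inside are constructed, not captured from a real server; the live path only runs when a domain is passed on the command line.

```python
"""Check an XMPP server for mandatory STARTTLS and a certificate valid for its domain.

Added example for this page, not code from the wiki or from any server project.
The stream header, <stream:features/> handling and STARTTLS negotiation follow
RFC 6120; the samples at the bottom are constructed for offline use.
"""
from __future__ import annotations

import socket
import ssl
import sys
import xml.etree.ElementTree as ET

NS_STREAM = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"


def starttls_policy(features_xml: str) -> str:
    """Classify a <stream:features/> element: "required", "optional" or "none".

    "required" means <starttls> carries <required/>, i.e. the server refuses to
    continue in cleartext (what Step 2 configures). The fragment is wrapped in a
    stream root so the stream: prefix resolves for the XML parser.
    """
    wrapped = (f'<stream:stream xmlns:stream="{NS_STREAM}" xmlns="jabber:client">'
               f"{features_xml}</stream:stream>")
    features = ET.fromstring(wrapped).find(f"{{{NS_STREAM}}}features")
    starttls = None if features is None else features.find(f"{{{NS_TLS}}}starttls")
    if starttls is None:
        return "none"
    return "required" if starttls.find(f"{{{NS_TLS}}}required") is not None else "optional"


def cert_matches_domain(cert: dict, domain: str) -> bool:
    """True if a certificate (ssl.getpeercert() dict form) covers the XMPP domain.

    Step 1 of the page: the reference identity is the domain from the JID
    (example.net), never the SRV target host. dNSName SANs are checked first; the
    subject CN is only a fallback when the certificate has no SAN at all. One
    leftmost wildcard label is honoured ("*.example.net" covers "chat.example.net"
    but not "example.net" itself).
    """
    want = domain.lower().rstrip(".")
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    for name in (n.lower().rstrip(".") for n in names):
        if name == want:
            return True
        if name.startswith("*.") and "." in want and name[2:] == want.split(".", 1)[1]:
            return True
    return False


def _read_until(sock: socket.socket, markers: tuple[bytes, ...], limit: int = 65536) -> bytes:
    """Read until one of the markers appears, the peer closes, or the limit is hit."""
    buf = b""
    while not any(m in buf for m in markers) and len(buf) < limit:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def check_server(domain: str, host: str | None = None, port: int = 5222) -> dict:
    """Open a cleartext C2S stream, classify STARTTLS, negotiate TLS, check the cert.

    `host` is the _xmpp-client._tcp SRV target (defaults to the domain). Returns
    {"policy": ..., "cert_ok": ...}; cert_ok stays None when TLS never started.
    The chain is validated against the system trust store; the name check is the
    XMPP-specific one from cert_matches_domain(), so check_hostname is off.
    """
    result = {"policy": "none", "cert_ok": None}
    with socket.create_connection((host or domain, port), timeout=10) as sock:
        sock.sendall(
            f"<?xml version='1.0'?><stream:stream to='{domain}' version='1.0' "
            f"xmlns='jabber:client' xmlns:stream='{NS_STREAM}'>".encode()
        )
        reply = _read_until(sock, (b"</stream:features>", b"<stream:features/>"))
        start = reply.find(b"<stream:features")
        if start < 0:
            return result
        result["policy"] = starttls_policy(reply[start:].decode())
        if result["policy"] == "none":
            return result
        sock.sendall(f"<starttls xmlns='{NS_TLS}'/>".encode())
        if b"<proceed" not in _read_until(sock, (b"/>",)):
            result["cert_ok"] = False
            return result
        ctx = ssl.create_default_context()
        ctx.check_hostname = False  # name check is done against the XMPP domain below
        with ctx.wrap_socket(sock, server_hostname=domain) as tls:  # SNI = XMPP domain
            result["cert_ok"] = cert_matches_domain(tls.getpeercert(), domain)
    return result


# Constructed samples (not captured from any real server) for the offline checks.
FEATURES_REQUIRED = (f'<stream:features><starttls xmlns="{NS_TLS}"><required/></starttls>'
                     '<mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">'
                     '<mechanism>PLAIN</mechanism></mechanisms></stream:features>')
FEATURES_OPTIONAL = f'<stream:features><starttls xmlns="{NS_TLS}"/></stream:features>'
FEATURES_CLEARTEXT = ('<stream:features><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"/>'
                      '</stream:features>')
CERT_FOR_DOMAIN = {"subjectAltName": (("DNS", "example.net"), ("DNS", "*.example.net"))}
CERT_FOR_HOST = {"subjectAltName": (("DNS", "server.example.net"),)}  # the Step 1 mistake

if __name__ == "__main__":
    if len(sys.argv) > 1:  # live check: python check_xmpp.py example.net [srv-target-host]
        print(check_server(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None))
    else:
        for label, feats in (("required", FEATURES_REQUIRED), ("optional", FEATURES_OPTIONAL),
                             ("cleartext", FEATURES_CLEARTEXT)):
            print(label, "->", starttls_policy(feats))
        print("cert for domain:", cert_matches_domain(CERT_FOR_DOMAIN, "example.net"))
        print("cert for host only:", cert_matches_domain(CERT_FOR_HOST, "example.net"))
```

A server that passes Step 2 answers <code>required</code>; <code>optional</code> means clients can still log in over cleartext, and <code>none</code> means the listener has no TLS at all. A <code>cert_ok</code> of <code>False</code> with a chain that validates is the Step 1 mistake: the certificate names the host, not the domain.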
= Encryption Manifesto (archived) =
== Aim: Encrypt All XMPP Connections ==
This page provides instructions for XMPP server administrators to secure XMPP client and server connections ready for the following [https://github.com/stpeter/manifesto/blob/master/manifesto.txt ubiquitous encryption manifesto] test days:
* January 4, 2014 - first test day requiring encryption
* February 22, 2014 - second test day
* March 22, 2014 - third test day
* April 19, 2014 - fourth test day
* May 19, 2014 - '''permanent upgrade''' to encrypted network
To achieve this, we need to:
* Encrypt connections between clients and servers (C2S)
* Encrypt server to server connections (S2S)