2
edits
Difference between revisions of "Securing XMPP"
Jump to navigation
Jump to search
m
→Metronome: Correct broken links
(Use YAML syntax for the ejabberd configuration file snippet.) |
m (→Metronome: Correct broken links) |
||
| (7 intermediate revisions by 3 users not shown) | |||
| Line 1: | Line 1: | ||
== | == Clients == | ||
need to add something... | |||
== Servers == | |||
* | An XMPP Server is considered secure when the following (minimum) items are present: | ||
* | * The server is running with a server certificate | ||
* | * The server is configured to not allow any cleartext communications - S2S and C2S | ||
* | * The server supports XEP-198 | ||
* ... | |||
=== Step1: Get a server certificate=== | |||
Let's say you run an XMPP service for <code>example.net</code> (jids of user@example.net), you will need to order a certificate for with a subject or alt-name of <code>example.net</code> (not <code>server.example.net</code>) from your preferred cert provider. | |||
== | === Step 2: Disable cleartext connections === | ||
These instructions will disable any cleartext communication between servers and client connections. | |||
== | ==== ejabberd ==== | ||
Make sure that your ''ejabberd.yml'' contains the [http://docs.ejabberd.im/admin/guide/configuration/#listening-ports following settings]. | |||
* For ejabberd >= 17.12 list all available PEM files in this top-level option | |||
certfiles: | |||
- "/etc/ejabberd/*.pem" | |||
* For client- | * For client-to-server connections: | ||
listen: | listen: | ||
- | - | ||
| Line 27: | Line 28: | ||
module: ejabberd_c2s | module: ejabberd_c2s | ||
starttls_required: true | starttls_required: true | ||
certfile: "/etc/ejabberd/certificate.pem" | # For ejabberd < 17.12 | ||
# certfile: "/etc/ejabberd/certificate.pem" | |||
* For server- | * For server-to-server connections: | ||
s2s_use_starttls: required | s2s_use_starttls: required | ||
s2s_certfile: "/etc/ejabberd/certificate.pem" | # For ejabberd < 17.12 | ||
# s2s_certfile: "/etc/ejabberd/certificate.pem" | |||
Further help: | Further help: | ||
* Homepage: [https://ejabberd.im/ ejabberd | * Homepage: [https://www.ejabberd.im/ ejabberd IM] | ||
* Chatroom: [xmpp:ejabberd@conference. | * Chatroom: [xmpp:ejabberd@conference.process-one.net?join ejabberd@conference.process-one.net] | ||
* Documentation: [ | * Documentation: [http://docs.ejabberd.im/admin/guide/ ejabberd Installation and Operation Guide] | ||
=== Prosody === | ==== Prosody ==== | ||
Ensure that ''prosody.cfg.lua'' contains the following settings in the [https://prosody.im/doc/configure#overview global section] of your config, or under the specific <code>VirtualHost</code> you want to secure: | Ensure that ''prosody.cfg.lua'' contains the following settings in the [https://prosody.im/doc/configure#overview global section] of your config, or under the specific <code>VirtualHost</code> you want to secure: | ||
c2s_require_encryption = true | c2s_require_encryption = true | ||
| Line 48: | Line 51: | ||
* Documentation: [https://prosody.im/doc/security Prosody.IM: Security] | * Documentation: [https://prosody.im/doc/security Prosody.IM: Security] | ||
=== Metronome === | ==== Metronome ==== | ||
In Metronome's latest development tip, encryption requirement is the default setting, as long as TLS capability | In Metronome's latest development tip, encryption requirement is the default setting, as long as TLS capability | ||
is available, and no configuration change is needed. Otherwise ensure that ''metronome.cfg.lua'' contains the | is available, and no configuration change is needed. Otherwise ensure that ''metronome.cfg.lua'' contains the | ||
| Line 56: | Line 59: | ||
Further help: | Further help: | ||
* Homepage: [ | * Homepage: [https://metronome.im Metronome IM] | ||
* Chatroom: [xmpp:grimoire@muc.metronome.im?join grimoire@muc.metronome.im] | * Chatroom: [xmpp:grimoire@muc.metronome.im?join grimoire@muc.metronome.im] | ||
* Documentation: [ | * Documentation: [https://metronome.im/documentation metronome.im/documentation] | ||
=== Tigase === | ==== Tigase ==== | ||
See http://www.tigase.org/content/vhost-tls-required for more details: | See http://www.tigase.org/content/vhost-tls-required for more details: | ||
--vhost-tls-required = true | --vhost-tls-required = true | ||
| Line 77: | Line 80: | ||
* Documentation: [http://www.tigase.org/admin-guide Admin guide] | * Documentation: [http://www.tigase.org/admin-guide Admin guide] | ||
=== Openfire === | ==== Openfire ==== | ||
# Open the Openfire administration console | # Open the Openfire administration console | ||
# Go to '''Server Settings''' under '''Server''' | # Go to '''Server Settings''' under '''Server''' | ||
| Line 90: | Line 93: | ||
* Documentation: [http://igniterealtime.org/projects/openfire/documentation.jsp Openfire documentation] | * Documentation: [http://igniterealtime.org/projects/openfire/documentation.jsp Openfire documentation] | ||
== Step 3: Check your XMPP Security == | === Step 3: Check your XMPP Server Security === | ||
[http://xmpp.net/ Test your XMPP security] to be sure. | [http://xmpp.net/ Test your XMPP security] to be sure. | ||
= Encryption Manifesto (archived) = | |||
== Aim: Encrypt All XMPP Connections == | |||
This page provides instructions for XMPP server administrators to secure XMPP client and server connections ready for the following [https://github.com/stpeter/manifesto/blob/master/manifesto.txt ubiquitous encryption manifesto] test days: | |||
* January 4, 2014 - first test day requiring encryption | |||
* February 22, 2014 - second test day | |||
* March 22, 2014 - third test day | |||
* April 19, 2014 - fourth test day | |||
* May 19, 2014 - '''permanent upgrade''' to encrypted network | |||
To achieve this, we need to: | |||
* Encrypt connections between clients and servers (C2S) | |||
* Encrypt server to server connections (S2S) | |||