Difference between revisions of "Securing XMPP"

1,424 bytes added ,  13:29, 12 November 2013
no edit summary
(4 intermediate revisions by the same user not shown)
Line 1: Line 1:
=Security and Encryption in XMPP=
This page provides instructions for XMPP server administrators to secure XMPP client and server connections.
This page provides instructions for XMPP server administrators to secure XMPP client and server connections.
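Review bot: the level-1 heading `=Security and Encryption in XMPP=` sits at the same level as the page title, while every other section in this diff uses `==` and `===`; MediaWiki body sections conventionally start at `==`, so consider demoting it (or dropping it, since the page title already states the topic) so the table of contents nests the server-specific subsections correctly.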


Line 66: Line 64:
See http://www.tigase.org/content/vhost-tls-required for more details
See http://www.tigase.org/content/vhost-tls-required for more details
  --vhost-tls-required = true
  --vhost-tls-required = true
By default Tigase will read VHosts certificates from ''certs/'' subdirectory match domain name against .pem filename of the certificate. Alternatively configuration for particular vhost certificate could be specified explicitly in init.properties:
basic-conf/virt-hosts-cert-<domain>=path/to/cert.pem


==Securing connections between XMPP servers==
==Securing connections between XMPP servers==
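Review bot: the `basic-conf/virt-hosts-cert-<domain>=path/to/cert.pem` line is a configuration key but lacks the leading space that puts the option above it (`--vhost-tls-required = true`) into a preformatted block, so it will render as running prose and the `<domain>` placeholder risks being treated as markup; indent it and say explicitly that `<domain>` is replaced by the literal vhost name. The sentence before it also needs a grammar fix: "read VHosts certificates from certs/ subdirectory match domain name against .pem filename" should read "read vhost certificates from the certs/ subdirectory, matching the domain name against the certificate's .pem filename", ideally with one concrete filename the reader can copy.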
Line 80: Line 81:
Configuration
Configuration


s2s_secure_auth = true
s2s_insecure_domains = { "gmail.com" } -- Google doesn't support encrypted connections


=== Prosody (secure delegation for running multiple domains) ===  
  c2s_require_encryption = true
  s2s_require_encryption = true
  s2s_secure_auth = true
  s2s_insecure_domains = { "gmail.com" }  -- Google doesn't support encrypted connections
  ssl                    = {
                          key        = "/etc/prosody/certs/example.org.pem";
                          certificate = "/etc/prosody/certs/example.org.pem";
                          cafile      = "/etc/prosody/certs/your-ca-cert(s).pem";
                          dhparam    = "/etc/prosody/certs/dh-2048.pem";
                          ciphers    = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:!RC4:HIGH:!MD5:!aNULL:!EDH";
                          options    = {"no_sslv2", "no_sslv3", "no_ticket", "no_compression"};
                          }
 
=== Prosody (secure delegation with DANE) ===  


* DNS: You need to be working with a [http://www.icann.org/en/news/in-focus/dnssec/deployment registrar that supports DNSSEC]
* DNS: You need to be working with a [http://www.icann.org/en/news/in-focus/dnssec/deployment registrar that supports DNSSEC]
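Review bot: the `ciphers` string in the new Prosody block ends with `!EDH`, which excludes every ephemeral DH suite, so the `dhparam = "/etc/prosody/certs/dh-2048.pem"` entry two lines above it is never used; either drop `!EDH` (the ECDHE suites listed first stay preferred and the 2048-bit parameters then back any DHE fallback) or drop the `dhparam` line, so the example is self-consistent. Also, `key` and `certificate` both point to `example.org.pem`; say that this only works when that single file contains both the private key and the certificate chain, otherwise a reader will point `key` at a certificate-only file and the listener will fail to start. Minor: both new `===` headings carry trailing whitespace.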
Line 107: Line 119:


=== Tigase (single domain) ===
=== Tigase (single domain) ===
???
 
* TLS for s2s connection is enabled by default; no option to configure it as ''required''
* certain domains can be configured to skip TLS for s2s with following configuration (more information: [http://www.tigase.org/content/s2s-skip-tls-hostnames --s2s-skip-tls-hostnames]):
  --s2s-skip-tls-hostnames = domain1,domain2
 
=== Tigase (secure delegation for running multiple domains) ===
=== Tigase (secure delegation for running multiple domains) ===
???
 
* certificate configuration is same as described in section [[#Securing client connections]]
* no support for DANE/DNSSEC
 
=== Openfire ===
=== Openfire ===


???
???
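Review bot: the `[[#Securing client connections]]` link in the Tigase multi-domain bullet must match an existing heading text exactly or it renders as a dead anchor; the client-connection section is not part of this hunk, so confirm that heading reads "Securing client connections" verbatim. The first Tigase bullet says s2s TLS is on by default with no way to make it required; pairing that with the `--s2s-skip-tls-hostnames = domain1,domain2` bullet is fine, but spell out that traffic to the listed domains is then unencrypted, since that is the exact risk this page is about. The Openfire section still reads `???`; mark it as to-be-written rather than publishing the placeholder.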