This page provides instructions for XMPP server administrators to secure XMPP client and server connections.
See http://www.tigase.org/content/vhost-tls-required for more details
 --vhost-tls-required = true
By default Tigase reads each VHost's certificate from the ''certs/'' subdirectory, matching the domain name against the .pem filename of the certificate. Alternatively, the certificate for a particular vhost can be specified explicitly in init.properties:
 basic-conf/virt-hosts-cert-<domain>=path/to/cert.pem
==Securing connections between XMPP servers==
Configuration
 c2s_require_encryption = true   -- clients must STARTTLS before they may authenticate
 s2s_require_encryption = true   -- refuse unencrypted server-to-server streams
 s2s_secure_auth = true          -- peers must present a valid certificate; dialback alone is not accepted
 s2s_insecure_domains = { "gmail.com" } -- Google doesn't support encrypted connections
 ssl = {
   key = "/etc/prosody/certs/example.org.pem";
   certificate = "/etc/prosody/certs/example.org.pem";
   cafile = "/etc/prosody/certs/your-ca-cert(s).pem";
   dhparam = "/etc/prosody/certs/dh-2048.pem";
   -- "!EDH" below excludes every DHE suite, so dhparam is only used if that exclusion is dropped
   ciphers = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:!RC4:HIGH:!MD5:!aNULL:!EDH";
   options = {"no_sslv2", "no_sslv3", "no_ticket", "no_compression"};
 }
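To verify that the settings above actually take effect, the following probe speaks the first leg of the XMPP stream handshake (RFC 6120) over plain TCP, reads the server's <stream:features>, and reports whether STARTTLS is advertised as required, optional, or not at all. This is an added example written for this page, not code from Prosody or Tigase. It assumes the server uses the conventional <code>stream</code> prefix and, for the s2s listener on 5269, that it sends its features before seeing a <code>from</code> attribute; the sample greetings at the bottom are constructed for the offline self-check.

```python
"""Probe whether an XMPP server advertises STARTTLS as required."""
import re
import socket
import xml.etree.ElementTree as ET

NS_STREAMS = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"

# Matches a complete <stream:features> element, self-closing or not.
# Assumes the server uses the conventional "stream" prefix.
_FEATURES_RE = re.compile(r"<stream:features(?:\s*/>|.*?</stream:features>)", re.S)


def classify_starttls(greeting: str) -> str:
    """Return 'required', 'optional' or 'absent' for the STARTTLS feature.

    greeting is the raw text the server sent after our stream header. The
    <stream:stream> it opens is not closed at this point, so the
    <stream:features> element is cut out and re-wrapped in a closed root that
    declares the stream: prefix, which makes it parseable with ElementTree.
    """
    match = _FEATURES_RE.search(greeting)
    if match is None:
        raise ValueError("server greeting contains no <stream:features> element")
    wrapped = (f'<stream:stream xmlns:stream="{NS_STREAMS}" xmlns="jabber:client">'
               f"{match.group(0)}</stream:stream>")
    root = ET.fromstring(wrapped)
    starttls = root.find(f"{{{NS_STREAMS}}}features/{{{NS_TLS}}}starttls")
    if starttls is None:
        return "absent"
    if starttls.find(f"{{{NS_TLS}}}required") is not None:
        return "required"
    return "optional"


def probe_starttls(host: str, port: int = 5222, domain: str = "",
                   s2s: bool = False, timeout: float = 5.0) -> str:
    """Connect to host:port, open a stream to `domain` and classify STARTTLS.

    Use port 5269 and s2s=True for the server-to-server listener; the stream
    then uses the jabber:server namespace. Assumption: the server sends its
    features before it sees a `from` attribute.
    """
    domain = domain or host
    xmlns = "jabber:server" if s2s else "jabber:client"
    header = (f"<?xml version='1.0'?><stream:stream to='{domain}' xmlns='{xmlns}' "
              f"xmlns:stream='{NS_STREAMS}' version='1.0'>")
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(header.encode())
        while not _FEATURES_RE.search(buf.decode("utf-8", "replace")):
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
        sock.sendall(b"</stream:stream>")  # close the stream politely
    return classify_starttls(buf.decode("utf-8", "replace"))


# Constructed sample greetings for the offline self-check (not captured from a real server).
SAMPLE_REQUIRED = (
    "<?xml version='1.0'?><stream:stream xmlns='jabber:client' "
    f"xmlns:stream='{NS_STREAMS}' id='c1' from='example.org' version='1.0'>"
    f"<stream:features><starttls xmlns='{NS_TLS}'><required/></starttls>"
    "<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>"
    "<mechanism>PLAIN</mechanism></mechanisms></stream:features>"
)
SAMPLE_OPTIONAL = SAMPLE_REQUIRED.replace("<required/>", "")
SAMPLE_ABSENT = (
    "<?xml version='1.0'?><stream:stream xmlns='jabber:client' "
    f"xmlns:stream='{NS_STREAMS}' id='c2' from='example.org' version='1.0'>"
    "<stream:features/>"
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) >= 2:
        want_s2s = "--s2s" in sys.argv
        print(probe_starttls(sys.argv[1], port=5269 if want_s2s else 5222, s2s=want_s2s))
    else:
        for name, sample in [("required", SAMPLE_REQUIRED),
                             ("optional", SAMPLE_OPTIONAL),
                             ("absent", SAMPLE_ABSENT)]:
            print(name, "->", classify_starttls(sample))
```

With <code>c2s_require_encryption</code> and <code>s2s_require_encryption</code> set, the probe should report "required" on both 5222 and 5269; "optional" means a client or peer can still authenticate in the clear, and "absent" means no TLS is offered at all.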
=== Prosody (secure delegation with DANE) === | |||
* DNS: You need to be working with a [http://www.icann.org/en/news/in-focus/dnssec/deployment registrar that supports DNSSEC]
=== Tigase (single domain) ===
* TLS for s2s connections is enabled by default; there is no option to configure it as ''required''
* certain domains can be configured to skip TLS for s2s with the following configuration (more information: [http://www.tigase.org/content/s2s-skip-tls-hostnames --s2s-skip-tls-hostnames]):
 --s2s-skip-tls-hostnames = domain1,domain2
=== Tigase (secure delegation for running multiple domains) ===
* certificate configuration is the same as described in section [[#Securing client connections]]
* no support for DANE/DNSSEC
=== Openfire ===
???