216
edits
Difference between revisions of "Securing XMPP"
Jump to navigation
Jump to search
m
no edit summary
(→Prosody: Fix config file name, rephrase sentence and link to docs) |
Neustradamus (talk | contribs) m |
||
| (2 intermediate revisions by the same user not shown) | |||
| Line 2: | Line 2: | ||
This page provides instructions for XMPP server administrators to secure XMPP client and server connections ready for the following [https://github.com/stpeter/manifesto/blob/master/manifesto.txt ubiquitous encryption manifesto] test days: | This page provides instructions for XMPP server administrators to secure XMPP client and server connections ready for the following [https://github.com/stpeter/manifesto/blob/master/manifesto.txt ubiquitous encryption manifesto] test days: | ||
* January 4, 2014 - first test day requiring encryption | * January 4, 2014 - first test day requiring encryption | ||
* February 22, 2014 - second test day | * February 22, 2014 - second test day | ||
| Line 10: | Line 9: | ||
To achieve this, we need to: | To achieve this, we need to: | ||
* encrypt connections between clients and servers (c2s) | * encrypt connections between clients and servers (c2s) | ||
* encrypt server to server connections (s2s) | * encrypt server to server connections (s2s) | ||
== Step1: Get a server certificate== | == Step1: Get a server certificate== | ||
Let's say you run an XMPP service for <code>example.com</code> (jids of user@example.com), you will need to order a certificate for with a subject or alt-name of <code>example.com</code> (not <code>servername.example.com</code>) from your preferred cert provider ([http://startssl.com/ StartSSL] offers free certificates and is quite good). | |||
Let's say you run an XMPP service for <code>example.com</code> (jids of user@example.com), you will need to order a certificate for with a subject or alt-name of <code>example.com</code> (not <code>servername.example.com</code>) from your preferred cert provider ([http://startssl.com/ StartSSL] offers free certificates and is quite good) | |||
== Step 2: Configure your DNS == | == Step 2: Configure your DNS == | ||
Ensure that the following DNS records are set: | Ensure that the following DNS records are set: | ||
_xmpp-server._tcp.example.com. 18000 IN SRV 0 5 5269 servername.example.com. | _xmpp-server._tcp.example.com. 18000 IN SRV 0 5 5269 servername.example.com. | ||
servername.example.com. 18000 A 10.10.10.10 # you must have an A record for your server | servername.example.com. 18000 A 10.10.10.10 # you must have an A record for your server | ||
| Line 27: | Line 22: | ||
You can test your DNS setup at [http://xmpp.net xmpp.net] | You can test your DNS setup at [http://xmpp.net xmpp.net] | ||
== Step 3: | == Step 3: Disable cleartext connections == | ||
These instructions will disable any cleartext communication between servers and client connections. | |||
=== ejabberd === | |||
Configure ejabberd.conf | Configure ejabberd.conf | ||
% Ordinary client-2-server service | % Ordinary client-2-server service | ||
[{5222, ejabberd_c2s, [{access, c2s}, | [{5222, ejabberd_c2s, [{access, c2s}, | ||
| Line 42: | Line 36: | ||
=== Prosody === | === Prosody === | ||
Ensure that ''prosody.cfg.lua'' contains the following settings in the [https://prosody.im/doc/configure#overview global section] of your config, or under the specific <code>VirtualHost</code> you want to secure: | Ensure that ''prosody.cfg.lua'' contains the following settings in the [https://prosody.im/doc/configure#overview global section] of your config, or under the specific <code>VirtualHost</code> you want to secure: | ||
c2s_require_encryption = true | c2s_require_encryption = true | ||
s2s_require_encryption = true | s2s_require_encryption = true | ||
Further help: | Further help: | ||
* Chatroom: [https://prosody.im/chat/ prosody@conference.prosody.im] | * Chatroom: [https://prosody.im/chat/ prosody@conference.prosody.im] | ||
* Documentation: [https://prosody.im/doc/security Prosody.IM: Security] | * Documentation: [https://prosody.im/doc/security Prosody.IM: Security] | ||
=== Tigase === | === Tigase === | ||
See http://www.tigase.org/content/vhost-tls-required for more details: | |||
See http://www.tigase.org/content/vhost-tls-required for more details | |||
--vhost-tls-required = true | --vhost-tls-required = true | ||
By default Tigase will read VHosts certificates from ''certs/'' subdirectory match domain name against .pem filename of the certificate. Alternatively configuration for particular vhost certificate could be specified explicitly in init.properties: | By default Tigase will read VHosts certificates from ''certs/'' subdirectory match domain name against .pem filename of the certificate. Alternatively configuration for particular vhost certificate could be specified explicitly in init.properties: | ||
basic-conf/virt-hosts-cert-<domain>=path/to/cert.pem | basic-conf/virt-hosts-cert-<domain>=path/to/cert.pem | ||
| Line 66: | Line 55: | ||
=== Openfire === | === Openfire === | ||
??? | |||
== Step 4: Check your XMPP Security == | |||
[http://xmpp.net Test your XMPP security] to be sure. | |||