(→Openfire: Click is a silly word)
(→Tigase)
Line 1: | Line 1: | ||
== Aim: Encrypt All XMPP Connections == | |||
This page provides instructions for XMPP server administrators to secure XMPP client and server connections ready for the following [https://github.com/stpeter/manifesto/blob/master/manifesto.txt ubiquitous encryption manifesto] test days: | This page provides instructions for XMPP server administrators to secure XMPP client and server connections ready for the following [https://github.com/stpeter/manifesto/blob/master/manifesto.txt ubiquitous encryption manifesto] test days: | ||
Line 9: | Line 9: | ||
To achieve this, we need to: | To achieve this, we need to: | ||
* Encrypt connections between clients and servers ( | * Encrypt connections between clients and servers (C2S) | ||
* Encrypt server to server connections ( | * Encrypt server to server connections (S2S) | ||
== Step1: Get a server certificate== | == Step1: Get a server certificate== | ||
Let's say you run an XMPP service for <code>example. | Let's say you run an XMPP service for <code>example.net</code> (jids of user@example.net), you will need to order a certificate for with a subject or alt-name of <code>example.net</code> (not <code>server.example.net</code>) from your preferred cert provider ([http://startssl.com/ StartSSL] offers free certificates and is quite good). | ||
== Step 2: Configure your DNS == | == Step 2: Configure your DNS == | ||
Ensure that the following DNS records are set: | Ensure that the following DNS records are set: | ||
_xmpp-server._tcp.example. | _xmpp-server._tcp.example.net. 18000 IN SRV 0 5 5269 server.example.net. | ||
server.example.net. 18000 A 10.10.10.10 # you must have an A record for your server. | |||
More informations on [[SRV Records]] page. | |||
You may also want to [[Securing DNS|Secure your DNS with DNSSEC]] | You can test your DNS setup at [http://xmpp.net/ xmpp.net]. | ||
You may also want to [[Securing DNS|Secure your DNS with DNSSEC]]. | |||
== Step 3: Disable cleartext connections == | == Step 3: Disable cleartext connections == | ||
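Review bot: the A record line under Step 2 carries an inline "# you must have an A record for your server." remark; in zone-file syntax a comment starts with ";", so anyone pasting the two records as shown gets a broken zone. Move the remark into the prose (or use ";"). In the same hunk, only an _xmpp-server._tcp SRV (port 5269) is listed although the page's stated aim covers C2S as well; a matching _xmpp-client._tcp.example.net. SRV pointing at port 5222 on server.example.net. belongs next to it so clients find the same host the certificate is issued for. Minor wording in Step 1 and Step 2: "order a certificate for with a subject" should drop "for", and "More informations" should read "More information".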
Line 53: | Line 55: | ||
basic-conf/virt-hosts-cert-<domain>=path/to/cert.pem | basic-conf/virt-hosts-cert-<domain>=path/to/cert.pem | ||
TLS for s2s connection is enabled by default; no option to configure it as ''required'' (certain domains can be configured to skip TLS for s2s with following configuration. For more information: [http://www.tigase.org/content/s2s-skip-tls-hostnames --s2s-skip-tls-hostnames]): | |||
--s2s-skip-tls-hostnames = domain1,domain2 | --s2s-skip-tls-hostnames = domain1,domain2 | ||
In order to have improved security Tigase features [http://www.tigase.org/content/hardened-mode 'hardened mode'] which turns off workaround for SSL issues, turns off SSLv2, forces enabling more secure ciphers suites and also forces requirement of StartTLS. | |||
--hardened-mode=true | |||
=== Openfire === | === Openfire === | ||
# Open the Openfire administration console | # Open the Openfire administration console | ||
# Go to '''Server Settings''' under '''Server''' | # Go to '''Server Settings''' under '''Server''' | ||
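Review bot: in the Tigase section the line "--s2s-skip-tls-hostnames = domain1,domain2" is shown as if it were part of the recommended configuration, but it disables TLS for s2s traffic to the listed domains, which is the opposite of what this page sets out to achieve; state that the option should be left unset (or empty) and keep the example only as a warning. The paragraph above it also says there is "no option to configure it as required" while the new hardened-mode paragraph says hardened mode "forces requirement of StartTLS"; clarify whether hardened mode makes s2s TLS mandatory or only c2s, since a reader following the page needs to know whether --hardened-mode=true closes the s2s gap.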
Line 66: | Line 70: | ||
== Step 4: Check your XMPP Security == | == Step 4: Check your XMPP Security == | ||
[http://xmpp.net Test your XMPP security] to be sure. | [http://xmpp.net/ Test your XMPP security] to be sure. |