43
edits
Difference between revisions of "Securing XMPP"
Jump to navigation
Jump to search
→ejabberd: require TLS
(→Tigase) |
(→ejabberd: require TLS) |
||
| (3 intermediate revisions by the same user not shown) | |||
| Line 15: | Line 15: | ||
Let's say you run an XMPP service for <code>example.net</code> (jids of user@example.net), you will need to order a certificate for with a subject or alt-name of <code>example.net</code> (not <code>server.example.net</code>) from your preferred cert provider ([http://startssl.com/ StartSSL] offers free certificates and is quite good). | Let's say you run an XMPP service for <code>example.net</code> (jids of user@example.net), you will need to order a certificate for with a subject or alt-name of <code>example.net</code> (not <code>server.example.net</code>) from your preferred cert provider ([http://startssl.com/ StartSSL] offers free certificates and is quite good). | ||
== Step 2 | == Step 2: Disable cleartext connections == | ||
These instructions will disable any cleartext communication between servers and client connections. | These instructions will disable any cleartext communication between servers and client connections. | ||
| Line 36: | Line 25: | ||
{shaper, c2s_shaper}]}, | {shaper, c2s_shaper}]}, | ||
% Use STARTTLS+Dialback for S2S connections | % Use STARTTLS+Dialback for S2S connections | ||
{s2s_use_starttls, | {s2s_use_starttls, require}. | ||
{s2s_certfile, "/etc/ejabberd/ejabberd.pem"}. | {s2s_certfile, "/etc/ejabberd/ejabberd.pem"}. | ||
| Line 43: | Line 32: | ||
c2s_require_encryption = true | c2s_require_encryption = true | ||
s2s_require_encryption = true | s2s_require_encryption = true | ||
-- bonus: check certificates are actually valid | |||
s2s_secure_auth = true | |||
Further help: | Further help: | ||
| Line 69: | Line 60: | ||
# Done! | # Done! | ||
== Step | == Step 3: Check your XMPP Security == | ||
[http://xmpp.net/ Test your XMPP security] to be sure. | [http://xmpp.net/ Test your XMPP security] to be sure. | ||