Difference between revisions of "Securing XMPP"
(Use YAML syntax for the ejabberd configuration file snippet.) |
m (ejabberd section: Cosmetic changes) |
||
(2 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
== | == Clients == | ||
need to add something... | |||
== Servers == | |||
* | An XMPP Server is considered secure when the following (minimum) items are present: | ||
* | * The server is running with a server certificate | ||
* The server is configured to not allow any cleartext communications - S2S and C2S | |||
* The server supports XEP-198 | |||
* ... | |||
== Step1: Get a server certificate== | === Step1: Get a server certificate=== | ||
Let's say you run an XMPP service for <code>example.net</code> (jids of user@example.net), you will need to order a certificate for with a subject or alt-name of <code>example.net</code> (not <code>server.example.net</code>) from your preferred cert provider ([http://startssl.com/ StartSSL] offers free certificates and is quite good). | Let's say you run an XMPP service for <code>example.net</code> (jids of user@example.net), you will need to order a certificate for with a subject or alt-name of <code>example.net</code> (not <code>server.example.net</code>) from your preferred cert provider ([http://startssl.com/ StartSSL] offers free certificates and is quite good). | ||
== Step 2: Disable cleartext connections == | === Step 2: Disable cleartext connections === | ||
These instructions will disable any cleartext communication between servers and client connections. | These instructions will disable any cleartext communication between servers and client connections. | ||
=== ejabberd === | ==== ejabberd ==== | ||
Make sure that your ''ejabberd.yml'' contains the [http://www.process-one.net/docs/ejabberd/guide_en.html#listened-options following settings]. | Make sure that your ''ejabberd.yml'' contains the [http://www.process-one.net/docs/ejabberd/guide_en.html#listened-options following settings]. | ||
* For client- | * For client-to-server connections: | ||
listen: | listen: | ||
- | - | ||
Line 29: | Line 26: | ||
certfile: "/etc/ejabberd/certificate.pem" | certfile: "/etc/ejabberd/certificate.pem" | ||
* For server- | * For server-to-server connections: | ||
s2s_use_starttls: required | s2s_use_starttls: required | ||
s2s_certfile: "/etc/ejabberd/certificate.pem" | s2s_certfile: "/etc/ejabberd/certificate.pem" | ||
Line 38: | Line 35: | ||
* Documentation: [https://www.process-one.net/docs/ejabberd/guide_en.html ejabberd Installation and Operation Guide] | * Documentation: [https://www.process-one.net/docs/ejabberd/guide_en.html ejabberd Installation and Operation Guide] | ||
=== Prosody === | ==== Prosody ==== | ||
Ensure that ''prosody.cfg.lua'' contains the following settings in the [https://prosody.im/doc/configure#overview global section] of your config, or under the specific <code>VirtualHost</code> you want to secure: | Ensure that ''prosody.cfg.lua'' contains the following settings in the [https://prosody.im/doc/configure#overview global section] of your config, or under the specific <code>VirtualHost</code> you want to secure: | ||
c2s_require_encryption = true | c2s_require_encryption = true | ||
Line 48: | Line 45: | ||
* Documentation: [https://prosody.im/doc/security Prosody.IM: Security] | * Documentation: [https://prosody.im/doc/security Prosody.IM: Security] | ||
=== Metronome === | ==== Metronome ==== | ||
In Metronome's latest development tip, encryption requirement is the default setting, as long as TLS capability | In Metronome's latest development tip, encryption requirement is the default setting, as long as TLS capability | ||
is available, and no configuration change is needed. Otherwise ensure that ''metronome.cfg.lua'' contains the | is available, and no configuration change is needed. Otherwise ensure that ''metronome.cfg.lua'' contains the | ||
Line 60: | Line 57: | ||
* Documentation: [http://www.lightwitch.org/metronome/documentation lightwitch.org/metronome/documentation] | * Documentation: [http://www.lightwitch.org/metronome/documentation lightwitch.org/metronome/documentation] | ||
=== Tigase === | ==== Tigase ==== | ||
See http://www.tigase.org/content/vhost-tls-required for more details: | See http://www.tigase.org/content/vhost-tls-required for more details: | ||
--vhost-tls-required = true | --vhost-tls-required = true | ||
Line 77: | Line 74: | ||
* Documentation: [http://www.tigase.org/admin-guide Admin guide] | * Documentation: [http://www.tigase.org/admin-guide Admin guide] | ||
=== Openfire === | ==== Openfire ==== | ||
# Open the Openfire administration console | # Open the Openfire administration console | ||
# Go to '''Server Settings''' under '''Server''' | # Go to '''Server Settings''' under '''Server''' | ||
Line 90: | Line 87: | ||
* Documentation: [http://igniterealtime.org/projects/openfire/documentation.jsp Openfire documentation] | * Documentation: [http://igniterealtime.org/projects/openfire/documentation.jsp Openfire documentation] | ||
== Step 3: Check your XMPP Security == | === Step 3: Check your XMPP Server Security === | ||
[http://xmpp.net/ Test your XMPP security] to be sure. | [http://xmpp.net/ Test your XMPP security] to be sure. | ||
= Encryption Manifesto (archived) = | |||
== Aim: Encrypt All XMPP Connections == | |||
This page provides instructions for XMPP server administrators to secure XMPP client and server connections ready for the following [https://github.com/stpeter/manifesto/blob/master/manifesto.txt ubiquitous encryption manifesto] test days: | |||
* January 4, 2014 - first test day requiring encryption | |||
* February 22, 2014 - second test day | |||
* March 22, 2014 - third test day | |||
* April 19, 2014 - fourth test day | |||
* May 19, 2014 - '''permanent upgrade''' to encrypted network | |||
To achieve this, we need to: | |||
* Encrypt connections between clients and servers (C2S) | |||
* Encrypt server to server connections (S2S) |
Revision as of 12:29, 4 December 2014
Clients
need to add something...
Servers
An XMPP Server is considered secure when the following (minimum) items are present:
- The server is running with a server certificate
- The server is configured to not allow any cleartext communications - S2S and C2S
- The server supports XEP-198
- ...
Step1: Get a server certificate
Let's say you run an XMPP service for example.net
(jids of user@example.net), you will need to order a certificate for with a subject or alt-name of example.net
(not server.example.net
) from your preferred cert provider (StartSSL offers free certificates and is quite good).
Step 2: Disable cleartext connections
These instructions will disable any cleartext communication between servers and client connections.
ejabberd
Make sure that your ejabberd.yml contains the following settings.
- For client-to-server connections:
listen: - port: 5222 module: ejabberd_c2s starttls_required: true certfile: "/etc/ejabberd/certificate.pem"
- For server-to-server connections:
s2s_use_starttls: required s2s_certfile: "/etc/ejabberd/certificate.pem"
Further help:
- Homepage: ejabberd.im
- Chatroom: ejabberd@conference.jabber.ru
- Documentation: ejabberd Installation and Operation Guide
Prosody
Ensure that prosody.cfg.lua contains the following settings in the global section of your config, or under the specific VirtualHost
you want to secure:
c2s_require_encryption = true s2s_require_encryption = true
Further help:
- Homepage: Prosody IM
- Chatroom: prosody@conference.prosody.im
- Documentation: Prosody.IM: Security
Metronome
In Metronome's latest development tip, encryption requirement is the default setting, as long as TLS capability is available, and no configuration change is needed. Otherwise ensure that metronome.cfg.lua contains the following settings in the global section of your configuration:
c2s_require_encryption = true s2s_require_encryption = true
Further help:
- Homepage: Metronome IM
- Chatroom: grimoire@muc.metronome.im
- Documentation: lightwitch.org/metronome/documentation
Tigase
See http://www.tigase.org/content/vhost-tls-required for more details:
--vhost-tls-required = true
By default Tigase will read VHosts certificates from certs/ subdirectory match domain name against .pem filename of the certificate. Alternatively configuration for particular vhost certificate could be specified explicitly in init.properties:
basic-conf/virt-hosts-cert-<domain>=path/to/cert.pem
TLS for s2s connection is enabled by default; no option to configure it as required (certain domains can be configured to skip TLS for s2s with following configuration. For more information: --s2s-skip-tls-hostnames):
--s2s-skip-tls-hostnames = domain1,domain2
In order to have improved security Tigase features "hardened mode" which turns off workaround for SSL issues, turns off SSLv2, forces enabling more secure ciphers suites and also forces requirement of StartTLS.
--hardened-mode=true
Further help:
- Homepage: Tigase.org
- Documentation: Admin guide
Openfire
- Open the Openfire administration console
- Go to Server Settings under Server
- Then open Security Settings in the list to the left
- Check both radiobuttons labeled Required
- Check the checkbox marked Accept self-signed certificates
- Done!
Further help:
- Homepage: Openfire
- Chatroom: open_chat@conference.igniterealtime.org
- Documentation: Openfire documentation
Step 3: Check your XMPP Server Security
Test your XMPP security to be sure.
Encryption Manifesto (archived)
Aim: Encrypt All XMPP Connections
This page provides instructions for XMPP server administrators to secure XMPP client and server connections ready for the following ubiquitous encryption manifesto test days:
- January 4, 2014 - first test day requiring encryption
- February 22, 2014 - second test day
- March 22, 2014 - third test day
- April 19, 2014 - fourth test day
- May 19, 2014 - permanent upgrade to encrypted network
To achieve this, we need to:
- Encrypt connections between clients and servers (C2S)
- Encrypt server to server connections (S2S)