43
edits
Difference between revisions of "Securing XMPP"
Jump to navigation
Jump to search
m
ejabberd section: Cosmetic changes
(Use YAML syntax for the ejabberd configuration file snippet.) |
m (ejabberd section: Cosmetic changes) |
||
| (2 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
== | == Clients == | ||
need to add something... | |||
== Servers == | |||
* | An XMPP Server is considered secure when the following (minimum) items are present: | ||
* | * The server is running with a server certificate | ||
* The server is configured to not allow any cleartext communications - S2S and C2S | |||
* The server supports XEP-198 | |||
* ... | |||
== Step1: Get a server certificate== | === Step1: Get a server certificate=== | ||
Let's say you run an XMPP service for <code>example.net</code> (jids of user@example.net), you will need to order a certificate for with a subject or alt-name of <code>example.net</code> (not <code>server.example.net</code>) from your preferred cert provider ([http://startssl.com/ StartSSL] offers free certificates and is quite good). | Let's say you run an XMPP service for <code>example.net</code> (jids of user@example.net), you will need to order a certificate for with a subject or alt-name of <code>example.net</code> (not <code>server.example.net</code>) from your preferred cert provider ([http://startssl.com/ StartSSL] offers free certificates and is quite good). | ||
== Step 2: Disable cleartext connections == | === Step 2: Disable cleartext connections === | ||
These instructions will disable any cleartext communication between servers and client connections. | These instructions will disable any cleartext communication between servers and client connections. | ||
=== ejabberd === | ==== ejabberd ==== | ||
Make sure that your ''ejabberd.yml'' contains the [http://www.process-one.net/docs/ejabberd/guide_en.html#listened-options following settings]. | Make sure that your ''ejabberd.yml'' contains the [http://www.process-one.net/docs/ejabberd/guide_en.html#listened-options following settings]. | ||
* For client- | * For client-to-server connections: | ||
listen: | listen: | ||
- | - | ||
| Line 29: | Line 26: | ||
certfile: "/etc/ejabberd/certificate.pem" | certfile: "/etc/ejabberd/certificate.pem" | ||
* For server- | * For server-to-server connections: | ||
s2s_use_starttls: required | s2s_use_starttls: required | ||
s2s_certfile: "/etc/ejabberd/certificate.pem" | s2s_certfile: "/etc/ejabberd/certificate.pem" | ||
| Line 38: | Line 35: | ||
* Documentation: [https://www.process-one.net/docs/ejabberd/guide_en.html ejabberd Installation and Operation Guide] | * Documentation: [https://www.process-one.net/docs/ejabberd/guide_en.html ejabberd Installation and Operation Guide] | ||
=== Prosody === | ==== Prosody ==== | ||
Ensure that ''prosody.cfg.lua'' contains the following settings in the [https://prosody.im/doc/configure#overview global section] of your config, or under the specific <code>VirtualHost</code> you want to secure: | Ensure that ''prosody.cfg.lua'' contains the following settings in the [https://prosody.im/doc/configure#overview global section] of your config, or under the specific <code>VirtualHost</code> you want to secure: | ||
c2s_require_encryption = true | c2s_require_encryption = true | ||
| Line 48: | Line 45: | ||
* Documentation: [https://prosody.im/doc/security Prosody.IM: Security] | * Documentation: [https://prosody.im/doc/security Prosody.IM: Security] | ||
=== Metronome === | ==== Metronome ==== | ||
In Metronome's latest development tip, encryption requirement is the default setting, as long as TLS capability | In Metronome's latest development tip, encryption requirement is the default setting, as long as TLS capability | ||
is available, and no configuration change is needed. Otherwise ensure that ''metronome.cfg.lua'' contains the | is available, and no configuration change is needed. Otherwise ensure that ''metronome.cfg.lua'' contains the | ||
| Line 60: | Line 57: | ||
* Documentation: [http://www.lightwitch.org/metronome/documentation lightwitch.org/metronome/documentation] | * Documentation: [http://www.lightwitch.org/metronome/documentation lightwitch.org/metronome/documentation] | ||
=== Tigase === | ==== Tigase ==== | ||
See http://www.tigase.org/content/vhost-tls-required for more details: | See http://www.tigase.org/content/vhost-tls-required for more details: | ||
--vhost-tls-required = true | --vhost-tls-required = true | ||
| Line 77: | Line 74: | ||
* Documentation: [http://www.tigase.org/admin-guide Admin guide] | * Documentation: [http://www.tigase.org/admin-guide Admin guide] | ||
=== Openfire === | ==== Openfire ==== | ||
# Open the Openfire administration console | # Open the Openfire administration console | ||
# Go to '''Server Settings''' under '''Server''' | # Go to '''Server Settings''' under '''Server''' | ||
| Line 90: | Line 87: | ||
* Documentation: [http://igniterealtime.org/projects/openfire/documentation.jsp Openfire documentation] | * Documentation: [http://igniterealtime.org/projects/openfire/documentation.jsp Openfire documentation] | ||
== Step 3: Check your XMPP Security == | === Step 3: Check your XMPP Server Security === | ||
[http://xmpp.net/ Test your XMPP security] to be sure. | [http://xmpp.net/ Test your XMPP security] to be sure. | ||
= Encryption Manifesto (archived) = | |||
== Aim: Encrypt All XMPP Connections == | |||
This page provides instructions for XMPP server administrators to secure XMPP client and server connections ready for the following [https://github.com/stpeter/manifesto/blob/master/manifesto.txt ubiquitous encryption manifesto] test days: | |||
* January 4, 2014 - first test day requiring encryption | |||
* February 22, 2014 - second test day | |||
* March 22, 2014 - third test day | |||
* April 19, 2014 - fourth test day | |||
* May 19, 2014 - '''permanent upgrade''' to encrypted network | |||
To achieve this, we need to: | |||
* Encrypt connections between clients and servers (C2S) | |||
* Encrypt server to server connections (S2S) | |||