Difference between revisions of "Securing XMPP"

Jump to navigation Jump to search
(→‎Openfire: Add instructions for Openfire.)
(→‎Openfire: Click is a silly word)
Line 62: Line 62:
# Then open '''Security Settings''' in the list to the left
# Then open '''Security Settings''' in the list to the left
# Check both radiobuttons labeled '''Required'''
# Check both radiobuttons labeled '''Required'''
# Click the checkbox marked ''Accept self-signed certificates''
# Check the checkbox marked ''Accept self-signed certificates''
# Done!
# Done!
== Step 4: Check your XMPP Security ==
== Step 4: Check your XMPP Security ==
[http://xmpp.net Test your XMPP security] to be sure.
[http://xmpp.net Test your XMPP security] to be sure.

Revision as of 00:12, 4 January 2014

Aim: Encrypt All XMPP Connections

This page provides instructions for XMPP server administrators to secure XMPP client and server connections ready for the following ubiquitous encryption manifesto test days:

  • January 4, 2014 - first test day requiring encryption
  • February 22, 2014 - second test day
  • March 22, 2014 - third test day
  • April 19, 2014 - fourth test day
  • May 19, 2014 - permanent upgrade to encrypted network

To achieve this, we need to:

  • Encrypt connections between clients and servers (c2s)
  • Encrypt server to server connections (s2s)

Step1: Get a server certificate

Let's say you run an XMPP service for example.com (jids of user@example.com), you will need to order a certificate for with a subject or alt-name of example.com (not servername.example.com) from your preferred cert provider (StartSSL offers free certificates and is quite good).

Step 2: Configure your DNS

Ensure that the following DNS records are set:

_xmpp-server._tcp.example.com. 18000 IN SRV 0 5 5269 servername.example.com. 
servername.example.com.        18000  A # you must have an A record for your server

You can test your DNS setup at xmpp.net

You may also want to Secure your DNS with DNSSEC

Step 3: Disable cleartext connections

These instructions will disable any cleartext communication between servers and client connections.


Configure ejabberd.conf

% Ordinary client-2-server service
[{5222, ejabberd_c2s, [{access, c2s},
starttls_required, {certfile, "/etc/ssl/certs/ejabberd.pem"},
{shaper, c2s_shaper}]},
% Use STARTTLS+Dialback for S2S connections
{s2s_use_starttls, true}.
{s2s_certfile, "/etc/ejabberd/ejabberd.pem"}.


Ensure that prosody.cfg.lua contains the following settings in the global section of your config, or under the specific VirtualHost you want to secure:

 c2s_require_encryption = true
 s2s_require_encryption = true

Further help:


See http://www.tigase.org/content/vhost-tls-required for more details:

--vhost-tls-required = true

By default Tigase will read VHosts certificates from certs/ subdirectory match domain name against .pem filename of the certificate. Alternatively configuration for particular vhost certificate could be specified explicitly in init.properties:

  • TLS for s2s connection is enabled by default; no option to configure it as required (certain domains can be configured to skip TLS for s2s with following configuration. For more information: --s2s-skip-tls-hostnames):
--s2s-skip-tls-hostnames = domain1,domain2


  1. Open the Openfire administration console
  2. Go to Server Settings under Server
  3. Then open Security Settings in the list to the left
  4. Check both radiobuttons labeled Required
  5. Check the checkbox marked Accept self-signed certificates
  6. Done!

Step 4: Check your XMPP Security

Test your XMPP security to be sure.