Difference between revisions of "Securing XMPP"
(→Prosody: Remove s2s_insecure_domains, it has no effect here, and add link to docs) |
(→Prosody: Fix config file name, rephrase sentence and link to docs) |
||
| Line 43: | Line 43: | ||
=== Prosody === | === Prosody === | ||
Ensure that prosody. | Ensure that ''prosody.cfg.lua'' contains the following settings in the [https://prosody.im/doc/configure#overview global section] of your config, or under the specific <code>VirtualHost</code> you want to secure: | ||
c2s_require_encryption = true | c2s_require_encryption = true | ||
Revision as of 19:32, 21 November 2013
Aim: Encrypt All XMPP Connections
This page provides instructions for XMPP server administrators to secure XMPP client and server connections ready for the following ubiquitous encryption manifesto test days:
- January 4, 2014 - first test day requiring encryption
- February 22, 2014 - second test day
- March 22, 2014 - third test day
- April 19, 2014 - fourth test day
- May 19, 2014 - permanent upgrade to encrypted network
To achieve this, we need to:
- encrypt connections between clients and servers (c2s)
- encrypt server to server connections (s2s)
Step1: Get a server certificate
Let's say you run an XMPP service for example.com (jids of user@example.com), you will need to order a certificate for with a subject or alt-name of example.com (not servername.example.com) from your preferred cert provider (StartSSL offers free certificates and is quite good)
Step 2: Configure your DNS
Ensure that the following DNS records are set:
_xmpp-server._tcp.example.com. 18000 IN SRV 0 5 5269 servername.example.com. servername.example.com. 18000 A 10.10.10.10 # you must have an A record for your server
You can test your DNS setup at xmpp.net
Step 3: Only permit encrypted connections
eJabberd
Configure ejabberd.conf
% Ordinary client-2-server service
[{5222, ejabberd_c2s, [{access, c2s},
starttls_required, {certfile, "/etc/ssl/certs/ejabberd.pem"},
{shaper, c2s_shaper}]},
% Use STARTTLS+Dialback for S2S connections
{s2s_use_starttls, true}.
{s2s_certfile, "/etc/ejabberd/ejabberd.pem"}.
Prosody
Ensure that prosody.cfg.lua contains the following settings in the global section of your config, or under the specific VirtualHost you want to secure:
c2s_require_encryption = true s2s_require_encryption = true
Further help:
- Chatroom: prosody@conference.prosody.im
- Documentation: Prosody.IM: Security
Tigase
See http://www.tigase.org/content/vhost-tls-required for more details
--vhost-tls-required = true
By default Tigase will read VHosts certificates from certs/ subdirectory match domain name against .pem filename of the certificate. Alternatively configuration for particular vhost certificate could be specified explicitly in init.properties:
basic-conf/virt-hosts-cert-<domain>=path/to/cert.pem
- TLS for s2s connection is enabled by default; no option to configure it as required (certain domains can be configured to skip TLS for s2s with following configuration. For more information: --s2s-skip-tls-hostnames):
--s2s-skip-tls-hostnames = domain1,domain2
Openfire
???