Securing XMPP

From XMPP WIKI
Revision as of 13:23, 28 August 2013 by Imaginator


Security and Encryption in XMPP

This page covers how to secure XMPP client and server connections.

Aim

  • encrypted connections between clients and servers
  • encrypted server to server connections
  • encryption working for virtual hosted XMPP environments (more than one domain per server)

Background

XMPP does not encrypt connections by default (much like maintaining your server over telnet instead of ssh). This page shows how to enable encryption for your users' connections, using SSL certificates both to encrypt traffic and to identify remote domains.

Get a server certificate

We will use example.com throughout this example.

  • order a certificate for the XMPP domain example.com (not for the host name servername.example.com) from your CA. StartCom offers free certificates.

Configure your DNS

Ensure that the following DNS records are set:

_xmpp-server._tcp.example.com. 18000 IN SRV 0 5 5269 servername.example.com.
servername.example.com.        18000 IN A   10.10.10.10

The SRV target (servername.example.com) must have its own A record.

You can test your DNS setup at http://protocol.buddycloud.com

Securing client connections

Unless you have a very good reason, clients should never connect to their XMPP server in clear text (it is the equivalent of maintaining your server over telnet instead of ssh).

The following settings ensure that only encrypted connections are accepted.

ejabberd

% Ordinary client-to-server service (one entry in the listen list)
[{5222, ejabberd_c2s, [
    {access, c2s},
    starttls_required,
    {certfile, "/etc/ssl/certs/ejabberd.pem"},
    {shaper, c2s_shaper}
]},

Prosody

modules_enabled = {
   -- Other modules
   "tls"; -- Enable mod_tls
}
c2s_require_encryption = true -- Refuse client sessions that do not complete STARTTLS

Tigase

See http://www.tigase.org/content/vhost-tls-required for more details

--vhost-tls-required = true
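To confirm that any of the three settings above actually took effect, the following added example (not part of the wiki page or of any of these servers' projects) opens a plaintext c2s stream and checks whether the advertised <starttls> carries <required/>; the host and domain arguments and the sample feature stanzas are constructed for illustration.

```python
"""Check whether an XMPP server's c2s port refuses unencrypted sessions."""
import socket
import xml.etree.ElementTree as ET

NS_STREAM = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"

# Constructed sample <stream:features> stanzas, as a server sends them before STARTTLS.
FEATURES_REQUIRED = (
    f"<stream:features><starttls xmlns='{NS_TLS}'><required/></starttls></stream:features>"
)
FEATURES_OPTIONAL = (
    f"<stream:features><starttls xmlns='{NS_TLS}'/>"
    "<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>"
    "<mechanism>PLAIN</mechanism></mechanisms></stream:features>"
)


def starttls_required(features_xml):
    """True only if <starttls> is advertised *and* carries <required/>.

    A bare <starttls/> means the server still accepts a plaintext session,
    which is exactly what starttls_required / c2s_require_encryption forbid.
    """
    # The stream: prefix is declared on the enclosing <stream:stream>, so re-wrap before parsing.
    wrapped = f"<stream:stream xmlns:stream='{NS_STREAM}'>{features_xml}</stream:stream>"
    feats = ET.fromstring(wrapped).find(f"{{{NS_STREAM}}}features")
    if feats is None:
        return False
    tls = feats.find(f"{{{NS_TLS}}}starttls")
    return tls is not None and tls.find(f"{{{NS_TLS}}}required") is not None


def fetch_features(host, domain, port=5222, timeout=5):
    """Open a plaintext c2s stream and return the raw <stream:features> offered, or None."""
    header = (f"<?xml version='1.0'?><stream:stream to='{domain}' version='1.0' "
              f"xmlns='jabber:client' xmlns:stream='{NS_STREAM}'>")
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(header.encode())
        try:
            while b"</stream:features>" not in buf and b"<stream:features/>" not in buf:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                buf += chunk
        except socket.timeout:
            pass  # server went quiet; judge whatever arrived
        sock.sendall(b"</stream:stream>")
    text = buf.decode("utf-8", errors="replace")
    start, end = text.find("<stream:features"), text.find("</stream:features>")
    return None if start < 0 or end < 0 else text[start:end + len("</stream:features>")]


if __name__ == "__main__":
    import sys
    feats = fetch_features(sys.argv[1], sys.argv[2])  # e.g. servername.example.com example.com
    print("STARTTLS required" if feats and starttls_required(feats) else "plaintext sessions allowed")
```

An empty `<stream:features/>` or a missing `<required/>` both count as "plaintext allowed", which is the failure mode the settings above are meant to close.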