[Ach] Config for Prosody XMPP server

chris at debilux.org chris at debilux.org
Sun Apr 27 13:44:26 CEST 2014


Hi,

I'm using prosody for serving xmpp and now have a working config that I want to be discussed, tested and included in the guide.

I force encryption for s2s and c2s connections with cipher string B and at least TLSv1. There are options to use our own truststore. By default the connection will be established and encrypted whether the certs are trusted and valid or not. I think this is a pragmatic approach that brings more security than we have now but doesn't cut down the connectivity as hell.

The test at xmpp.net gives me an A rating with 100, 100, 95, 90.

What do you think?

Kind regards
Chris


- Prosody 0.93 linked against 1.0.1e on FreeBSD 10.0


# Global ssl/tls settings

Force client to server encryption

	c2s_require_encryption = true

Force server to server encryption whether certificates are valid and trusted or not

	s2s_require_encryption = true

By defining secure domains we force valid certs, our ciphers and protocols for these specific domains. This is disabled by default.

	-- s2s_secure_domains = { "jabber.org" }

When secure auth is enabled, only s2s connections with valid and trusted certificates will be accepted. This is disabled by default.

	-- s2s_secure_auth = true

By defining insecure domains, we accept invalid and untrusted certs and cert chains or weaker ciphers and protocols for these servers even if s2s_secure_auth is enabled. This should not be activated because it could go down to ssl2 and other weak and broken stuff as long as we get an "encrypted" connection.

	-- s2s_insecure_domains = { "google.com" }

Now you have to configure your connection settings for the main server. You can define your own truststore when you set a file with the trusted CAs and a folder with trusted certs.

	ssl = {
		key = "/usr/local/etc/ssl/xmpp.example.com.key";
		certificate = "/usr/local/etc/ssl/xmpp.example.com.io.pem";

		-- Define your own truststore
		-- cafile = "/usr/local/etc/ssl/ca.pem";

		-- Define the path to the certificates that you trust
		-- capath = "/usr/local/etc/ssl/";

		options = { "no_sslv2", "no_sslv3", "no_ticket", "no_compression", "cipher_server_preference", "single_dh_use", "single_ecdh_use" };
		verify = { "none", "client_once" };
		verifyext = { "lsec_continue", "lsec_ignore_purpose" };
		ciphers = "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA";
	}

If you're running Virtual Hosts for serving other domains you have to specify these settings for every single vHost. When you don't do this prosody falls back to its defaults.

	VirtualHost "example.com"
		ssl = {
			key = "/usr/local/etc/ssl/example.com.key";
			certificate = "/usr/local/etc/ssl/example.com.pem";

			options = { "no_sslv2", "no_sslv3", "no_ticket", "no_compression", "cipher_server_preference", "single_dh_use", "single_ecdh_use" };
			verify = { "none", "client_once" };
			verifyext = { "lsec_continue", "lsec_ignore_purpose" };
			ciphers = "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA";
		}

-- 
E-Mail/Jabber: chris at debilux.org

PGP-Key: 0x62E3232F
Web: http://debilux.org
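
The per-vHost fallback and the global switches described in the message above can be checked mechanically. The following is an added example, not part of the original post and not Prosody tooling: a small Python check for a config laid out like the one above. The `audit` function, its finding strings and the sample config are constructed for illustration, and the parser only understands this flat layout (line comments, one setting per line).

```python
import re

# Constructed sample config (not from the post), laid out like the one above.
SAMPLE = '''
c2s_require_encryption = true
s2s_require_encryption = true
-- s2s_secure_auth = true
s2s_insecure_domains = { "legacy.example.net" }
ssl = {
    options = { "no_sslv2", "no_sslv3", "no_compression" };
}
VirtualHost "example.com"
    ssl = {
        options = { "no_sslv2", "no_compression" };
    }
VirtualHost "example.org"
    enabled = true
'''

def audit(config_text):
    """Return a list of findings for a Prosody config given as text."""
    section, settings = "global", {"global": {}}
    for raw in config_text.splitlines():
        line = re.sub(r"--.*", "", raw).strip()      # drop Lua line comments
        host = re.match(r'VirtualHost\s+"([^"]+)"', line)
        if host:                                     # settings below belong to this vHost
            section = host.group(1)
            settings[section] = {}
            continue
        opt = re.match(r"(\w+)\s*=\s*(.+?);?$", line)
        if opt:
            settings[section].setdefault(opt.group(1), opt.group(2))
    findings = []
    for key in ("c2s_require_encryption", "s2s_require_encryption"):
        if settings["global"].get(key) != "true":
            findings.append(f"global: {key} is not enabled")
    if "s2s_insecure_domains" in settings["global"]:
        findings.append("global: s2s_insecure_domains is set")
    for name, opts in settings.items():
        if "ssl" not in opts:
            if name != "global":                     # vHost would use Prosody's defaults
                findings.append(f"{name}: no ssl block")
            continue
        for flag in ("no_sslv2", "no_sslv3"):
            if f'"{flag}"' not in opts.get("options", ""):
                findings.append(f"{name}: ssl options lack {flag}")
    return findings
```

Calling `audit(SAMPLE)` reports the active `s2s_insecure_domains` line, the vHost whose options omit `no_sslv3`, and the vHost with no `ssl` block of its own.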