
How to encrypt jabberd2 communications

Introduction

This guide walks through how to enable encrypted communications for jabberd2. There are three parts: encrypting the client-to-server communications, forcing encrypted communications, and disabling public registration. You can implement as much or as little of this guide as you like, but it is advised to follow all of the steps. This guide builds upon the setup described in one of my previous posts, how to install and configure jabberd2.

Encrypt Connection

The first step is to create a certificate that we can use to encrypt the communications between clients and the server. Depending on your plans for your XMPP server, you may want to get a signed certificate. I’m only interested in encrypting the communications, so I’m going to use a self-signed certificate. Now that we have a certificate file, we need to configure jabberd2 to use it to encrypt communications. These settings are made in c2s.xml.

This command will open c2s.xml for editing in vi.

sudo vi /etc/jabberd/c2s.xml

Find the id tag under local and add the two new attributes shown below (pemfile and verify-mode) to the id tag of c2s.xml.

<id realm='yourdomainname.com'
     pemfile='/path/to/ssl/certificate.pem'
     verify-mode='2'
     >yourdomainname.com</id>

Save and close vi. Restart jabberd2.

sudo /etc/init.d/jabberd2 restart

Now test your jabberd2 server; you should be able to connect as normal. Try forcing your XMPP client to use an encrypted connection. If that works, the server is correctly configured to support encrypted communications.

Force Encryption

After you have configured jabberd2 to support encrypted connections, we can configure the server to only accept encrypted connections. This is a good idea if you want to be sure that you are always using an encrypted connection, because the server will no longer accept unencrypted ones.

This command will open c2s.xml for editing in vi.

sudo vi /etc/jabberd/c2s.xml

Find the id tag under local and add the one new attribute shown below (require-starttls) to the id tag of c2s.xml.

<id realm='yourdomainname.com'
     pemfile='/path/to/ssl/certificate.pem'
     verify-mode='2'
     require-starttls='true'
     >yourdomainname.com</id>

Save and close vi. Restart jabberd2.

sudo /etc/init.d/jabberd2 restart

Now test your jabberd2 server; you should be able to connect as normal. If your XMPP client supports it, try forcing it to use an unencrypted connection, which the server should now refuse. If not, you could use a tool like Wireshark to inspect the packets and make sure that everything is encrypted.
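To check the two tests above without a full XMPP client (that STARTTLS is offered after the Encrypt Connection step, and required after this one), here is an added Python probe that is not part of the original post. It sends the RFC 6120 stream header, parses the server's stream features and, when STARTTLS is offered, completes the handshake; the host, domain, port 5222 and certificate path are assumptions, and SAMPLE_REPLY is a constructed server reply for offline checking.

```python
import socket
import ssl
import xml.etree.ElementTree as ET

STREAMS_NS = "http://etherx.jabber.org/streams"
TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"

# Constructed sample of a server's first reply when require-starttls='true' is set.
SAMPLE_REPLY = ("<?xml version='1.0'?><stream:stream xmlns='jabber:client' xmlns:stream='%s' id='c1' version='1.0'>"
                "<stream:features><starttls xmlns='%s'><required/></starttls></stream:features>" % (STREAMS_NS, TLS_NS))

def stream_header(domain):
    # Opening stream tag a client sends right after connecting (RFC 6120, section 4.7).
    return ("<?xml version='1.0'?><stream:stream to='%s' xmlns='jabber:client' "
            "xmlns:stream='%s' version='1.0'>" % (domain, STREAMS_NS))

def parse_features(reply):
    # Returns (starttls_offered, starttls_required). Only <stream:features> is parsed,
    # because the enclosing <stream:stream> element is never closed by the server.
    tail = "</stream:features>"
    start, end = reply.find("<stream:features"), reply.find(tail)
    if start < 0 or end < 0:
        return (False, False)  # no features element at all
    root = ET.fromstring("<r xmlns:stream='%s'>%s</r>" % (STREAMS_NS, reply[start:end + len(tail)]))
    starttls = root.find(".//{%s}starttls" % TLS_NS)
    required = starttls is not None and starttls.find("{%s}required" % TLS_NS) is not None
    return (starttls is not None, required)

def read_until(sock, marker, limit=65536):
    # Read until `marker` arrives, the peer closes, or `limit` bytes were received.
    buf = b""
    while marker not in buf and len(buf) < limit and (chunk := sock.recv(4096)):
        buf += chunk
    return buf.decode("utf-8", "replace")

def probe(host, domain, port=5222, cafile=None, timeout=5.0):
    # Connect in the clear, read features, then negotiate STARTTLS if it is offered. `cafile`
    # is the PEM certificate to trust (the guide's self-signed cert); returns what the server enforces.
    result = {"starttls_offered": False, "starttls_required": False, "tls_version": None}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(stream_header(domain).encode())
        offered, required = parse_features(read_until(sock, b"</stream:features>"))
        result.update(starttls_offered=offered, starttls_required=required)
        if offered:
            sock.sendall(("<starttls xmlns='%s'/>" % TLS_NS).encode())
            if "<proceed" in read_until(sock, b"/>"):  # server answers <proceed/> or <failure/>
                ctx = ssl.create_default_context(cafile=cafile)  # hostname and chain checks stay on
                with ctx.wrap_socket(sock, server_hostname=domain) as tls:
                    result["tls_version"] = tls.version()
    return result
```

Run `probe("xmpp.example.org", "yourdomainname.com", cafile="/path/to/ssl/certificate.pem")` against your server: after the Force Encryption step, starttls_required should be True and tls_version should be filled in.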

Disable Public Registration

The final configuration we are going to cover in this guide is how to turn off public registration. When public registration is enabled, anybody who connects to your XMPP server will get an account created automatically. For that reason, we want to disable it.

This command will open c2s.xml for editing in vi.

sudo vi /etc/jabberd/c2s.xml

Find the id tag under local again and add the two new attributes shown below (register-enable and password-change) to the id tag of c2s.xml.

<id realm='yourdomainname.com'
     register-enable='false'
     password-change='true'
     pemfile='/path/to/ssl/certificate.pem'
     verify-mode='2'
     require-starttls='true'
     >yourdomainname.com</id>

Save and close vi. Restart jabberd2.

sudo /etc/init.d/jabberd2 restart

Now test your jabberd2 server; you should be able to connect as normal with an existing account. Then try to log in with an account that does not exist (make one up). You should not be able to connect with this new account.

Conclusion

We’re done; your jabberd2 server is now much more secure. If you have any problems with the configurations above, check your log files and double-check the configuration files.