Changeset - 5d6cebe35306
Branko Majic (branko) - 10 years ago 2016-01-24 15:52:52
branko@majic.rs
MAR-49: Implemented TLS hardening for XMPP server role.
2 files changed with 4 insertions and 0 deletions:
docs/rolereference.rst
 
@@ -652,12 +652,14 @@ destination machine.
 
The role implements the following:
 

	
 
* Sets-up the Prosody apt repository.
 
* Deploys XMPP TLS private key and certificate.
 
* Installs Prosody.
 
* Configures Prosody.
 
* Hardens TLS configuration by allowing only TLSv1.2 and PFS ciphers. **Note:**
 
  older clients may have problems connecting.
 
* Configures firewall to allow incoming connections to the XMPP server.
 

	
 
Prosody is configured as follows:
 

	
 
* Modules enabled: roster, saslauth, tls, dialback, posix, private, vcard,
 
  version, uptime, time, ping, pep, register, admin_adhoc, announce, legacyauth.
roles/xmpp_server/templates/prosody.cfg.lua.j2
 
@@ -41,12 +41,14 @@ allow_registration = false;
 

	
 
-- These are the SSL/TLS-related settings. If you don't want
 
-- to use SSL/TLS, you may comment or remove this
 
ssl = {
 
  key = "/etc/ssl/private/{{ xmpp_tls_key | basename }}";
 
  certificate = "/etc/ssl/certs/{{ xmpp_tls_certificate | basename }}";
 
  prosody = "tlsv1_2";
 
  ciphers = "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!MD5:!EXPORT;"
 
}
 

	
 
-- Ports on which to have direct TLS/SSL.
 
legacy_ssl_ports = { 5223 }
 

	
 
-- Force clients to use encrypted connection.
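Review bot: The protocol pin on the `prosody = "tlsv1_2";` line is most likely never applied, because the option Prosody hands to LuaSec for this is named `protocol`; as written the key reads `prosody`, which the SSL context builder would ignore, so the "only TLSv1.2" behaviour claimed in docs/rolereference.rst would not actually hold and the default protocol selection would remain in force. It should read `protocol = "tlsv1_2";`. Separately, the trailing `;` on the `ciphers` line sits inside the string literal, so it reaches OpenSSL as part of the last rule (`!EXPORT;`) rather than acting as a Lua field separator; drop it or move it outside the closing quote and confirm the resulting list with `openssl ciphers -v '<list>'`. The DHE-* entries are also only negotiable if this table supplies `dhparam` (and, on older LuaSec, a `curve` for the ECDHE ones), which this hunk does not add — worth verifying against the running server with a test client rather than assuming from the cipher string.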