[liberationtech] New secure XMPP server
Mikael Nordfeldth
mmn at hethane.se
Mon Dec 30 01:39:26 PST 2013
2013-12-29 22:04 skrev Anthony Papillion:
> I'm definitely open to supporting XEP-0198. I'm not sure there's a
> plugin for the server I'm using (OpenFire) that supports it though.
> I'll look around.
I thought OpenFire had problems with chained certificates[1], such as
the ones I'm using with an intermediate CAcert class3 cert.
This causes my server's TLS connections to an OpenFire server to be
regarded as insecure and (since there's no bidirectional server link
support in OpenFire) the replying server connection is made in
cleartext.
My XMPP server's using Prosody[2]. That's so far the best XMPP server
software I've found, especially if the goal - as with your setup - is to
be secure. (best feature imho is server-specific
verify-by-certificate-hash support in the latest versions, for servers
with trusted admins but untrusted CAs or self-signed certs)
Prosody also defaults to sane, recommended encryption settings: it
disables insecure SSL versions, prefers TLSv1.2, etc. (except that there
are problems with GNU/Linux distributions like Ubuntu where Canonical
etc. disable TLSv1.2 in their system libs).
As long as the chained certificates bug is still present, I would
recommend scouting around for other serverside solutions than OpenFire.
And it's dead-simple to configure Prosody, you essentially just need
your certificates, vhost name and possible conference server setup. Not
sure about any migration solutions with OpenFire->foo, though, but
there's a migration script for ejabberd->Prosody at least. So look around :)
[1] http://issues.igniterealtime.org/browse/OF-405
[2] https://prosody.im/
--
Mikael Nordfeldth
http://blog.mmn-o.se/
XMPP/mail: mmn at hethane.se
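To make the "certificates, vhost name and conference server" setup concrete, here is an illustrative Prosody configuration added to this archive; it is not part of the mail above and not Prosody's own sample config. The hostname and file paths are placeholders, and the option names are those documented for Prosody 0.9-era releases.

```lua
-- Illustrative Prosody config (Lua). Hostname and paths are placeholders.

-- Global settings: require TLS on client and server links, and require
-- that peer server certificates actually validate rather than merely
-- negotiating TLS (otherwise an unverifiable peer is still "encrypted").
c2s_require_encryption = true
s2s_require_encryption = true
s2s_secure_auth = true

-- Prosody's defaults already exclude SSLv2/SSLv3; spelled out here so
-- the choice is visible in the config under review.
ssl = {
    options = { "no_sslv2", "no_sslv3" };
}

-- The vhost: the domain part of users' JIDs.
VirtualHost "example.org"
    -- Put the server cert AND the intermediate in one chain file, so
    -- remote servers can build the chain and validate it.
    ssl = {
        key = "/etc/prosody/certs/example.org.key";
        certificate = "/etc/prosody/certs/example.org.chain.crt";
    }

-- Optional multi-user chat ("conference server") component.
Component "conference.example.org" "muc"
```

After editing, `prosodyctl check config` and `prosodyctl check certs` (available in later Prosody releases) will flag a missing intermediate or a key/cert mismatch before the server goes live.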