[jdev] Securing XMPP

Thijs Alkemade thijs at xnyhps.nl
Wed Aug 28 17:22:06 UTC 2013

On 28 aug. 2013, at 18:33, Peter Saint-Andre <stpeter at stpeter.im> wrote:

> On 8/28/13 10:28 AM, Matthew Wild wrote:
> > On 28 August 2013 17:14, Simon Tennant <simon at buddycloud.com>
> > wrote:
> >> I'm attempting to gather the details in one place on how to
> >> secure XMPP servers C2S and S2S traffic:
> >> 
> >> http://wiki.xmpp.org/web/Securing_XMPP
> > 
> > Only feedback so far: you might want to clarify the "single 
> > domain"/"multiple domain" thing - DANE is not a requirement for 
> > securely hosting multiple domains on a single server. I think that 
> > might confuse people.
> It's a wiki. Feel free to edit. I plan to. :-)
> But yes, you don't need DNSSEC to handle multiple domains. In fact if
> you host just a few domains you could potentially get proper certs for
> all of them. It's when you host a lot of domains that you need some
> other solution. DANE/DNSSEC is great for that, or will be when it is
> more generally available, but IMHO we might need to wait *years* for
> that to happen. Thus the work we've been doing on POSH as an interim
> solution:
> http://datatracker.ietf.org/doc/draft-miller-posh/
> See also the domain name associations spec:
> http://datatracker.ietf.org/doc/draft-ietf-xmpp-dna/
> Matt Miller and I plan to update both of those by the end of next week.
> Peter


Not completely unrelated to this topic, the past couple of days I've been
working on a tool to test the encryption settings of XMPP servers, similar to
the test offered by ssllabs. It applies the same grading algorithm as ssllabs
and I'm working on adding all the warnings and diagnostics provided by that
test, and some more specific to XMPP. The tool itself can be found here:


But it is still rather unpolished.

I have used it to test the encryption used by the list of servers on xmpp.net
and published those reports:



Conclusions are that many offer weak encryption. SSLv2 was deprecated before
the first Jabber server was written and is known to be badly broken. Many
servers offer DES, or even EXPORT DES, which can be cracked in seconds
nowadays. Nearly all servers respect the client's ordering of ciphers, meaning
a badly configured client can end up using those ciphers (and yes, I know
Adium is not free of blame here).

The script tries to determine the cipher a specific client will use, though
this should be taken as an estimation. Specific versions of other components
might influence the results too (version of OpenSSL/NSS/etc. installed).

While I think offering this as a website like https://ssllabs.com a great
option, setting that up securely would be a bit more work then I'm willing to
put into that. The script can take a couple of minutes to run (it has to open
around 30 connections) and with SRV records potentially pointing at any port
on any server, this would be open to abuse. So for now I can test a server
manually and publish the report, I will try to scan the xmpp.net list every
couple of months and those that want to can grab the code themselves.

I hope this helps!


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 841 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mail.jabber.org/pipermail/jdev/attachments/20130828/80f1c282/attachment.pgp>

More information about the JDev mailing list