Why Server-to-server Encryption?
As shown in the following figure, messages transmitted to and from other Jabber servers can be intercepted if client-to-server (c2s) connections or connections to other Jabber servers (s2s) are unencrypted. In this situation, it is fairly easy for a cracker or script kiddie to intercept your users' conversations.
Encrypting both client-to-server (c2s) and server-to-server (s2s) connections, on the contrary, does not allow malicious people to read your users' conversations. As can be seen in the third figure, the spyholes are indeed gone.
Available Security Methods
XMPP-Core provides encryption and authentication mechanisms:
- TLS is used to secure the stream from tampering and eavesdropping.
- SASL is used to authenticate a stream.
An XMPP-compliant server implementation MUST support both TLS and SASL for inter-domain communications. For historical reasons, a compliant implementation SHOULD also support Server Dialback.
Currently Supported by ejabberd
Since ejabberd 1.0.0, connections between servers can use STARTTLS encryption. Two authentication methods are available: Dialback and SASL.
Configuration
- Update to ejabberd 1.0.0 or newer.
- Add these lines to ejabberd's configuration file:
    {s2s_use_starttls, true}.
    {s2s_certfile, "/path/to/ssl.pem"}.
- Restart ejabberd.
- From now on, ejabberd will try to use encryption when connecting to another Jabber server. If the other server does not support encryption, ejabberd will fall back to an unencrypted connection.
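Whether the other server supports encryption is decided by its first stream features element: a peer that offers STARTTLS includes a <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/> child, optionally marked <required/>. The following added example (not from this page or the ejabberd project) classifies such a reply and can probe a server's s2s port for it; the port 5269 default, the socket handling and the sample replies are this example's own assumptions.

```python
import socket
import xml.etree.ElementTree as ET

STREAM_NS = "http://etherx.jabber.org/streams"
TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
FEATURES_END = "</stream:features>"

def classify_features(reply):
    # Returns 'plain', 'starttls', 'starttls-required', or 'unknown' when no features
    # arrived (a pre-XMPP-1.0 peer just opens the stream and waits for dialback).
    start = reply.find("<stream:features")
    tag_end = reply.find(">", start)
    end = reply.find(FEATURES_END, tag_end)
    if start < 0 or tag_end < 0:
        return "unknown"
    if reply[tag_end - 1] == "/":                   # empty <stream:features/>: no TLS
        return "plain"
    if end < 0:
        return "unknown"
    # Re-wrap the element so the stream: prefix resolves for the XML parser.
    root = ET.fromstring(f"<stream:stream xmlns:stream='{STREAM_NS}' xmlns='jabber:server'>"
                         f"{reply[start:end + len(FEATURES_END)]}</stream:stream>")
    tls = root.find(f"{{{STREAM_NS}}}features/{{{TLS_NS}}}starttls")
    if tls is None:
        return "plain"
    return "starttls-required" if tls.find(f"{{{TLS_NS}}}required") is not None else "starttls"

def probe(peer, origin, port=5269, timeout=5.0):
    # Open a jabber:server stream to the peer's s2s port and classify what it advertises.
    header = ("<?xml version='1.0'?><stream:stream xmlns='jabber:server' "
              f"xmlns:stream='{STREAM_NS}' from='{origin}' to='{peer}' version='1.0'>")
    buf = b""
    with socket.create_connection((peer, port), timeout=timeout) as sock:
        sock.sendall(header.encode())
        while FEATURES_END.encode() not in buf and b"<stream:features/>" not in buf:
            try:
                chunk = sock.recv(4096)
            except socket.timeout:
                break                               # nothing more coming: legacy peer
            if not chunk:
                break
            buf += chunk
        sock.sendall(b"</stream:stream>")
    return classify_features(buf.decode(errors="replace"))

# Constructed replies (not captured from real servers), as a peer's stream would carry them.
SAMPLE_TLS = f"<stream:features><starttls xmlns='{TLS_NS}'/></stream:features>"
SAMPLE_TLS_REQUIRED = f"<stream:features><starttls xmlns='{TLS_NS}'><required/></starttls></stream:features>"
SAMPLE_PLAIN = "<stream:features><dialback xmlns='urn:xmpp:features:dialback'/></stream:features>"
```

Run probe("your.domain.example", "your.domain.example") against your own server to confirm it advertises STARTTLS before relying on s2s encryption.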
Compatibility
The following table lists the results of compatibility testing between ejabberd and other Jabber server implementations. When public Jabber servers are available, they are included so that you can try it yourself. Feel free to add a comment to this page when you have tested against a server that is listed as not tested.
| Server | STARTTLS and Dialback | STARTTLS and SASL |
|---|---|---|
| Antepo OPN | not tested | not tested |
| ejabberd | works (jabber.ru, e.jabber.ru) | not tested |
| Jabber XCP | not tested | not tested |
| jabberd14 | works (amessage.de) | unsupported (in the works) |
| jabberd2 | works (im.gentoo.org) | unsupported |
| Wildfire | not tested | not tested |
| Merak | not tested | unsupported |
| Sun Java System Instant Messaging | not tested | not tested |
| SoapBox Server | not tested | not tested |
| TIMP.NET | not tested | unsupported |
| OpenIM | unsupported | not tested |
| psycMUVE | unsupported | unsupported |
| WPJabber | unsupported | unsupported |
| xmppd.py | not tested | unsupported |
Verify if it Works
You can verify that encryption of server-to-server (s2s) connections is working correctly on your server by performing the following steps:
- Create a new file named checktls.erl in the ejabberd source directory with the following content:
    -module(checktls).
    -export([check/0]).

    %% Walk the s2s table and count outgoing connections by connection type.
    check() ->
        check(mnesia:dirty_first(s2s),
              {0, {plain, 0, []}, {starttls, 0, []}, {unknown, 0, []}}).

    check('$end_of_table', Res) ->
        Res;
    check(A, {Total, {plain, PN, PL}, {starttls, SN, SL}, {unknown, UN, UL}}) ->
        [C] = mnesia:dirty_read(s2s, A),
        {_From, To} = element(2, C),
        %% Classify by the number of processes linked to the connection process:
        %% one for a plain connection, two once STARTTLS is in use, anything
        %% else for a connection that is not yet established.
        {links, E} = erlang:process_info(element(3, C), links),
        Res = case length(E) of
                  1 -> {Total+1, {plain, PN+1, [To|PL]}, {starttls, SN, SL}, {unknown, UN, UL}};
                  2 -> {Total+1, {plain, PN, PL}, {starttls, SN+1, [To|SL]}, {unknown, UN, UL}};
                  _ -> {Total+1, {plain, PN, PL}, {starttls, SN, SL}, {unknown, UN+1, [To|UL]}}
              end,
        check(mnesia:dirty_next(s2s, A), Res).
- Recompile ejabberd and install.
- Open an Erlang console attached to the ejabberd node, or start ejabberd without -detached and similar options.
- Log in to your server with any client, and discover STARTTLS-enabled Jabber servers.
- Finally, return to the Erlang console and check which servers are currently connected using each connection type:
    (ejabberd2@testing)1> checktls:check().
    {16,
     {plain,5,
      ["jivesoftware.com", "jabber.com", "tigase.org", "jabberes.org",
       "igniterealtime.org"]},
     {starttls,11,
      ["xmpp.ru", "amessage.de", "im.gentoo.org", "bulmalug.net", "jabber.ru",
       "psi-im.org", "process-one.net", "jabberd.org", "2on.net", "gajim.org",
       "jabber.se"]},
     {unknown,0,[]}}
I get an error running checktls
I get the following error running this function:
Is this due to having an incompatible version of ejabberd? I'm running version 1.1.1.
Small bug, try the new version
Is this due to having an incompatible version of ejabberd? I'm running version 1.1.1.
No, it means at least one server is not yet connected. Try the new version, it includes a new result 'unknown' for servers that are not yet known to be plain or starttls.