Why Server-to-server Encryption?

As shown in the following figure, messages transmitted to and from other Jabber servers can be intercepted in case client connections (c2s) or connections to other Jabber servers (s2s) are unencrypted. In this situation, it is fairly easy for a cracker or script-kiddie to intercept your users' conversations.

Encryption of both client-to-server (c2s) connections and server-to-server (s2s) connections, on the contrary, do never allow malicious people to read your users' conversations. As can be seen in the third figure, spyholes are indeed gone.

Available Security Methods

XMPP-Core provides encryption and authentication mechanisms:

• TLS is used to secure the stream from tampering and eavesdropping.
• SASL is used to authenticate a stream.

A XMPP compliant server implementation MUST support both TLS and SASL for inter-domain communications. For historical reasons, a compliant implementation SHOULD also support Server Dialback.

Currently Supported by ejabberd

Since ejabberd 1.0.0, connections between servers can user STARTTLS encryption. Two authentication methods are available: Dialback and SASL.

Configuration

1. Update to ejabberd 1.0.0 or newer.
2. Add these lines to ejabberd's configuration file:

   {s2s_use_starttls, true}. 
   {s2s_certfile, "/path/to/ssl.pem"}.

3. Restart ejabberd.
4. From now on, ejabberd will try to use encryption when connecting to another Jabber server. If the other server does not support encryption, ejabberd will fall back to an unencrypted connection.

Compatilibity

The following table lists the results of compatibility testing between ejabberd and other Jabber server implementations. When public Jabber servers are available, they are included so that you can try it yourself. Feel free to add a comment to this page, when you have tested against a not tested server.

Verify if it Works

You can verify if the encryption of server-to-server (s2s) connections is working correctly on your server by performing next steps:

1. Create a new file in the ejabberd source directory with the name checktls.erl and the content:

   -module(checktls).
   -export([check/0]).
   
   check() ->
           check(mnesia:dirty_first(s2s), {0, {plain, 0, []}, {starttls, 0, []}, {unknown, 0, []}}).
   
   check('$end_of_table', Res) ->
           Res;
   
   check(A, {Total, {plain, PN, PL}, {starttls, SN, SL}, {unknown, UN, UL}}) ->
           [C] = mnesia:dirty_read(s2s, A),
           {_From, To} = element(2, C),
           {links, E} = erlang:process_info(element(3, C), links),
           Res = case length(E) of
                   1 -> {Total+1, {plain, PN+1, [To|PL]}, {starttls, SN, SL}, {unknown, UN, UL}};
                   2 -> {Total+1, {plain, PN, PL}, {starttls, SN+1, [To|SL]}, {unknown, UN, UL}};
                   _ -> {Total+1, {plain, PN, PL}, {starttls, SN, SL}, {unknown, UN+1, [To|UL]}}
           end,
           check(mnesia:dirty_next(s2s, A), Res).

2. Recompile ejabberd and install.
3. Open an Erlang console attached to the ejabberd node, or start ejabberd without -detached and similar options.
4. Login to your server with any client, and discover STARTTLS-enabled Jabber servers.
5. Finally, return to the Erlang console and check what servers are currently connected using each connection type:

   (ejabberd2@testing)1> checktls:check().
   {16,
    {plain,5,
           ["jivesoftware.com",
            "jabber.com",
            "tigase.org",
            "jabberes.org",
            "igniterealtime.org"]},
    {starttls,11,
              ["xmpp.ru",
               "amessage.de",
               "im.gentoo.org",
               "bulmalug.net",
               "jabber.ru",
               "psi-im.org",
               "process-one.net",
               "jabberd.org",
               "2on.net",
               "gajim.org",
               "jabber.se"]},
    {unknown,0,[]}}