Upgrade ejabberd to the latest TLS security [UPDATE#2, 2014-06-05]

XMPP Grade Aejabberd is a very fine XMPP server. However, it has very few options to configure its SSL and TLS security settings away from the very weak OpenSSL defaults. The TLS Interposer makes securing TLS used by ejabberd a breeze.

Installation

If you have not installed TLS Interposer yet, please do so now using the TLS Interposer installation instructions.

TLS Interposer Configuration

The following description is for ejabberd 2.1.10 on Ubuntu 12.04 LTS; other Linux-based versions and installations should be easy to adapt.

The tail end of /usr/sbin/ejabberd should look as follows:

umask 027
exec $ERL $SNAME $ERLANG_NODE …

Directly before the exec line, add the following two lines (each starts with export, if your browser wraps them, just undo the additional wrapping):

export LD_PRELOAD=/usr/local/lib/libtlsinterposer.so
export TLS_INTERPOSER_CIPHERS='EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS'

The first line activates TLS Interposer; the second line adds support for RC4 (it is the default cipher set without the trailing „:!RC4“), which is needed for Jitsi.

Update 2014-04-07: You can also put these lines into /etc/default/ejabberd (on Ubuntu and other Debian-based systems, will make updates easier) or /usr/sbin/ejabberdctl (for CentOS).

Update 2014-06-05: You can also put the lines at the beginning (line 2) of /usr/sbin/ejabberdctl (e.g. in CentOS). This should not change functionality but might slow down the system startup by a few milliseconds. Also changed the library name to fit the new name the Makefile on github creates.

Other Configuration

The following parameters might already be set, but let’s double-check. Of course, you first need a key and certificate file.

In /etc/ejabberd/ejabberd.cfg, you should also have the following settings in the listen section:

{5222, ejabberd_c2s, [
{access, c2s},
{shaper, c2s_shaper},
{max_stanza_size, 65536},
%%zlib,
starttls_required, {certfile, "/etc/ejabberd/ejabberd.pem"}
]},

This ensures all clients need to connect via STARTTLS, passwords and messages can only be passed in encrypted form. Further down, outside the listen section, you should also have:

{s2s_use_starttls, true}.
{s2s_certfile, "/etc/ejabberd/ejabberd.pem"}.

For server-to-server communication, STARTTLS currently needs to remain optional. An unscientific study shows about 1/3 of the other servers cannot use STARTTLS, among them Google. For most uses, s2s communication thus cannot be forced to use TLS. If you want at least some privacy for s2s communication, your users have to use OTR.

Now, you too should get an A ranking on xmpp.net. It should look similar to mine.

9 Gedanken zu „Upgrade ejabberd to the latest TLS security [UPDATE#2, 2014-06-05]

  1. frank.einstein

    Hi, I use ejabberd 2.1.13 on CentOS and I can’t reproduce your tutorial, can you please give me a hand of help?

    my jabber is serghei@jabber.ru
    please add me and let me know how to secure my xmpp server, I will appreciate a lot your effort and I can even pay you if is necessary.

    ps, for moment I use jabber.ru because my own server isn’t secured enough.

    • Marcel Waldvogel Autor des Beitrages

      Frank,

      thank you for the interest. As I do not have a CentOS installation right now, I’ll get in touch with you to identify the problem and report the result here for the community.

      • dsp3

        Hi Marcel,
        I have centos 6.5 and am also having issues. I have installed TLS Interposer. However, the lines where you need to add code do not exist in /usr/sbin/ejabberdctl (umask 027 & exec $ERL $SNAME $ERLANG_NODE)
        Running ejabberd 2.1.13
        Thanks

    • Marcel Waldvogel Autor des Beitrages

      A new version is on github, which does not rely on the libssl.so.1.0.0 filename (which is different in CentOS). The current version may map two versions of the SSL library into memory, but it seems cleaner than to determine and hardcode the SSL version number at compile time.

  2. dsp3

    Could you check /usr/sbin/ejabberdctl on CentOS as umask 027 doesn’t exist in this file, so not sure where to add export LD_PRELOAD=/usr/local/lib/tlsinterposer.so
    The version of TLS Interposer builds.

    • Marcel Waldvogel Autor des Beitrages

      I don’t have access to a working ejabberd on CentOS. Near the end of the file should be a line that contains exec $ERL…. Insert it before this line.

      If there is no particular line which is suitable, you can also add it as the second line of the file. This might slow down the startup by a few milliseconds but should make no difference otherwise.

  3. dsp3

    Thanks for the update. I have it working.
    There are some build errors on CentOS, but it does work. Error during make install:
    make install
    mkdir -p /usr/local/lib
    install -p -m755 libtlsinterposer.so /usr/local/lib/libtlsinterposer.so.1.1.0
    ln -s libtlsinterposer.so.1.1.0 /usr/local/lib/libtlsinterposer.so.1
    ln: creating symbolic link `/usr/local/lib/libtlsinterposer.so.1′: File exists
    make: *** [install] Error 1
    Thanks for you efforts.

  4. dsp3

    On Ubuntu with ejabberd 2.1.10 I needed to add export LD_PRELOAD to the end of /etc/default/ejabberd rather than /usr/sbin/ejabberd to get ejabberd to preload tlsinterposer.so
    But it works! 🙂

Schreibe einen Kommentar