Project

General

Profile

Feature #612

Configure Prosody To Use Forward Secrecy

Added by Daniel Curtis over 2 years ago. Updated over 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
XMPP Server
Target version:
Start date:
05/02/2015
Due date:
% Done:

100%

Estimated time:
0.50 h
Spent time:

Description

This is a guide for setting up forward secrecy with Prosody XMPP server.

Prepare the Environment

  • Make sure the system is up to date:
    apt-get update && apt-get upgrade
    

Harden Prosody

Prosody automatically defaults to use forward secrecy is the host system supports it. However, a DH paramater file is not created during installation.

  • Generate a DH parameter file:
    openssl dhparam -out /etc/prosody/certs/dh-2048.pem
    
  • Now edit the prosody config file:
    nano /etc/prosody/prosody.cfg.lua
    
    • And modify the ssl location:
      ssl = {
              key = "/etc/prosody/certs/prosody.example.com.key";
              certificate = "/etc/prosody/certs/prosody.example.com.crt";
              options = { "no_sslv2", "no_ticket", "no_compression", "no_sslv3" };
              ciphers = "HIGH+kEDH:HIGH+kEECDH:HIGH:!CAMELLIA:!PSK:!SRP:!3DES:!aNULL";
              dhparam = "/etc/prosody/certs/dh-2048.pem";
      }
      
    • NOTE: Make sure to have luasec 0.5 or higher for DHE and ECDHE to work properly.

Testing

  • Test the connection with starttls:
    openssl s_client -starttls xmpp -connect prosody.example.com:5269
    
    • Truncated output:
      SSL-Session:
          Protocol  : TLSv1.2
          Cipher    : ECDHE-RSA-AES256-GCM-SHA384
      

Resources

History

#1 Updated by Daniel Curtis over 2 years ago

  • Status changed from New to Resolved
  • % Done changed from 0 to 100

#2 Updated by Daniel Curtis over 2 years ago

  • Status changed from Resolved to Closed

Also available in: Atom PDF