update on xmpp / jabber

as a short update on the self hosted jabber post I like to add some more security related information.

Various options are available to secure your site even more. Not all are useful, but some might have some impact. If you use IM Observatory to check the status of your installed jabber system you might notice that it will check the TLSA keys of your server.

Basically TLSA records will force clients to use a encrypted connection and only with a certificate that matches the record. But only if the client make knows how to work with that. Some more details in RFC 6698.

Using Let's Encrypt and the fast renewal makes that signing and creation of the records not very easy - special if you want to have everything automated.

I came a cross this posting about lets encrypt and DANE for SMTP Servers and the author explained the problems very well. In addition he spotted the way that will work.

You need to create a 3 1 1 TLSA record that works with persistent private key and allows the public key to change.

In my setup it was easy to adopt his given scripts to create the needed records and after that add them to my DNS.

printf '_5269._tcp.%s. IN TLSA 3 1 1 %s\n' \
        jabber.jalogisch.de \
        $(openssl x509 -in /etc/prosody/certs/jalogisch.de.crt -noout -pubkey |
            openssl pkey -pubin -outform DER |
            openssl dgst -sha256 -binary |
            hexdump -ve '/1 "%02x"')

printf '_5222._tcp.%s. IN TLSA 3 1 1 %s\n' \
        jabber.jalogisch.de \
        $(openssl x509 -in /etc/prosody/certs/jalogisch.de.crt -noout -pubkey |
            openssl pkey -pubin -outform DER |
            openssl dgst -sha256 -binary |
            hexdump -ve '/1 "%02x"')

Now your rating is extra ordinary high and you got some more additional knowledge that might be useful some day.

The xmpp status by IM Observatory will now be A rated:

IM observatory score

Show Comments