Majic Ansible Roles / Closed Feature request MAR-164: TLS hardening for XMPP server
This issue has been closed with status "Closed" and resolution "RESOLVED".
Issue basics
  • Type of issue
    Feature request
  • Estimated time
    2 hours
  • Time spent
    8 hours

Most of the roles in the Majic Ansible Roles project that employ TLS also deploy some kind of hardening configuration, namely a cipher configuration that provides PFS (perfect forward secrecy). The one exception at the moment is the XMPP server role.

It would be beneficial to harden the XMPP server as well with regard to the selection of TLS ciphers and supported protocols.

The following should be done:

  • Update the xmpp_server role.
    • Perform hardening only on the client-to-server connections. Server-to-server connections should be kept intact for now for compatibility reasons.
    • Introduce role parameter xmpp_tls_ciphers for defining the ciphers supported by the server. Default value should include only ciphers deemed secure and those that provide PFS.
  • Update role reference documentation.
  • Update usage instructions (if relevant to mention the parameter).
  • Update release notes (this is a breaking change).

Additional notes:

Although undocumented, it seems that Prosody 0.10.x and upwards support separate TLS configuration for the c2s and s2s components. Instead of using the (currently documented) ssl section, it is possible to split the settings into the sections

  • c2s_ssl
  • s2s_ssl
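As an added illustration (not configuration from the issue or from the role itself), the following Prosody configuration fragment shows the split the issue describes: a hardened c2s_ssl section and an s2s_ssl section left permissive. The c2s_ssl and s2s_ssl section names come from the issue; the cipher string, the minimum protocol choice and the key/certificate paths are this example's own constructed values.

```lua
-- Added example: Prosody (0.10+) configuration with per-component TLS settings,
-- as proposed in MAR-164. Key/certificate paths and the cipher list are
-- constructed values, not the role's actual defaults.

-- Client-to-server: hardened. Only PFS (ECDHE/DHE) AEAD suites are offered,
-- and anonymous, null, MD5 and RC4 algorithms are explicitly excluded. This
-- string is what a role parameter such as xmpp_tls_ciphers would render here.
c2s_ssl = {
    key         = "/etc/prosody/certs/xmpp.example.com.key";  -- constructed path
    certificate = "/etc/prosody/certs/xmpp.example.com.crt";  -- constructed path
    protocol    = "tlsv1_2+";  -- TLS 1.2 or newer for clients (example's choice)
    ciphers     = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
               .. "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
               .. "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:"
               .. "!aNULL:!eNULL:!MD5:!RC4";
}

-- Server-to-server: deliberately left at Prosody's default protocol and cipher
-- settings, as the issue requests, because remote servers federating with this
-- one may not yet support the hardened set. Only the certificate material is set.
s2s_ssl = {
    key         = "/etc/prosody/certs/xmpp.example.com.key";  -- constructed path
    certificate = "/etc/prosody/certs/xmpp.example.com.crt";  -- constructed path
}
```

Because only c2s_ssl carries the restricted cipher list, client connections get the PFS-only policy while federation with older servers keeps working, which is exactly the compatibility trade-off the issue calls for.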