Majic Projects
Feature request MAR-164: TLS hardening for XMPP server (Open)
Issue basics
  • Type of issue: Feature request
  • Category: Not determined
  • Targeted for: 5.0.0
  • Status: New
  • Priority: Not determined
User pain
  • Type of bug: Not triaged
  • Likelihood: Not triaged
  • Effect: Not triaged
Times and dates
  • Estimated time: 2 hours
  • Time spent: No time spent
Issue details
  • Attachments (0): nothing attached
  • Duplicate issues (0): none
Description

Most of the roles included in the Majic Ansible Roles project that employ TLS also deploy some kind of hardening configuration, namely the configuration for PFS (perfect forward secrecy) ciphers. One exception at the moment is the XMPP server role.

It would be beneficial to harden the XMPP server as well with respect to the selection of TLS ciphers and supported protocols.

The following should be done:

  • Update the xmpp_server role.

    • Perform hardening only on the client-to-server connections. Server-to-server connections should be kept intact for now for compatibility reasons.
    • Introduce the role parameter xmpp_tls_ciphers for defining the ciphers supported by the server. The default value should include only ciphers that are deemed secure and that provide PFS.
  • Update role reference documentation.
  • Update usage instructions (if relevant to mention the parameter).
  • Update release notes (this is a breaking change).
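Picking the default for xmpp_tls_ciphers means making sure that whatever OpenSSL cipher string ends up in the role really expands to forward-secret suites only. The script below is an added example for this issue, not code from the Majic Ansible Roles project: it asks the ssl module (and therefore the linked OpenSSL) to expand a cipher string and reports every selected suite whose key exchange is not ephemeral (EC)DH. CANDIDATE_DEFAULT is a constructed, hypothetical value, not the role's actual default.

```python
"""Check that an OpenSSL cipher string selects only forward-secret (PFS)
cipher suites, using the ssl module's view of the linked OpenSSL.

Added example for issue MAR-164; not code from the Majic Ansible Roles
project. CANDIDATE_DEFAULT is a constructed, hypothetical value for the
proposed xmpp_tls_ciphers parameter, not the role's real default.
"""
import ssl

# Key-exchange long names OpenSSL reports for ephemeral (EC)DH suites in
# TLS 1.2 and earlier. TLS 1.3 suites are always forward secret and are
# recognised by protocol instead, because OpenSSL reports their kx as "any".
PFS_KEY_EXCHANGE = {"kx-ecdhe", "kx-dhe"}

# Constructed candidate default: AEAD suites with ECDHE or DHE key exchange,
# no anonymous suites, no MD5.
CANDIDATE_DEFAULT = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5"


def expand_cipher_string(cipher_string):
    """Return the cipher descriptions OpenSSL selects for cipher_string.

    TLS 1.3 suites are listed as well, because set_ciphers() only governs
    TLS <= 1.2 and OpenSSL enables the TLS 1.3 suites separately.
    Raises ssl.SSLError when the string selects no cipher at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()


def is_forward_secret(cipher):
    """True for TLS 1.3 suites and for TLS <= 1.2 suites using (EC)DHE."""
    if cipher["protocol"] == "TLSv1.3":
        return True
    return cipher["kea"] in PFS_KEY_EXCHANGE


def non_pfs_ciphers(cipher_string):
    """Names of the selected suites that do NOT provide forward secrecy."""
    return [c["name"] for c in expand_cipher_string(cipher_string)
            if not is_forward_secret(c)]


def cipher_string_is_valid(cipher_string):
    """False when OpenSSL rejects the string (typo, or nothing selected)."""
    try:
        expand_cipher_string(cipher_string)
    except ssl.SSLError:
        return False
    return True


def is_pfs_only(cipher_string):
    """Predicate for a role default: the string is valid and all-PFS."""
    if not cipher_string_is_valid(cipher_string):
        return False
    return not non_pfs_ciphers(cipher_string)


if __name__ == "__main__":
    # Report the constructed candidate next to a deliberately mixed string
    # that also admits a static-RSA suite (no forward secrecy).
    for label, value in [("candidate default", CANDIDATE_DEFAULT),
                         ("mixed example", "ECDHE+AESGCM:AES256-GCM-SHA384")]:
        bad = non_pfs_ciphers(value)
        print(f"{label}: {value}")
        print("  PFS only" if not bad else f"  non-PFS suites: {', '.join(bad)}")
```

Run it against the exact string that will become the role default; the expansion is done by the OpenSSL the script is linked against, so for a faithful answer run it on the same distribution and OpenSSL version the Prosody host will use.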

Additional notes:

Although undocumented, it seems that Prosody 0.10.x and upwards supports separate TLS configuration for the c2s and s2s components. Instead of using the (currently documented) ssl section, it is possible to split the settings into the sections:

  • c2s_ssl
  • s2s_ssl