Majic Projects ~ [CLOSED] MAR-164 - TLS hardening for XMPP server

Majic Projects

Majic Ansible Roles

Projects
Wiki
- Quick links
- Wiki
- Project wikis
- Conntrackt
- Django Pydenticon
- Gimmecert
- Majic Ansible Roles
- Pydenticon
- Scripts
- Global content

You are not logged in

Majic Ansible Roles / Closed Feature request MAR-164 TLS hardening for XMPP server

Votes

This issue has been closed with status "Closed" and resolution "RESOLVED".

- No additional actions available

Issue basics

Type of issue

Feature request Unknown issue type
Issue label

No label set
Category

Not determined
Targetted for

5.0.0 Not determined
Status

Closed

Status not determined
Progress
Priority

Not determined

Affected by this issue (0)

There are no items

People involved

Posted by
branko (@branko)

Branko Majic
@branko

Last seen online at Apr 15, 2024 - 10:15

Show user details
Owned by

Not owned by anyone
Assigned to
branko (@branko)

Branko Majic
@branko

Last seen online at Apr 15, 2024 - 10:15

Show user details
Not assigned to anyone
Subscribers

0 subscriber(s)

Click here to show the list of subscribers

Times and dates

Posted at

May 19, 2020
Last updated

Nov 22, 2020
Estimated time

2 hours Not estimated
Time spent

8 hours No time spent

Click here to see time logged against this issue

Issue details

Resolution

RESOLVED Not determined
Reproducability

Not determined
Severity

Not determined

Attachments (0)

There is nothing attached to this issue

Child issues (0)

This issue does not have any child issues

Duplicate issues (0)

This issue does not have any duplicates

Show / hide more details »

Description

Most of the roles included in Majic Ansible Roles project that employ TLS have some kind of hardening configuration deployed as well - namely the configuration for PFS (perfect forward secrecy) ciphers. One exception at the moment is the XMPP server role.

It would be beneficial to perform hardening of the XMPP server as well when it comes down to selection of TLS ciphers and supported protocols.

The following should be done:

Update the xmpp_server role.
- Perform hardening only on the client-to-server connections. Server-to-server connections should be kept intact for now for compatibility reason.
- Introduce role parameter xmpp_tls_ciphers for defining the ciphers supported by the server. Default value should include only ciphers deemed secure and those that provide PFS.
Update role reference documentation.
Update usage instructions (if relevant to mention the parameter).
Update release notes (this is a breaking change).

Additional notes:

Although undocumented, it seems that Prosody 0.10.x and upwards supports having separate TLS configuration for c2s and s2s components. Instead of using the (currently documented) ssl section, it is possible to separate settings into sections

c2s_ssl
s2s_ssl

Todos (0 / 0)

Options

Issue created

Welcome to The Bug Genie

Log in with your username and password