%%\subsection{Instant Messaging Systems}
\subsubsection{XMPP / Jabber}
\subsubsection{General server configuration recommendations}
For servers, we mostly recommend applying what is proposed in {\it Peter's manifesto}\footnote{\url{https://github.com/stpeter/manifesto}}:
\begin{itemize}
\item require the use of TLS for both client-to-server and server-to-server connections
\item prefer or require TLS cipher suites that enable forward secrecy
\item deploy certificates issued by well-known and widely-deployed certification authorities (CAs)
\end{itemize}
Since the last point is out of scope for this section, we only cover the first two.
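A small client-side check of the first point, added here as an example and not part of the original guide: it opens a plain-text stream to a server's client port and reports whether STARTTLS is advertised as required, optional or absent in the stream features (RFC 6120, section 5.4). The host, port and the embedded sample feature sets are assumptions constructed for the example.

```python
import socket
import xml.etree.ElementTree as ET

TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
STREAM_NS = "http://etherx.jabber.org/streams"

# Constructed <stream:features> samples: a manifesto-compliant server marks
# STARTTLS as <required/>; a merely TLS-capable one only offers it.
FEATURES_REQUIRED = (f"<stream:features xmlns:stream='{STREAM_NS}'>"
                     f"<starttls xmlns='{TLS_NS}'><required/></starttls></stream:features>")
FEATURES_OPTIONAL = (f"<stream:features xmlns:stream='{STREAM_NS}'>"
                     f"<starttls xmlns='{TLS_NS}'/></stream:features>")

def starttls_status(features_xml: str) -> str:
    """Classify a <stream:features> element as 'required', 'optional' or 'absent'."""
    root = ET.fromstring(features_xml)
    starttls = root.find(f"{{{TLS_NS}}}starttls")
    if starttls is None:
        return "absent"
    if starttls.find(f"{{{TLS_NS}}}required") is not None:
        return "required"
    return "optional"

def probe(host: str, port: int = 5222, domain: str = "", timeout: float = 5.0) -> str:
    """Open a plain stream to host:port and classify the first <stream:features>."""
    header = (f"<?xml version='1.0'?><stream:stream to='{domain or host}' version='1.0' "
              f"xmlns='jabber:client' xmlns:stream='{STREAM_NS}'>")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(header.encode())
        buf = b""
        while b"</stream:features>" not in buf:  # features end the server's first burst
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("stream closed before <stream:features>")
            buf += chunk
        sock.sendall(b"</stream:stream>")
    text = buf.decode("utf-8", errors="replace")
    fragment = text[text.index("<stream:features"):text.index("</stream:features>") + 18]
    # The fragment relies on the stream: prefix declared on <stream:stream>;
    # redeclare it so the fragment parses on its own.
    fragment = fragment.replace("<stream:features", f"<stream:features xmlns:stream='{STREAM_NS}'", 1)
    return starttls_status(fragment)

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], domain=sys.argv[2] if len(sys.argv) > 2 else ""))
```

Run it as `python check_starttls.py xmpp.example.org` (a placeholder host); anything other than `required` on port 5222 means clients may still authenticate in clear text.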
\item[Tested with Version:] Debian Wheezy 2.1.10-4+deb7u1
\item[Settings:] \mbox{}
ejabberd is one of the popular Jabber servers. To comply with the manifesto, adapt your
configuration\footnote{\url{http://www.process-one.net/docs/ejabberd/guide_en.html}} as follows:
\begin{lstlisting}[breaklines]
{listen,
 [
  {5222, ejabberd_c2s, [
            {max_stanza_size, 65536},
            starttls_required,   % clients must negotiate TLS before authenticating
            {certfile, "/etc/ejabberd/ejabberd.pem"}
           ]},
  {5269, ejabberd_s2s_in, [
            {max_stanza_size, 131072}
           ]}
 ]}.
% only accept and initiate s2s connections over TLS with a trusted certificate
{s2s_use_starttls, required_trusted}.
{s2s_certfile, "/etc/ejabberd/ejabberd.pem"}.
\end{lstlisting}
\item[Additional settings:]
Older versions of ejabberd ($<$ 2.0.0) need to be patched\footnote{\url{http://hyperstruct.net/2007/06/20/installing-the-startcom-ssl-certificate-in-ejabberd/}} before they can parse all of the certificates in the CA chain.
Newer versions of ejabberd support specifying the cipher string in the configuration file; see the commit message at \url{https://github.com/processone/ejabberd/commit/1dd94ac0d06822daa8c394ea2da20d91c8209124}. However, at the time of writing this change had not yet made it into the stable release.
\item[How to test:] \url{https://xmpp.net} is a practical website for testing Jabber server configurations.
\subsubsection{Chat privacy - Off-the-Record Messaging (OTR)}
The OTR protocol works on top of the Jabber protocol\footnote{\url{https://otr.cypherpunks.ca/Protocol-v3-4.0.0.html}}.
It adds the following properties to encrypted chats in popular chat clients (Adium, Pidgin, ...):
\item Authentication
It basically uses Diffie-Hellman, AES and SHA-1.
No specific configuration is required, but the protocol itself is worth mentioning.
\todo{Quick draft -- to complete / review / validate}
There are numerous implementations of IRC servers. In this section we choose {\it Charybdis}, which serves as the basis for {\it ircd-seven}\footnote{\url{https://dev.freenode.net/redmine/projects/ircd-seven}}, developed and used by freenode. Freenode is currently the biggest IRC network\footnote{\url{http://irc.netsplit.de/networks/top10.php}}. {\it Charybdis} is part of the {\it Debian} and {\it Ubuntu} distributions.
\begin{lstlisting}[breaklines]
#loadmodule "extensions/chm_sslonly_compat.so";
loadmodule "extensions/extb_ssl.so";
/* Standard piece of information */
ssl_private_key = "etc/test.key";
ssl_cert = "etc/test.cert";
ssl_dh_params = "etc/dh.pem";
# set ssld_count as number of cores - 1
/* IPv6 configuration */
\end{lstlisting}
SILC is an instant messaging protocol publicly released in 2000. It is a secure-by-default chat protocol thanks to the generalised use of symmetric encryption. Keys are generated by the server, meaning that if the server is compromised, communication could be compromised as well.
The protocol is not really popular anymore.