OpenFire and Ciphers

OpenFire.

Running Openfire for XMPP is fun, as it is a fully featured server that brings its own web interface. I have been running it for nearly a decade now.

Openfire is a real time collaboration (RTC) server licensed under the Open Source Apache License. It uses the only widely adopted open protocol for instant messaging, XMPP (also called Jabber). Openfire is incredibly easy to setup and administer, but offers rock-solid security and performance.

Scoring.

Most distributions ship Openfire as a package, though not always a current one; to be on the safe side, install the .deb or .rpm files from the developers' homepage. Installation is straightforward, as configuration is done through the web interface: all you need is an up-and-running MySQL (or MariaDB) server and off you go. I will not go into installing those packages in this article; I assume you are able to get things running yourself. If not, the remainder of this article is not for you – yet.

The trouble starts when you try to get a good grade over at xmpp.net:

xmpp.net score


DNSSEC

Short version: We now have a fully working DNSSEC infrastructure, complete with DANE!

The Domain Name System Security Extensions (DNSSEC) is a suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks. It is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality.

– Wikipedia entry for DNSSEC.

Implementing DNSSEC itself is fairly easy; there are plenty of good howtos out there. The trick is to make it work with Puppet and several DNS servers at once. I don't want any hassle with the DNSSEC part, ever: if I change a DNS zone in my Puppet manifest, the change has to be published on the DNS servers, which in turn have to handle the signing themselves. But if Puppet manages the zone files, the signed zone files get wiped the moment it enforces its own copy. So that was the tricky bit.

Plus, I host several other domains whose admins want to enjoy DNSSEC without any hassle. With my current implementation of Puppet and DNS it works! \o/

DANE enables the administrator of a domain name to certify the keys used in that domain’s TLS servers by storing them in the Domain Name System (DNS). DANE needs DNS records to be signed with DNSSEC.

– Wikipedia on DANE.

DANE was rather easy once DNSSEC was online: because the zones are trusted (their signatures verify), the TLSA records in them are trusted too. It's a shame that most browsers do not yet support DANE; you can add TLSA/DANE support by installing an add-on.

See for yourself:

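Deriving the TLSA records from the server certificate, as an added example that is not part of the original post (nor Openfire's or the author's own tooling): the script generates a throwaway self-signed certificate with openssl in place of the real jabber.alpha-labs.net certificate and prints the two usual DANE-EE forms, selector 0 (hash of the whole certificate) and selector 1 (hash of the public key only, which keeps the record valid across renewals as long as the key pair is reused). The host name, the ports 5222/5269 and the temporary file names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): build DANE TLSA records for an
# XMPP service from a PEM certificate. Requires the openssl command-line tool.
set -eu

# SHA-256 of the DER-encoded certificate: TLSA "3 0 1" (usage 3 = DANE-EE,
# selector 0 = full certificate, matching type 1 = SHA-256).
tlsa_cert_hash() {    # $1 = PEM certificate file
    openssl x509 -in "$1" -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# SHA-256 of the DER-encoded SubjectPublicKeyInfo: TLSA "3 1 1" (selector 1).
# Pinning the key instead of the certificate means the record stays valid
# when the certificate is renewed with the same key pair.
tlsa_spki_hash() {    # $1 = PEM certificate file
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Print a complete resource record in zone-file syntax. DANE-EE records carry
# no CA chain at all, which is why the zone has to be DNSSEC-signed.
# $1 = PEM certificate, $2 = host name, $3 = TCP port, $4 = selector (0 or 1)
tlsa_record() {
    if [ "$4" -eq 1 ]; then
        hash=$(tlsa_spki_hash "$1")
    else
        hash=$(tlsa_cert_hash "$1")
    fi
    printf '_%s._tcp.%s. IN TLSA 3 %s 1 %s\n' "$3" "$2" "$4" "$hash"
}

# Constructed input: a throwaway self-signed certificate standing in for the
# real server certificate (assumed names; nothing here touches the network).
XMPP_HOST=jabber.alpha-labs.net
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CERT=$WORK/cert.pem
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/key.pem" -out "$CERT" \
    -subj "/CN=$XMPP_HOST" -days 1 >/dev/null 2>&1

# Client (5222) and server-to-server (5269) records, both selector forms.
for port in 5222 5269; do
    tlsa_record "$CERT" "$XMPP_HOST" "$port" 0
    tlsa_record "$CERT" "$XMPP_HOST" "$port" 1
done
```

Publish whichever form you will actually maintain: with selector 0 every renewed certificate needs a new record (and the old record must stay until the old certificate is gone), with selector 1 only a key rollover does.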

Jabber Encryption

Hey all,

In line with the Jabber manifesto, the Jabber admins who signed it have agreed to encrypt the XMPP network completely. Accordingly, only encrypted connections are possible here, server-to-server as well as client-to-server. You will need to enable encryption in your client if you have not done so already.

alpha-labs.net used to offer both encrypted and unencrypted connections between servers, because not all server administrators offered secured connections on their end. During this network-wide switch some connections between servers may be disrupted: starting today, alpha-labs.net no longer establishes or accepts unencrypted connections.
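What a client sees when a server enforces this, as an added example that is not from the original post: under RFC 6120 the client opens a stream and the server answers with its stream features; a server that refuses plaintext lists STARTTLS with a `<required/>` child (and, per the RFC, nothing else until TLS is up), after which the client sends `<starttls/>`, receives `<proceed/>` and runs the TLS handshake. The stream features below are constructed samples, not captures from alpha-labs.net, and the classifier is a textual check rather than an XML parser.

```shell
#!/bin/sh
# Added example (not from the original post): the XMPP stream opening and a
# check of whether the server marks STARTTLS as required (RFC 6120 section 5).
set -eu

# 1. Client opens the stream on port 5222; 'to' is the domain from the JID.
CLIENT_STREAM_HEADER="<?xml version='1.0'?><stream:stream to='alpha-labs.net' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>"

# 2. Server answers with its own stream header and a <stream:features/> element.
#    Constructed samples of the three cases a client can meet:
FEATURES_REQUIRED="<stream:features><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls></stream:features>"
FEATURES_OPTIONAL="<stream:features><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/><mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><mechanism>PLAIN</mechanism></mechanisms></stream:features>"
FEATURES_NONE="<stream:features><mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><mechanism>PLAIN</mechanism></mechanisms></stream:features>"

# 3. Client asks for TLS; the server replies <proceed/> (or <failure/>), both
#    sides run the TLS handshake and then restart the stream over it.
CLIENT_STARTTLS="<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"
SERVER_PROCEED="<proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"

# Classify the server's stream features as "required", "optional" or "none".
# Textual check, fine for a features element on one line; <required/> also
# occurs in other features (resource binding, for one), so it only counts
# when it sits between <starttls ...> and </starttls>.
starttls_policy() {
    case $1 in
        *'<starttls'*'<required/>'*'</starttls>'*) echo required ;;
        *'<starttls'*)                              echo optional ;;
        *)                                          echo none ;;
    esac
}

# A client configured to require encryption (as the post asks) continues only
# when STARTTLS is offered at all; with FEATURES_NONE it must abort instead of
# falling back to SASL PLAIN over the cleartext socket. Exit status 0 = go on.
client_may_continue() {    # $1 = server features, $2 = "require-tls" or "allow-plain"
    policy=$(starttls_policy "$1")
    if [ "$policy" = none ] && [ "$2" = require-tls ]; then
        return 1
    fi
    return 0
}

# Capturing real features from a server (needs network; shown, not run here):
#   printf '%s' "$CLIENT_STREAM_HEADER" | nc -w 3 jabber.alpha-labs.net 5222
# The server-to-server side (port 5269, xmlns='jabber:server') works the same way.

printf 'client -> %s\n' "$CLIENT_STREAM_HEADER"
printf 'server -> %s\n' "$FEATURES_REQUIRED"
printf 'policy: %s\n' "$(starttls_policy "$FEATURES_REQUIRED")"
printf 'client -> %s\n' "$CLIENT_STARTTLS"
printf 'server -> %s\n' "$SERVER_PROCEED"
```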

New certificates

Hey folks,

I just rolled out new StartSSL-signed Class 2 certificates for several domains, including the Jabber server and all Jabber front-ends. As they are signed by a CA that browsers and operating systems already trust, you should no longer see any errors or warnings.

The current fingerprint for the jabber certificate is

Fingerprint=8A:C9:F2:A7:48:A6:D4:63:94:13:82:29:C9:15:33:74:29:30:36:FF

I moved to the new policy of…

– signing all public services with officially signed certificates,
– signing all private services with my own certificate-authority.

One would think that a “self”-signed certificate for Jabber would not actually matter, but the number of TLS-connected clients has doubled since the rollout of the new signed certificates. Sigh.

Jabber Certificates Updated

Hello folks,

Edit: This has been superseded by newer certs.

All of you who use the XMPP server may have been greeted today with a “certificate changed” message. I just installed certificates signed by our own certificate authority. If you have installed that certificate authority on your system, the transition should have been transparent.

Depending on the key type of the cipher suite your client negotiates, it will be shown either the RSA or the DSA certificate; here are the fingerprints of both:

alpha-labs.net_rsa, 21-Mar-2014, 
Certificate fingerprint (MD5): F0:F4:FD:F9:F8:59:4F:F7:31:88:16:98:98:1D:32:22

alpha-labs.net_dsa, 21-Mar-2014, 
Certificate fingerprint (MD5): A6:54:39:89:B5:7E:13:1E:1D:9F:B3:6C:CC:05:AF:64

This might be a good time to import the certificate authority. Otherwise you will have to import the new certificate again every year.
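Checking a server certificate against a published fingerprint, as an added example that is not from the original post, the author's tooling or Openfire: `fetch_xmpp_cert` pulls the certificate the server presents after STARTTLS, `cert_fingerprint` prints it in the colon-separated form used above, and `fingerprint_matches` compares it with a pinned value while ignoring case and colons. The demonstration at the bottom runs against a freshly generated self-signed certificate, since the real one is not on this page; the host and file names are assumptions. The fingerprints published here are MD5; the same functions take sha256, which is the digest to pin wherever a client offers it, because MD5 is no longer collision resistant.

```shell
#!/bin/sh
# Added example (not from the original post): verify an XMPP server
# certificate against a pinned fingerprint. Requires the openssl tool.
set -eu

# Fetch the certificate presented after STARTTLS on the client port (needs
# network, so it is not run in the demo below). -xmpphost selects the XMPP
# domain when one server hosts several and needs OpenSSL 1.1.0 or newer.
fetch_xmpp_cert() {    # $1 = host, $2 = XMPP domain, $3 = output PEM file
    openssl s_client -connect "$1:5222" -starttls xmpp -xmpphost "$2" </dev/null 2>/dev/null \
        | openssl x509 -out "$3"
}

# Fingerprint in the AA:BB:... form shown in the post. $1 = PEM file, $2 = digest
# (md5 as published above, sha1, or sha256, the one worth pinning today).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint "-$2" | sed 's/^.*=//'
}

# Compare against a pinned value. Colons, spaces and letter case are ignored so
# a value copied from a web page or a client's dialog compares cleanly; exit
# status 0 means match, 1 mismatch (so it can gate a script run with set -e).
fingerprint_matches() {    # $1 = PEM file, $2 = expected fingerprint, $3 = digest
    got=$(cert_fingerprint "$1" "$3" | tr -d ': ' | tr 'a-f' 'A-F')
    want=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Demo on a throwaway self-signed certificate (assumed names, offline).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CERT=$WORK/cert.pem
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/key.pem" -out "$CERT" \
    -subj /CN=jabber.alpha-labs.net -days 1 >/dev/null 2>&1

PINNED_MD5=$(cert_fingerprint "$CERT" md5)    # stands in for the value from the post
echo "MD5:    $PINNED_MD5"
echo "SHA256: $(cert_fingerprint "$CERT" sha256)"
if fingerprint_matches "$CERT" "$PINNED_MD5" md5; then
    echo "certificate matches the pinned fingerprint"
else
    echo "MISMATCH: do not enter your password" >&2
fi
```

For a live check replace the generated file with `fetch_xmpp_cert jabber.alpha-labs.net alpha-labs.net "$CERT"` and the stand-in with the fingerprint from the announcement.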

Jabber Migration

Hello folks,

I am currently migrating the Jabber server to a new environment, complete with a new IP address. The DNS changes are published, but it might take up to 12 hours until they are visible globally. During this time the Jabber server will be in a somewhat wobbly state: you might experience disconnections, be unable to connect at all, or see friends as offline who are actually online.

There is nothing we can do but wait – DNS is not the fastest-propagating information system out there.

UPDATE: Please be SURE you did not enter any server name or IP address. The server is now running on jabber.alpha-labs.net. If you just entered your Jabber ID, like chris@alpha-labs.net, DNS SRV records will automagically point you to jabber.alpha-labs.net. If, however, you entered alpha-labs.net as the server name, you will not be able to connect.
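How a client turns the JID into the server it connects to, as an added example that is not from the original post: RFC 6120 has the client look up the `_xmpp-client._tcp.<domain>` SRV record (RFC 2782) and connect to the target with the lowest priority, choosing among equal priorities at random in proportion to weight; if the lookup returns nothing it falls back to the domain itself on port 5222, and a target of "." means the domain deliberately offers no XMPP service. The SRV answers below are constructed in the format `dig +short` prints and are not real lookups of alpha-labs.net.

```shell
#!/bin/sh
# Added example (not from the original post): SRV target selection as an XMPP
# client performs it (RFC 6120 section 3.2, RFC 2782). Plain sh + awk, offline.
set -eu

# Constructed SRV answers in "priority weight port target" form, i.e. what
#   dig +short SRV _xmpp-client._tcp.alpha-labs.net
# prints. The first mirrors the setup described in the post.
SRV_SINGLE='0 5 5222 jabber.alpha-labs.net.'
SRV_FAILOVER='10 0 5222 backup.alpha-labs.net.
0 100 5222 jabber.alpha-labs.net.'
SRV_BALANCED='0 75 5222 jabber1.alpha-labs.net.
0 25 5222 jabber2.alpha-labs.net.'
SRV_NO_SERVICE='0 0 0 .'

# Pick one target from an SRV answer: lowest priority wins; among records with
# that priority choose randomly with probability proportional to weight (all
# weights zero: take the first). Prints "host port"; exits 1 if no records.
srv_select() {    # $1 = answer text, one record per line
    printf '%s\n' "$1" | awk '
        NF == 4 {
            n++; pr[n] = $1; w[n] = $2; port[n] = $3
            t = $4; if (length(t) > 1) sub(/\.$/, "", t); tgt[n] = t
            if (n == 1 || $1 < min) min = $1
        }
        END {
            if (n == 0) exit 1
            srand()
            sum = 0
            for (i = 1; i <= n; i++) if (pr[i] == min) sum += w[i]
            r = int(rand() * sum)          # 0 <= r < sum, or 0 when sum == 0
            acc = 0
            for (i = 1; i <= n; i++) {
                if (pr[i] != min) continue
                acc += w[i]
                if (sum == 0 || acc > r) { print tgt[i], port[i]; exit 0 }
            }
        }'
}

# Full client logic: SRV answer -> "host port", with the RFC 6120 fallback to
# the bare domain on 5222 when there is no SRV record, and failure when the
# record says the domain does not offer XMPP at all.
xmpp_endpoint() {    # $1 = XMPP domain (from the JID), $2 = SRV answer or ""
    if ! sel=$(srv_select "$2"); then
        echo "$1 5222"
        return 0
    fi
    case $sel in
        ". "*) return 1 ;;
    esac
    echo "$sel"
}

echo "chris@alpha-labs.net -> $(xmpp_endpoint alpha-labs.net "$SRV_SINGLE")"
echo "failover answer      -> $(xmpp_endpoint alpha-labs.net "$SRV_FAILOVER")"
echo "balanced answer      -> $(xmpp_endpoint alpha-labs.net "$SRV_BALANCED")"
echo "no SRV at all        -> $(xmpp_endpoint alpha-labs.net "")"
if ! xmpp_endpoint alpha-labs.net "$SRV_NO_SERVICE" >/dev/null; then
    echo "'.' target           -> domain explicitly offers no XMPP service"
fi
```

This is also why entering alpha-labs.net as the server name breaks: the client then skips the SRV lookup and connects to the domain's own address instead of the target the record points to.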