How to make my all chat communication encrypted

Hello,

I have an Openfire server configured recently. But while doing a Nessus scan against the server, it shows a medium vulnerability, “XMPP Cleartext authentication”. Can anyone please help with resolving this?

Is this related only to the Security Settings fields in the admin console?

Thanks,

San.

Try this

Openfire Admin Console > Server > Server Settings > Client Connections

Under Plain-text (with STARTTLS) connections click on

Advanced configuration

Check under StartTLS Policy :


Hello Josh,

Thanks for the information. But sorry to say that I couldn’t find the exact settings in my Openfire server, i.e. the Plain-text (with STARTTLS) connections section and the Advanced configuration tab.

But in Server > Server Settings > Security Settings

I can find some configurations for enabling encryption for both client-to-server and server-to-server connections. I have already configured this, and it didn’t resolve the particular vulnerability.

According to the testing, only changing the 6 settings below seems to have removed the vulnerability result. But I’m still wondering how it was resolved, as these are not really focused on the encryption part but on certificate authentication for clients.

xmpp.client.cert.policy “needed” or “wanted”

xmpp.client.certificate.accept-selfsigned true

xmpp.client.certificate.verify true

xmpp.client.certificate.verify.chain true

xmpp.client.certificate.verify.root true

sasl.mechs EXTERNAL

Welcome some thoughts on the above scenario.

Assuming that you want to prevent clients from using non-encrypted communication, @Josh C’s instructions are spot on. They do assume that you are running Openfire 4.0.0 or later. If you’re not, you should consider an upgrade, as many improvements were made to the security configuration that you appear to be interested in.

To require TLS (encryption) for all client connections, you can set the property xmpp.client.tls.policy to the value required.

Note that this has some caveats:

  • The above still allows for a non-secure protocol and/or cipher suite (that’s how you configure the encryption strength) to be used. You can configure those on the same admin console page.
  • All traffic will be encrypted while in transit to/from Openfire, but will be unencrypted within Openfire. If you want end-to-end encryption, you should encrypt the content of your messages. This is not something that Openfire can do - you need to configure that on the client side.
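One way to see for yourself what a server advertises before STARTTLS, as an added example that is not from this thread or from Openfire: classify_features() parses a pre-TLS <stream:features> fragment (the WEAK_FEATURES and STRICT_FEATURES samples are constructed, not captured), and fetch_cleartext_features() retrieves the real one from a server you administer over plain TCP on port 5222.

```python
import re
import socket
import xml.etree.ElementTree as ET

NS_STREAM = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"

WEAK_FEATURES = (  # constructed sample: STARTTLS optional, SASL offered in the clear
    '<stream:features><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>'
    '<mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>PLAIN'
    '</mechanism><mechanism>DIGEST-MD5</mechanism></mechanisms></stream:features>')
STRICT_FEATURES = (  # constructed sample: what a TLS policy of "required" should send
    '<stream:features><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls">'
    '<required/></starttls></stream:features>')


def classify_features(fragment):
    """Classify the <stream:features> a server sends on the cleartext stream.
    Hardened: <starttls> carries <required/> and no SASL mechanisms are listed."""
    # xmlns:stream is declared on <stream:stream>, not inside the fragment.
    root = ET.fromstring(f'<w xmlns:stream="{NS_STREAM}">{fragment}</w>')
    feats = root.find(f"{{{NS_STREAM}}}features")
    starttls = feats.find(f"{{{NS_TLS}}}starttls")
    return {
        "starttls_offered": starttls is not None,
        "starttls_required": starttls is not None
        and starttls.find(f"{{{NS_TLS}}}required") is not None,
        # Any mechanism listed here could carry credentials without TLS;
        # that is the condition behind a "cleartext authentication" finding.
        "cleartext_mechs": [(m.text or "").strip()
                            for m in feats.iter(f"{{{NS_SASL}}}mechanism")],
    }


def fetch_cleartext_features(host, port=5222, domain="", timeout=5.0):
    """Open a plain TCP stream to a server you administer and return the first
    <stream:features> it sends, i.e. what it offers before STARTTLS."""
    hdr = (f'<?xml version="1.0"?><stream:stream to="{domain or host}" '
           f'xmlns="jabber:client" xmlns:stream="{NS_STREAM}" version="1.0">')
    end = re.compile(rb"<stream:features>.*?</stream:features>|<stream:features/>", re.S)
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(hdr.encode())
        while not end.search(buf):
            chunk = s.recv(4096)  # raises socket.timeout if the server stalls
            if not chunk:
                break
            buf += chunk
        s.sendall(b"</stream:stream>")
    m = end.search(buf)
    return m.group(0).decode() if m else "<stream:features/>"
```

Call classify_features(fetch_cleartext_features("your.server")) after changing the policy: with xmpp.client.tls.policy set to required you want starttls_required True and an empty cleartext_mechs list.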

I am having the same challenge. This setting, xmpp.client.tls.policy, is set to required in my config. Under the client connections for port 5222,

  • “Connections cannot be established unless they are encrypted” is enabled, but I am still getting the vulnerability via Nessus scan:

The remote Extensible Messaging and Presence Protocol (XMPP) service supports one or more authentication mechanisms that allow credentials to be sent in the clear - Port 5222.

I also don’t see many of these settings Josh posted. I am on Openfire 4.0.1, so not sure if that matters.

xmpp.client.cert.policy “needed” or “wanted”

xmpp.client.certificate.accept-selfsigned true

xmpp.client.certificate.verify true

xmpp.client.certificate.verify.chain true

xmpp.client.certificate.verify.root true

sasl.mechs EXTERNAL

Please advise.

Actually Josh’s settings did fix the vulnerability scan. I didn’t realize I had to add them but that worked.

Hello,

I am running version 3.9.1, and both security settings under Server Settings have been enabled, and the Accept self-signed certificates box is checked as well. The suggested xmpp.client.tls.policy with the value required is also there. Still, it’s throwing the particular vulnerability while scanning.

@SC, what changes did you make to resolve the vulnerability, and where did you find the settings suggested by Josh?

Thanks,

You need to add all the settings from Josh’s post under server settings. I am also on 4.0.1, so you should consider upgrading.

The settings I am referring to are under 4.0.1.

You have two main ways to secure XMPP communications.

1- Install an SSL/TLS certificate from a CA, which should be installed on the Openfire server for C2S and S2S in your case. The load balancer is not implicated in that.

2- End-to-end encryption, in which case you should add an encryption algorithm to your XMPP client. This method is generally used for mobile secure chat apps.

For best security use both.

Thanks for the help.

Hello Ben, Thanks for the information.

We have a production version of Openfire 3.3.2 and it’s not possible to upgrade immediately. Hence I would be glad to know a possible solution for the ‘Plain text vulnerability’ fix which was reported by the Nessus scan.

I have the following properties currently:

sasl.mechs : CRAM-MD5,DIGEST-MD5,ANONYMOUS,JIVE-SHAREDSECRET,GSSAPI,EXTERNAL

xmpp.client.certificate.accept-selfsigned : true

xmpp.client.certificate.verify : true

xmpp.client.certificate.verify.chain : true

xmpp.client.certificate.verify.root : true

xmpp.client.tls.policy : required

Please note: in this 3.3.2 version’s Openfire administrator page there is no Client Settings page, I believe.

But while searching I managed to find this other screen (Server Settings --> Edit Properties) with the properties below:

Server Name: 'Server Name'
Server-to-Server Port: 5269
Component Port: 5275
Client Port: 5222

SSL Enabled: Enabled

Client SSL Port: 5223
Admin Console Port: 9090
Secure Admin Console Port: 9091

  1. Open the Openfire administration console
  2. Go to Server Settings under Server
  3. Then open Security Settings in the list to the left
  4. Check both radio buttons labeled Required
  5. Check the checkbox marked Accept self-signed certificates
  6. Done!

I have configured the Client Connections settings on my 4.0.3 server and am still getting the Nessus vulnerability. Do I need to add additional settings in the System Properties?

Does anyone know what this said? It seems to be cut off, and I am having the same problem now. If anyone knows, it would be greatly appreciated. Thanks