I have an Openfire server configured recently. But while doing one Nessus scan against the server, it is showing a medium vulnerability of “XMPP Cleartext authentication”. Can anyone please help with resolving this?
Is this related only to the Security Settings fields in the admin console?
Thanks for the information. But sorry to say that I couldn’t find the exact settings in my Openfire server, like the Plain-text (STARTTLS) connections and the advanced configuration tab.
But in Server > Server Settings > Security Settings I can find some configurations for enabling encryption in both client-to-server and server-to-server connections. This I have already configured, and it couldn’t resolve the particular vulnerability.
According to the testing, only changing the below 6 settings seems to have removed the vulnerability result. But I am still wondering how it was resolved, as this is not really focused on the encryption part but on certificate authentication for clients.
Assuming that you want to prevent clients from using non-encrypted communication, @Josh C’s instructions are spot on. They do assume that you are running Openfire 4.0.0 or later. If you’re not, you should consider an upgrade, as many improvements were made to the security configuration that you appear to be interested in.
To require TLS (encryption) for all client connections, you can set the property xmpp.client.tls.policy to the value required.
Note that this has some caveats:
The above still allows for a non-secure protocol and/or cipher suite (that’s how you configure the encryption strength) to be used. You can configure those on the same admin console page.
All traffic will be encrypted while in transit to/from Openfire, but will be unencrypted within Openfire. If you want end-to-end encryption, you should encrypt the content of your messages. This is not something that Openfire can do - you need to configure that on the client side.
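To make the scanner finding concrete, here is an added example (not from this thread and not Openfire’s own code) that inspects the <stream:features> stanza a server sends on the cleartext port before STARTTLS: the finding corresponds to a password-carrying SASL mechanism such as PLAIN being offered while STARTTLS is not advertised as required. The two stanzas and the function name are constructed for this example.

```python
import xml.etree.ElementTree as ET

NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"

# Constructed sample: pre-TLS features from a server where STARTTLS is optional
# and PLAIN is already offered on the unencrypted stream.
FEATURES_TLS_OPTIONAL = """<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
  <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
    <mechanism>PLAIN</mechanism>
    <mechanism>SCRAM-SHA-1</mechanism>
  </mechanisms>
</stream:features>"""

# Constructed sample: pre-TLS features from a server that marks STARTTLS as
# required and offers no SASL mechanisms until the stream is encrypted.
FEATURES_TLS_REQUIRED = """<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls>
</stream:features>"""


def assess_features(features_xml: str) -> dict:
    """Classify a <stream:features> stanza received before STARTTLS.

    Reports whether STARTTLS is advertised as required, which SASL mechanisms
    are offered on the cleartext stream, and whether a client could therefore
    authenticate with a mechanism that carries the password itself (PLAIN)
    without ever negotiating TLS.
    """
    root = ET.fromstring(features_xml)
    starttls = root.find(f"{{{NS_TLS}}}starttls")
    tls_required = (starttls is not None
                    and starttls.find(f"{{{NS_TLS}}}required") is not None)
    mechanisms = [m.text.strip() for m in root.iter(f"{{{NS_SASL}}}mechanism") if m.text]
    password_bearing = [m for m in mechanisms if m.upper() == "PLAIN"]
    return {
        "tls_required": tls_required,
        "mechanisms_before_tls": mechanisms,
        "cleartext_auth_possible": not tls_required and bool(password_bearing),
    }


if __name__ == "__main__":
    for label, stanza in (("optional", FEATURES_TLS_OPTIONAL), ("required", FEATURES_TLS_REQUIRED)):
        print(label, assess_features(stanza))
```

With xmpp.client.tls.policy set to required, the pre-TLS features on port 5222 are expected to look like the second stanza; if the scanner still reports the finding, capture the features stanza the server actually sends and run it through this check.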
I am having the same challenge. This setting, xmpp.client.tls.policy, is set to required in my config. Under the client connections for port 5222, “Connections cannot be established unless they are encrypted” is enabled, but I am still getting the vulnerability via the Nessus scan:
The remote Extensible Messaging and Presence Protocol (XMPP) service supports one or more authentication mechanisms that allow credentials to be sent in the clear - Port 5222.
I also don’t see many of these settings Josh posted. I am on Openfire 4.0.1, so I am not sure if that matters.
I am running version 3.9.1, and both the security settings under server settings have been enabled, and the “Accept self-signed certificates” box is also checked. The suggested xmpp.client.tls.policy set to the value required is also there. Still, it is throwing the particular vulnerability while scanning.
@SC, what changes did you make to resolve the vulnerability, and where did you find the settings suggested by Josh?
You have two main ways to secure XMPP communications.
1- Install an SSL/TLS certificate from a CA, which should be installed on the Openfire server for both C2S and S2S in your case. The load balancer is not implicated in that.
2- End-to-end encryption; in this case you should add an encryption algorithm to your XMPP client. This method is generally used for mobile secure chat apps.
We have a production version of Openfire 3.3.2 and it is not possible to upgrade immediately. Hence I would be glad to know a possible solution for the ‘Plain text vulnerability’ fix which was reported from the Nessus scan.
I have configured the Client Connections settings on my 4.0.3 server and am still getting the Nessus vulnerability. Do I need to add additional settings in the System Properties?