Is there anyway that you can turn off port 5222 and only have the SSL enabled port available? I want to force all the clients to use SSL or they cannot connect.
Hi Aaron,
do you mean old SSL port 5223? Port 5222 supports plain and TLS authentication. You can disable plain auth editing the security settings /ssl-settings.jsp to
Custom - Advanced configuration
Old SSL method: Not Available Available
TLS method: Not Available Optional Required
You must use a firewall to deny access to port 5222, imho it’'s currently not possible to bind it to localhost or shut it down.
LG
Ah, OK. So if I’'ve specified not to allow plain authentication on the server, then port 5222 is open for TLS and 5223 is open for SSL,correct? Both of which are secure?
Yes, while TLS should be prefered. I’‘d disable old SSL if your clients don’'t need it.
Yes, anyway we hope so.
I assume Spark is using TLS by default, do you know if GAIM uses TLS as well?
Yes, Gaim uses TLS. In fact, Gaim’'s support of the older SSL is terrible, and buggy. Dont even bother using it.
Hi LG:
I’'m trying to ensure that all traffic between clients and my jabber service is encrypted. When you say “Port 5222 supports plain and TLS authentication” do you really mean that port 5222 supports plain and TLS connections? Or, is authentication encrypted via TLS but message traffic may travel in plaintext?
TIA,
Mark
When using TLS, the whole session from the starttls command is encrypted. There are some initial packets and some xml that starts off unencrypted, but the starttls command is done before authentication. From that point to the end of the session everything is encrypted using the same encryption algorithms as SSL.
Here is sort of a top to bottom view of encryption in the xmpp protocol:
VPN is encryption that happens outside (encapsulates) the IP protocol
IPSec is encryption that happens in the IP protocol
SSL is encryption that happens above the xmpp protocol
TLS is encryption that happens in the xmpp protocol
CRAM-MD5 is (weak) encryption that happens only for the password in the xmpp protocol
To all the security experts out there, I know this is oversimplified. But it gets the point right.
Hi Jay:
Speaking as a non-xmpp-developer, I believe you are telling me that I need to ensure clients use TLS. After nosing around, in the Admin Console’‘s Server Settings / Security Settings page I selected a Custom setup for “Client Connection Security”. I made “Old SSL Method” unavailable and “TLS Method” required. I’'m feeling more secure already.
BTW, your top-to-bottom overview of xmpp encryption was very nice. The overview makes me suspect I went overboard in turning SSL off but the page described it as “old” so out it went!
cheers,
Mark
Its considered “old” because of the method, not the encryption. Early in Jabber’'s life, the only way to secure it (or any other generic TCP service) was to use SSL since it works independend of the protocol. Later, as the protocol matured, it was made aware of TLS. Using TLS simplifies networks, as a single protocol uses a single port, instead of multiples. There are still a handful of jabber clients that dont do TLS, though.