![]() In particular the following lines were added at the end of /etc/default/ejabberd: export LD_PRELOAD=/usr/local/lib/libtlsinterposer. Besides that SSL 3 was also still in use.Īfter integrating “TLS Interposer” according the guide it looks much better. I tried that with my XMPP server – ejabberd – which does not allow to customize the SSL/TLS configuration in the version I use.īefore using “TLS Interposer”, ejabberd did not support cipher suites for forward secrecy and also still used the insecure cipher suite DES-CBC3-SHA. On the website of the creator you find several examples for the practical use. Hi My postgresql client (ejabberd postgresql lib) does not seem to be capable. For the affected services you can also adjust the list of cipher suites used with the environment variable TLS_INTERPOSER_CIPHERS. ![]() a specific ejabberd implementation while still providing a secure 1145 Websocket connection. The installation is very easy using the sources in Github, for example in Ubuntu Linux (you may have to set up a Git client first with sudo apt-get install git): git clone Īfter this the library is available as /usr/local/lib/libtlsinterposer.so and can be integrated in particular servers using the environment Variable LD_PRELOAD if needed. 290 A list of OpenSSL ciphers to use for c2s connections. This is a library for Linux (the source is also available on Github) which replaces calls of the OpenSSL library by an aditional layer and therefore allows a secure configuration even if the service itself does not support that. Sometimes this is not possible in the used version but upgrading to a newer version is not possible for several reasons.Ī solution for such cases is “TLS Interposer”. Now I am looking to add secure certificate on IP. Not every service allows the customization of the SSL/TLS configuration. Hi, I am running ejabberd on Windows server 2008 on static/public IP. However, often there are additional services in use like a mail server (Dovecot, Postfix) or as in my case a XMPP/Jabber server based on ejabberd. Not every cipher suite allows forward secrecy (which means you can not decrypt recorded data later) and some of them are generally not secure any longer and should therefore not be used any more.įor the most web servers as for example Apache or Nginx it is quite easy to customize the configuration to achieve this. Also the choice of the cipher suites is important for security. ![]() “Poodle” has shown that SSL 3 can not be considered secure any longer and that you should use at least TLS 1.0 or better 1.1 oder 1.2. A secure encryption of services requires up-to-date SSL libraries (for example a current version of OpenSSL without the “Heartbleed” bug) as well as a secure configuration of the respective software (Apache, Dovecot, Postfix etc.). chosen for a specific ejabberd implementation while still providing a secure Websocket connection. At the latest since “Heartbleed” and “Poodle” it should be clear that using SSL/TLS does not automatically mean “secure”. A list of OpenSSL ciphers to use for c2s connections.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |