Secure Chat

A few days ago I wrote an article about ejabberd 16 installation and basic configuration on CentOS 6.7, and I missed one part where I should wrote the configuration of SSL certificates. You’ll need that to encrypt your chat sessions.

This article has three parts:

  • Part 1: Prepare SSL Certificate
  • Part 2: Adjust Configuration
  • Part 3: Reload Configuration

The goal is to get the installed ejabberd, preferably installed by following my ejabberd installation howto, to provide secure, encrypted, chat sessions.

Let’s just do it.

Part 1: Prepare SSL Certificate

In this article we will be using Self-Signed SSL Certificate.

First, you need to make sure that you have installed openssl:

openssl version

Next is to create a self-signed SSL certificate:

openssl req -new -x509 -newkey rsa:4096 -days 3650 -keyout privkey.pem -out server.pem

Please note that you need to answer the Common Name (CN) question with your configured domain on your ejabberd. One certificate for one domain only. Example, if your users XMPP/Jabber ID is username@textng.com then the Common Name should be textng.com

Continue making the certificate:

openssl rsa -in privkey.pem -out privkey.pem
cat privkey.pem >> server.pem
rm privkey.pem
mv server.pem domain.pem
ls -l domain.pem

Please note that at this point you’ll have a file called domain.pem. That is the self-signed SSL certificate you have just created.

Rename the domain.pem file to something more informational, for example if your domain is textng.com then rename it to textngcom.pem.

Copy the file to ejabberd configuration directory. If you’re following my ejabberd installation howto then it should be copied to /usr/local/etc/ejabberd, on the same location with ejabberd.yml.

Rename domain.pem and copy to /usr/local/etc/ejabberd:

mv domain.pem textngcom.pem
cp textngcom.pem /usr/local/etc/ejabberd
ls -l /usr/local/etc/ejabberd

The self-signed SSL certificate has been prepared. You may add more certificates should you require to do so, for example if you have multiple domains managed by your ejabberd.

Part 2: Adjust Configuration

Open ejabberd.yml and look for LISTENING PORTS section:

vi /usr/local/etc/ejabberd/ejabberd.yml

Adjust certfile, starttls, starttls_required and protocol_options, remove the comment marks to enable it.

Example if you use textngcom.pem as the certificate:

certfile: "/usr/local/etc/ejabberd/textngcom.pem"
starttls: true
starttls_required: true
protocol_options:
  - "no_sslv3"
  - "no_sslv2"
  - "no_tls1"

Please note that if you have multiple domains then just choose one certificate for now, preferably the certificate for your main domain. I explain how to override the certfile per domain bases below.

Still editing ejabberd.yml, now look for S2S GLOBAL OPTIONS section.

Adjust s2s_use_starttls, s2s_certfile and s2s_protocol_options, remove the comment marks to enable it.

Example:

s2s_use_starttls: required
s2s_certfile: "/usr/local/etc/ejabberd/textngcom.pem"
s2s_protocol_options:
  - "no_sslv3"
  - "no_sslv2"
  - "no_tls1"

Last configuration, if you have multiple domains and you have prepared certificates for them then you need to add host_config options.

Add host_config options at the end of ejabberd.yml.

Example of adding host_config for domain textng.com and ngoprek.org:

host_config:
  "textng.com":
    domain_certfile: "/usr/local/etc/ejabberd/textngcom.pem"
  "ngoprek.org":
    domain_certfile: "/usr/local/etc/ejabberd/ngoprekorg.pem"

Part 3: Reload Configuration

Make sure to reload your configuration:

ejabberdctl reload_config

Please note that you should not see anything when reloading the configuration using above command, if you do then there must be error somewhere on ejabberd.yml, you need to check the config again and try to reload_config too.

Test your configuration. Use a nice, good-looking, well-performed, Free and Open Source XMPP/Jabber client software which has everything from secure chat, off-the-record chat, group chat, file transfer, recording feature, like: ChatSecure.

That’s all.

Advertisements