TLS in poezio
=============

.. _security settings:

Security of the connection
~~~~~~~~~~~~~~~~~~~~~~~~~~

Enabling or disabling TLS
-------------------------

Starting from version 0.8, poezio is configured to reject unencrypted connections
by default, in accordance with the `TLS manifesto`_. Users can still allow
unencrypted connections by setting the :term:`force_encryption` option to false.

If you cannot connect to your server, it may be that the server does not allow
encrypted connections. In that case you should reconfigure it if it is yours, or
contact your admin to let him know he should try to protect your privacy and
credentials, at least a little.


.. _ciphers:

Ciphers
-------

Starting from version 0.8, poezio lets you define your own set of ciphers.

You can set this with the :term:`ciphers` option, the default for poezio being
``HIGH+kEDH:HIGH+kEECDH:HIGH:!PSK:!SRP:!3DES:!aNULL``.
You can check which cipher suites such a list enables by running
``openssl ciphers -v 'cipher list'``. The default list prioritizes `Forward Secrecy`_
and does not contain any cipher suite providing less than 128 bits of security.

You should change this if you either cannot connect to your server (but in this
case, you should notify the administrator that his XMPP server configuration
is probably not great), or if you want to be even more restrictive (only allowing
256 bits of security *and* forward secrecy, for example).

For example, gmail.com (and the XMPP services associated with it) only supports RC4-MD5 and RC4-SHA,
so you will want to set the option to ``RC4`` (or the default with ``:RC4`` appended,
just in case they upgrade their service, though that is very unlikely). Please consider
moving to a better XMPP service provider.
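The following script is an added example (it is not part of poezio or of this
page) that does from Python what the ``openssl ciphers -v`` check above does from
the shell: it asks OpenSSL which suites a cipher string enables, then audits them
against the two properties the default list is meant to guarantee (nothing below
128 bits, forward-secret key exchange preferred). It uses only the standard
``ssl`` module; ``POEZIO_DEFAULT_CIPHERS`` is copied from the page, everything
else is assumed for the example.

```python
import ssl

# The default value of poezio's ``ciphers`` option, as stated on this page.
POEZIO_DEFAULT_CIPHERS = "HIGH+kEDH:HIGH+kEECDH:HIGH:!PSK:!SRP:!3DES:!aNULL"


def enabled_ciphers(cipher_string):
    """Return the suites OpenSSL enables for ``cipher_string``, in negotiation
    order, as (name, protocol, strength_bits, key_exchange) tuples.

    Raises ssl.SSLError if the string selects nothing (for instance ``RC4`` on
    an OpenSSL build that no longer ships RC4).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    suites = []
    for cipher in ctx.get_ciphers():
        # ``description`` has the same layout as ``openssl ciphers -v`` output,
        # e.g. "ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD"
        fields = cipher["description"].split()
        kx = next((f.split("=", 1)[1] for f in fields if f.startswith("Kx=")), "?")
        suites.append((cipher["name"], cipher["protocol"], cipher["strength_bits"], kx))
    return suites


def audit(cipher_string, min_bits=128):
    """List the suites that violate the page's stated goals: anything under
    ``min_bits`` of security, or a suite built on an algorithm the default list
    deliberately excludes (RC4, 3DES, NULL, MD5). An empty list means clean."""
    problems = []
    for name, _proto, bits, _kx in enabled_ciphers(cipher_string):
        if bits < min_bits:
            problems.append(f"{name}: only {bits} bits of security")
        if any(bad in name for bad in ("RC4", "3DES", "DES-CBC3", "NULL", "MD5")):
            problems.append(f"{name}: weak or deprecated algorithm")
    return problems


def forward_secret_first(cipher_string):
    """True when the first TLS 1.2 suite in the list uses ephemeral (EC)DH key
    exchange, i.e. forward secrecy is what the client asks for first.
    TLS 1.3 suites are skipped: they are always forward-secret."""
    for _name, proto, _bits, kx in enabled_ciphers(cipher_string):
        if proto == "TLSv1.3":
            continue
        return kx in ("ECDH", "DH")
    return False


if __name__ == "__main__":
    for name, proto, bits, kx in enabled_ciphers(POEZIO_DEFAULT_CIPHERS):
        print(f"{name:40} {proto:8} {bits:4} bits  Kx={kx}")
    print("problems:", audit(POEZIO_DEFAULT_CIPHERS) or "none")
    print("forward secrecy preferred:", forward_secret_first(POEZIO_DEFAULT_CIPHERS))
```

Running ``audit`` on a stricter string of your own (for example one restricted to
256-bit AEAD suites with ``kEECDH``) is a quick way to confirm it still enables
something before putting it in the configuration file; a string that selects no
suite at all makes ``set_ciphers`` raise instead of silently connecting with
whatever OpenSSL's defaults happen to be.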

Certificate validation
~~~~~~~~~~~~~~~~~~~~~~

Starting from version 0.7.5, poezio offers several options to check the validity
of an X.509 certificate.

TOFU
----

The default handling method is the `TOFU/TUFU`_ method. On your first
connection, poezio saves the hash of the certificate it received, and on every
subsequent connection it compares the certificate received with that first one.


If you are paranoid (or run poezio for the first time in an unsafe
environment), you can set the ``certificate`` value of your config file yourself
(the hash, not colon-separated).


If the certificate is not the same, poezio will show an error message and wait
for confirmation:

.. figure:: ../images/ssl_warning.png
    :alt: Warning message

If you press y, the change is validated and poezio will compare subsequent
certificates against the newly accepted one.

If you press n, you will get the confirmation that the change has been
refused, and you will be disconnected.

CA-Based
--------

If you are connecting to a large server that has several front-facing
endpoints, you might be bothered by having to validate the change each time,
and you may want to check only that the same authority issued the
certificate.

You can then set the :term:`ca_cert_path` option to the path of a file
containing the validation chain in `PEM format`_; those certificates are
usually in /usr/share/ca-certificates/ but the location may vary depending on
your distribution.

If the authority does not match when connecting, you should be disconnected.

None
----

If you do not want to bother with certificate validation at all (which can be
the case when you run poezio on the same computer as your jabber server), you
can set the :term:`ignore_certificate` value to true, and leave the
:term:`ca_cert_path` option empty (or even remove it).

.. warning:: Only do this if you know what you are doing, or you will be open
            to man-in-the-middle attacks!
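The three modes described above (TOFU, CA-based, none) differ in who does the
checking: OpenSSL, the application, or nobody. The script below is an added
example, not poezio's code, that implements the TOFU comparison from the "TOFU"
section and maps each configuration to a client ``ssl.SSLContext``. It assumes
SHA-256 as the fingerprint hash (the page does not say which hash poezio stores
in ``certificate``), uses a plain dict in place of the config file, and stands in
constructed byte strings for the DER certificates a real connection would hand
back from ``getpeercert(binary_form=True)``.

```python
import hashlib
import ssl

# Constructed placeholder bytes standing in for DER-encoded X.509 certificates.
# In a real client they come from sock.getpeercert(binary_form=True) after the
# TLS handshake; the pinning logic below only needs the raw bytes.
FIRST_CERT_DER = b"constructed-der-bytes-for-server-certificate-A"
OTHER_CERT_DER = b"constructed-der-bytes-for-server-certificate-B"


def cert_fingerprint(der: bytes) -> str:
    """Hex digest of the DER certificate, without colons, as the page says the
    ``certificate`` option is stored. SHA-256 is an assumption of this example."""
    return hashlib.sha256(der).hexdigest()


class CertificateChanged(Exception):
    """Raised when the presented certificate differs from the pinned one, so the
    UI can show the warning and ask for y/n."""

    def __init__(self, pinned: str, presented: str) -> None:
        super().__init__(f"pinned {pinned[:16]}..., server presented {presented[:16]}...")
        self.pinned = pinned
        self.presented = presented


def tofu_check(config: dict, der: bytes) -> str:
    """Trust On First Use: pin the fingerprint the first time, afterwards require
    the same one. Returns the fingerprint that is currently trusted."""
    presented = cert_fingerprint(der)
    pinned = config.get("certificate", "")
    if not pinned:
        config["certificate"] = presented  # first connection: remember and trust
        return presented
    if pinned != presented:
        raise CertificateChanged(pinned, presented)
    return presented


def accept_change(config: dict, err: CertificateChanged, answer: str) -> bool:
    """Apply the user's answer to the prompt: 'y' re-pins to the new certificate
    and returns True; anything else keeps the old pin and returns False, after
    which the caller disconnects (as the page describes for 'n')."""
    if answer.strip().lower() == "y":
        config["certificate"] = err.presented
        return True
    return False


def verification_mode(config: dict) -> str:
    """Name the validation mode a configuration selects, mirroring the sections
    above. A set ca_cert_path wins over ignore_certificate (an assumption)."""
    if config.get("ca_cert_path"):
        return "ca"
    if config.get("ignore_certificate"):
        return "none"
    return "tofu"


def make_context(config: dict) -> ssl.SSLContext:
    """Build the client SSLContext for the selected mode.

    ca:   OpenSSL validates the chain against the PEM bundle and the hostname.
    none: no validation at all (the man-in-the-middle warning applies).
    tofu: OpenSSL does not validate either; the application MUST then call
          tofu_check() on the peer certificate right after the handshake.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if verification_mode(config) == "ca":
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.load_verify_locations(cafile=config["ca_cert_path"])
    else:
        # check_hostname must be cleared before verify_mode can be CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    cfg = {}
    print("first connection pins:", tofu_check(cfg, FIRST_CERT_DER)[:16], "...")
    print("second connection ok: ", tofu_check(cfg, FIRST_CERT_DER)[:16], "...")
    try:
        tofu_check(cfg, OTHER_CERT_DER)
    except CertificateChanged as err:
        print("warning:", err)
        print("user answered n, accepted:", accept_change(cfg, err, "n"))
    print("mode with empty config:", verification_mode(cfg),
          "->", make_context(cfg).verify_mode.name)
```

The point to notice is that in TOFU mode the TLS library itself accepts any
certificate; the protection comes entirely from the application comparing the
fingerprint afterwards and refusing to proceed on a mismatch, which is why the
"none" mode differs from TOFU only by skipping that comparison.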

.. _Forward Secrecy: https://en.wikipedia.org/wiki/Forward_secrecy
.. _TOFU/TUFU: https://en.wikipedia.org/wiki/User:Dotdotike/Trust_Upon_First_Use
.. _PEM format: https://tools.ietf.org/html/rfc1422.html
.. _TLS manifesto: https://github.com/stpeter/manifesto/blob/master/manifesto.txt