2014-01-15 17:28:23 +00:00
|
|
|
TLS Management
|
2013-04-09 23:37:23 +00:00
|
|
|
==============
|
|
|
|
|
|
2014-01-15 17:28:23 +00:00
|
|
|
Security of the connection
|
|
|
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
|
|
|
|
|
|
.. _ciphers:
|
|
|
|
|
|
|
|
|
|
Ciphers
|
|
|
|
|
-------
|
|
|
|
|
|
|
|
|
|
From the version 0.8, poezio offers the possibility to define your own set of
|
|
|
|
|
ciphers.
|
|
|
|
|
|
|
|
|
|
You can set this with the :term:`ciphers` option, the default for poezio being
|
|
|
|
|
``HIGH+kEDH:HIGH+kEECDH:HIGH:!PSK:!SRP:!3DES:!aNULL``.
|
|
|
|
|
You can check what ciphers are enabled by that list by running the command
|
|
|
|
|
``openssl ciphers -v 'cipher list'``. The default list prioritizes `Forward Secrecy`_
|
|
|
|
|
and does not have any cipher suite providing less than 128 bits of security.
|
|
|
|
|
|
|
|
|
|
You should change this if you either cannot connect to your server (but in this
|
|
|
|
|
case, you should notify the administrator that his XMPP server configuration
|
|
|
|
|
is probably not great), or if you want to be even more restrictive (only allowing
|
|
|
|
|
256 bits of security *and* forward secrecy, for example).
|
|
|
|
|
|
|
|
|
|
Cert valididty
|
|
|
|
|
~~~~~~~~~~~~~~
|
|
|
|
|
|
2013-04-09 23:37:23 +00:00
|
|
|
Starting from version 0.7.5, poezio offers some options to check the validity
|
|
|
|
|
of a X.509 certificate.
|
|
|
|
|
|
|
|
|
|
TOFU
|
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
The default handling method is the `TOFU/TUFU`_
|
|
|
|
|
method. At your first connection, poezio will save the hash of the certificate
|
|
|
|
|
received, and will compare the received one and the first one for the next
|
|
|
|
|
connections.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
If you are paranoid (or run poezio for the first time in an unsafe
|
|
|
|
|
environment), you can set the _certificate_ value of your config file yourself
|
|
|
|
|
(the hash, not colon-separated).
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
If the certificate is not the same, poezio will show an error message and wait
|
|
|
|
|
for confirmation:
|
|
|
|
|
|
|
|
|
|
.. figure:: ../images/ssl_warning.png
|
|
|
|
|
:alt: Warning message
|
|
|
|
|
|
|
|
|
|
If you press y, the change is validated an poezio will match the next certs
|
|
|
|
|
with the accepted one.
|
|
|
|
|
|
|
|
|
|
If you press n, you will get the confirmation that the change has been
|
|
|
|
|
refused, and you will be disconnected.
|
|
|
|
|
|
|
|
|
|
CA-Based
|
|
|
|
|
--------
|
|
|
|
|
|
|
|
|
|
If you are connecting to a large server that has several front-facing
|
|
|
|
|
endpoints, you might be bothered by having to validate the change each time,
|
|
|
|
|
and you may want to check only if it the same authority delivered the
|
|
|
|
|
certificate.
|
|
|
|
|
|
2014-01-15 17:28:23 +00:00
|
|
|
You can then set the :term:`ca_cert_path` option to the path of a file
|
|
|
|
|
containing the validation chain in `PEM format`_ ; those certificates are
|
|
|
|
|
usually in /usr/share/ca-certificates/ but it may vary depending of your
|
|
|
|
|
distribution.
|
2013-04-09 23:37:23 +00:00
|
|
|
|
|
|
|
|
If the authority does not match when connecting, you should be disconnected.
|
|
|
|
|
|
|
|
|
|
None
|
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
If you do not want to bother with certificate validation at all (which can be
|
|
|
|
|
the case when you run poezio on the same computer as your jabber server), you
|
2014-01-15 17:28:23 +00:00
|
|
|
can set the :term:`ignore_certificate` value to true, and let the
|
|
|
|
|
:term:`ca_cert_path` option empty (or even remove it).
|
2013-04-09 23:37:23 +00:00
|
|
|
|
|
|
|
|
.. warning:: Only do this if you know what you are doing, or you will be open
|
|
|
|
|
to Man in The Middle attacks!
|
|
|
|
|
|
2014-01-15 17:28:23 +00:00
|
|
|
.. _Forward Secrecy: https://en.wikipedia.org/wiki/Forward_secrecy
|
2013-04-09 23:37:23 +00:00
|
|
|
.. _TOFU/TUFU: https://en.wikipedia.org/wiki/User:Dotdotike/Trust_Upon_First_Use
|
|
|
|
|
.. _PEM format: https://tools.ietf.org/html/rfc1422.html
|
