Search Mailing List Archives

Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] New secure XMPP server

Mikael Nordfeldth mmn at
Mon Dec 30 01:39:26 PST 2013

2013-12-29 22:04 skrev Anthony Papillion:
> I'm definitely open to supporting XEP-0198. I'm not sure there's a
> plugin for the server I'm using (OpenFire) that supports it though. 
> I'll
> look around.

I thought OpenFire had problems with chained certificates[1], such as 
the ones I'm using with intermediate CAcert class3 cert.

This causes my server's TLS connections to an OpenFire server to be 
regarded as insecure and (since there's no bidirectional server link 
support in OpenFire) the replying server connection is made in 

My XMPP server's using Prosody[2]. That's so far the best XMPP server 
software I've found, especially if the goal - as with your setup - is to 
be secure. (best feature imho is server-specific 
verify-by-certificate-hash support the in latest versions, for servers 
with trusted admins but untrusted CAs or self-signed certs)

Prosody also defaults to sane, recommended encryption settings, have 
insecure SSL versions, prefer TLSv1.2 etc. (except that there are 
problems with GNU/Linux distributions like Ubuntu where Canonical etc. 
disable TLSv1.2 in their system libs).

As long as the chained certificates bug is still present, I would 
recommend scouting around for other serverside solutions than OpenFire. 
And it's dead-simple to configure Prosody, you essentially just need 
your certificates, vhost name and possible conference server setup. Not 
sure about any migration solutions with OpenFire->foo, though, but 
there's migration script for ejabberd->Prosody at least. So look around 


Mikael Nordfeldth
XMPP/mail: mmn at

More information about the liberationtech mailing list