TLS certificate installation in ejabberd for STARTTLS negotiation

I read that ejabberd recommends using STARTTLS negotiation for a secure connection between communicating entities. When I install ejabberd, by default it comes with a TLS certificate.

Then, why do I need to buy a certificate to install? What is the purpose of buying a new certificate from a Certificate Authority since we have a default certificate?

When I deploy ejabberd on the machine, how will the default certificate be used for my domain? How will the default certificate be verified by the client?

Kamesh asked Oct 20 '22 06:10



1 Answer

You can use ejabberd with SSL / STARTTLS with the provided TLS certificate. However, that certificate is only a self-signed certificate. It means that:

  1. You will still be able to encrypt the traffic between the client and the server.
  2. Your client will not be able to check that the server is the domain it claims to be. To know that the certificate can be trusted, the client needs to refer to a trust authority in some way.

In the second case, it means that if an intermediate network device (e.g. a Wi-Fi access point) tries to impersonate your server, it can present any self-signed certificate to the user, pretending to be your domain.

So, you can definitely use a self-signed certificate to encrypt traffic, but to protect your users against man-in-the-middle type attacks, you need to find a way to let the client know it can trust the certificate.

This can be done either by buying a certificate from a trusted authority (that will certify your certificate's domain) or by making the client support a list of well-defined certificates. This is called certificate pinning; however, it requires building the list of acceptable certificates into your client, which may not be possible.

It may be fine in your case, so buying a certificate is not mandatory. However, do not use the default ejabberd self-signed certificate, even if you plan on using a self-signed certificate. The certificate provided with ejabberd will not match your own domain. You should at least generate your own self-signed certificate that matches your actual XMPP domain: How to create a self-signed certificate with openssl?

Mickaël Rémond answered Nov 15 '22 07:11
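The two points in the answer, encryption works with any self-signed certificate but identity does not, and a self-signed certificate must at least carry your own XMPP domain, can be seen with the openssl CLI alone. The script below is an added example, not code from the answer or from the ejabberd project. It assumes the openssl CLI (1.1.1 or newer, for -addext) is on PATH, and it uses a constructed placeholder domain, xmpp.example.test. It generates a self-signed certificate for that domain and then runs the checks a client performs: verification against the system trust store (fails, because nothing vouches for the certificate), verification once the client is told to trust exactly that certificate (succeeds, which is the pinning case), a hostname mismatch (fails, which is why the stock ejabberd certificate is useless for your domain), and a second self-signed certificate issued for the same domain name (fails both the trust check and the pin check, which is the impersonation case the answer describes).

```shell
#!/bin/sh
# Added example (not from the original answer). Assumes the openssl CLI
# (1.1.1 or newer, for -addext) is on PATH. The domain is a constructed
# placeholder; set XMPP_DOMAIN to the real XMPP domain.
XMPP_DOMAIN="${XMPP_DOMAIN:-xmpp.example.test}"
WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

# Generate a private key and a self-signed certificate whose CN and
# subjectAltName both carry the given domain; the SAN is what a client
# compares against the XMPP domain it connected to.
gen_self_signed() {
    domain="$1"; out="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$out.key" -out "$out.pem" \
        -subj "/CN=$domain" -addext "subjectAltName=DNS:$domain" \
        >/dev/null 2>&1
}

# Client-side check: does the certificate chain to a trust anchor AND
# match the expected hostname? With an empty trust file the system
# store is used, which is what a stock XMPP client does.
verify_for_host() {
    cert="$1"; host="$2"; trust="$3"
    if [ -n "$trust" ]; then set -- -CAfile "$trust"; else set --; fi
    openssl verify "$@" -verify_hostname "$host" "$cert" >/dev/null 2>&1
}

# SHA-256 fingerprint of a certificate: the value a pinning client ships.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# Pinning check: accept only if the presented certificate's fingerprint
# equals the pinned one, regardless of any CA.
pin_matches() {
    [ "$(fingerprint "$1")" = "$2" ]
}

# Demo: the server's own certificate, plus a second self-signed
# certificate for the same domain, standing in for what an on-path
# device could present to a client that trusts anything.
gen_self_signed "$XMPP_DOMAIN" "$WORKDIR/server"
gen_self_signed "$XMPP_DOMAIN" "$WORKDIR/other"
PIN="$(fingerprint "$WORKDIR/server.pem")"

show() { if "$@"; then echo "accepted"; else echo "rejected"; fi; }
echo "pinned fingerprint: $PIN"
printf 'genuine cert, system trust store:      '; show verify_for_host "$WORKDIR/server.pem" "$XMPP_DOMAIN" ""
printf 'genuine cert, explicitly trusted:      '; show verify_for_host "$WORKDIR/server.pem" "$XMPP_DOMAIN" "$WORKDIR/server.pem"
printf 'genuine cert, wrong hostname:          '; show verify_for_host "$WORKDIR/server.pem" "other.example.test" "$WORKDIR/server.pem"
printf 'other self-signed cert, same domain:   '; show verify_for_host "$WORKDIR/other.pem" "$XMPP_DOMAIN" "$WORKDIR/server.pem"
printf 'other self-signed cert, pin check:     '; show pin_matches "$WORKDIR/other.pem" "$PIN"
```

The first line of output is the only one that changes when you move from a self-signed certificate to one bought from a CA: the system trust store then accepts it without any client-side configuration. Everything else (hostname matching, rejecting a look-alike certificate) already holds for a self-signed certificate, but only if the client has been given a way to trust that specific certificate, which is the pinning trade-off the answer points out.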