XMPP security improvements

Profile picture for Rob N ★

Alum

We’ve just rolled out an update to our XMPP service to give it the same level of TLS encryption support that you’ll find in our IMAP, POP3 and SMTP services. It now supports TLS 1.2 with modern ciphers. The changes mean we now get an A rating on the XMPP security test.

If you didn’t know we had an XMPP service, or if you don’t know what any of this means, then you can ignore it. Everything should just continue to work!

Our XMPP service has lagged behind our other services for a while because our XMPP server, djabberd, has problems with TLS versions above 1.0 due to deficiencies in Perl’s TLS libraries, and it has resisted our best efforts to fix it. We’re hoping to replace it with another server in the next year or two, so to avoid doing a bunch of work that we’d eventually throw out, we decided to follow the same model that we use for IMAP, POP3 and SMTP: we added XMPP support to nginx’s mail proxy and let it handle authentication and encryption (TLS) termination, both tasks at which it excels.

Most importantly, nginx is well known as a highly stable and secure TLS server and receives a constant stream of updates. Any improvements we roll out in the future will automatically be applied to the XMPP service as well.

More information about the actual implementation in nginx is at http://robn.io/nginx-xmpp/.

We’re quietly working on modernising our XMPP service. If that’s something you’re interested in then keep an eye on this blog over the next few months.
