tuxad blog

jabberd Forward Secrecy patch

jabberd2 is a widely used XMPP server written in C. Release 2.2.17 is also the base for Apple's ChatServer. This release has support for a custom TLS cipher list but it is hardcoded in source. It does not support DHE ciphers due to missing usage of DH params. The latest release (2.3.2) still lacks this support for Forward Secrecy. There's a commit of 2014-03-17 in its git repository at github. But this commit only uses a fixed / pre-computed set of DH params and does not offer configurable DH param support i.e. by files (maybe cron generated).

This patch makes the cipher list configurable by reading in

/etc/jabberd/SSLCipherSuite

at start time.

DH params for the fixed lengths 512, 1024 and 2048 bits are read from

/etc/jabberd/dh512.pem
/etc/jabberd/dh1024.pem
/etc/jabberd/dh2048.pem

If these files does not exist then internal defaults will be used. The files may be updated at running time. If a new TLS connections requires reading of the DH parms then the mod time will be checked. If it has changed then the new file(s) will be read and used. To get "real" forward secrecy you should regularly update the DH params with something like

openssl dhparam -out tmp 1024 && mv tmp dh1024.pem

Beside the patch there's also a binary RPM package for RHEL 5 and a Source RPM package available.

(An update of the patch is available.)

Update 2015-08-09: The package is included in the tuxad repo.