Browse Source

XMPP cert handling improvements, ufw rules, and tests

Luke Cyca 11 years ago
parent
commit
76d52b63f3

+ 1
- 1
roles/common/tasks/ssl.yml View File

@@ -1,5 +1,5 @@
1 1
 - name: Copy SSL private key into place
2
-  copy: src=wildcard_private.key dest=/etc/ssl/private/wildcard_private.key group=root owner=root
2
+  copy: src=wildcard_private.key dest=/etc/ssl/private/wildcard_private.key group=ssl-cert owner=root mode=640
3 3
 
4 4
 - name: Copy SSL public certificate into place
5 5
   copy: src=wildcard_public_cert.crt dest=/etc/ssl/certs/wildcard_public_cert.crt group=root owner=root

+ 2
- 0
roles/common/tasks/ufw.yml View File

@@ -17,6 +17,8 @@
17 17
     - ssh/tcp
18 18
     - ssmtp/tcp
19 19
     - imaps/tcp
20
+    - 5222/tcp  # xmpp c2s
21
+    - 5269/tcp  # xmpp s2s
20 22
     - 6697/tcp  # znc
21 23
     - openvpn/udp
22 24
     - 60000:61000/udp  # mosh udp packets

+ 3
- 12
roles/xmpp/tasks/prosody.yml View File

@@ -7,21 +7,12 @@
7 7
 - name: Install Prosody from official repository
8 8
   apt: pkg=prosody update_cache=yes
9 9
 
10
+- name: Add prosody user to ssl-cert group
11
+  user: name=prosody groups=ssl-cert append=yes
12
+
10 13
 - name: Create Prosody data directory
11 14
   file: state=directory path=/decrypted/prosody owner=prosody group=prosody
12 15
 
13
-- name: Copy SSL private key into place for Prosody
14
-  shell: cp /etc/ssl/private/wildcard_private.key /etc/ssl/private/wildcard_private_prosody.key
15
-
16
-- name: Ensure prosody user and group can read private key
17
-  file: path=/etc/ssl/private/wildcard_private_prosody.key group=prosody owner=prosody
18
-
19
-- name: Copy SSL public certificate into place for Prosody
20
-  shell: cp /etc/ssl/certs/wildcard_public_cert.crt /etc/ssl/certs/wildcard_public_cert_prosody.crt
21
-
22
-- name: Ensure prosody user and group can read cert
23
-  file: path=/etc/ssl/certs/wildcard_public_cert_prosody.crt group=prosody owner=prosody
24
-
25 16
 - name: Configure Prosody
26 17
   template: src=prosody.cfg.lua.j2 dest=/etc/prosody/prosody.cfg.lua group=root owner=root
27 18
   notify: restart prosody

+ 2
- 2
roles/xmpp/templates/prosody.cfg.lua.j2 View File

@@ -86,8 +86,8 @@ allow_registration = false;
86 86
 -- These are the SSL/TLS-related settings. If you don't want
87 87
 -- to use SSL/TLS, you may comment or remove this
88 88
 ssl = {
89
-	key = "/etc/ssl/private/wildcard_private_prosody.key";
90
-	certificate = "/etc/ssl/certs/wildcard_public_cert_prosody.crt";
89
+	key = "/etc/ssl/private/wildcard_private.key";
90
+	certificate = "/etc/ssl/certs/wildcard_public_cert.crt";
91 91
 }
92 92
 
93 93
 -- Force clients to use encrypted connections? This option will

+ 0
- 2
roles/xmpp/vars/main.yml View File

@@ -1,2 +0,0 @@
1
-prosody_admin: al3x@al3x.net
2
-prosody_virtual_domain: al3x.net

+ 38
- 0
tests.py View File

@@ -258,3 +258,41 @@ class MailTests(unittest.TestCase):
258 258
         m.expunge()
259 259
         m.close()
260 260
         m.logout()
261
+
262
+
263
+class XMPPTests(unittest.TestCase):
264
+    def test_xmpp_c2s(self):
265
+        """Prosody is listening on 5222 for clients and requiring TLS"""
266
+
267
+        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
268
+        s.connect((TEST_SERVER, 5222))
269
+
270
+        # Based off http://wiki.xmpp.org/web/Programming_Jabber_Clients
271
+        s.send("<stream:stream xmlns:stream='http://etherx.jabber.org/streams' "
272
+               "xmlns='jabber:client' to='sovereign.local' version='1.0'>")
273
+
274
+        data = s.recv(1024)
275
+        s.close()
276
+
277
+        self.assertRegexpMatches(
278
+            data,
279
+            "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls>"
280
+        )
281
+
282
+    def test_xmpp_s2s(self):
283
+        """Prosody is listening on 5269 for servers"""
284
+
285
+        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
286
+        s.connect((TEST_SERVER, 5269))
287
+
288
+        # Base off http://xmpp.org/extensions/xep-0114.html
289
+        s.send("<stream:stream xmlns:stream='http://etherx.jabber.org/streams' "
290
+               "xmlns='jabber:component:accept' to='sovereign.local'>")
291
+
292
+        data = s.recv(1024)
293
+        s.close()
294
+
295
+        self.assertRegexpMatches(
296
+            data,
297
+            "from='sovereign.local'"
298
+        )

Loading…
Cancel
Save