Settings

Environment variables

If the ENV variable in otrbot.settings.env is set to “production”, the otrbot.settings.production will be used. This is the default. You should change this to “development” if you want to work on this project, to prevent your credentials from begin pushed back to Github.

ENV = "production"

The SSL/TLS configuration options

  • TLS is enabled by default but can be switched off for testing, or in case you run your Jabber server on the same physical server.
  • SleekXMPP can fall back to SSLv2/v3 if the server doesn’t support TLS but don’t do this, SSLv3 is already deemed very unsafe.
  • You can choose which TLS version the client should use at a minimum.
  • You can define ciphers that are allowed, a reasonable list of ciphers that are considered safe at the time of writing (Apr-‘16) is preconfigured, which should be fine for most modern servers.
otrbot.settings.sample.ENABLE_TLS = True

Enable or disable TLS (default: TrueDo not disable!)

otrbot.settings.sample.ALLOW_SSL_FALLBACK = False

Enable or disable SSL (default: FalseDo not enable!)

otrbot.settings.sample.TLS_VERSION = 'TLSv1.2'

TLS version to use (default: TLSv1) This can be increased to TLSv1.1 or TLSv1.2 but it requires Python 2.7.9+.

otrbot.settings.sample.CIPHER_LIST = ['ECDHE-RSA-AES256-GCM-SHA384', 'ECDHE-RSA-AES128-GCM-SHA256', 'ECDHE-RSA-AES256-SHA256', 'ECDHE-RSA-AES128-SHA256', 'ECDHE-RSA-AES256-SHA', 'ECDHE-RSA-AES128-SHA', 'ECDHE-ECDSA-AES256-GCM-SHA384', 'ECDHE-ECDSA-AES128-GCM-SHA256', 'ECDHE-ECDSA-AES256-SHA384', 'ECDHE-ECDSA-AES128-SHA256', 'ECDHE-ECDSA-AES256-SHA', 'ECDHE-ECDSA-AES128-SHA', 'DHE-RSA-AES256-GCM-SHA384', 'DHE-RSA-AES128-GCM-SHA256', 'DHE-RSA-AES256-SHA256', 'DHE-RSA-AES128-SHA256', 'DHE-RSA-AES256-SHA', 'DHE-RSA-AES128-SHA']

The list of accepted ciphers, this list should be supported by most servers and be reasonably safe at the time of writing (Apr-‘16).

ECDHE-RSA-AESXXX-[XXX-]SHA[XXX]:
 
  • Elliptic Curve Ephemeral Diffie Hellman key agreement
  • Perfect Forward Secret (PFS, because of Ephemeral keys)
  • RSA authentication
  • AES in CBC or GCM mode for encryption
  • SHA1, SHA256 or SHA384 digests

These are safe, and provide excellent performance (GCM is fastest). AES in CBC and GCM mode can be hardware accelerated on most servers. CBC is a block mode cipher, while GCM is a stream cipher, the latter provides better performance for network connections.

ECDHE-ECDSA-AESXXX-[XXX-]SHA[XXX]:
 
  • Elliptic Curve Ephemeral Diffie Hellman key agreement
  • Perfect Forward Secret (PFS, because of Ephemeral keys)
  • ECDSA authentication
  • AES in CBC or GCM mode for encryption
  • SHA1, SHA256 or SHA384 digests

These are safe, and provide the best performance available, ECDSA requires ECDSA server certificates which are rare at this point in time.

DHE-RSA-AESXXX-[XXX-]SHA[XXX]:
 
  • Ephemeral Diffie Hellman key agreement
  • Perfect Forward Secret (PFS, because of Ephemeral keys)
  • RSA authentication
  • AES in CBC or GCM mode for encryption
  • SHA1, SHA256 or SHA384 digests

These are safe, but perform significantly worse than ECDHE ciphers.

TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:
 
  • Elliptic Curve Ephemeral Diffie Hellman key agreement
  • Perfect Forward Secret (PFS, because of Ephemeral keys)
  • RSA authentication
  • ChaCha20 stream cipher, provides 256 bits of security
  • Poly1305 authenticator to detect forged data.

Safe and lightweight, and provide excellent performance, most notably for mobile devices. AES can be hardware accelerated on most servers, which means it may still outperform ChaCha20-Poly1305. Currently not supported by the most common OpenSSL versions in use.

TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256:
 
  • Elliptic Curve Ephemeral Diffie Hellman key agreement
  • Perfect Forward Secret (PFS, because of Ephemeral keys)
  • ECDSA authentication
  • ChaCha20 stream cipher, provides 256 bits of security
  • Poly1305 authenticator to detect forged data.

Safe and lightweight, and provide excellent performance, most notably for mobile devices. AES can be hardware accelerated on most servers, which means it may still outperform ChaCha20-Poly1305. ECDSA requires ECDSA server certificates which are rare at this point in time. Currently not supported by the most common OpenSSL versions in use.

TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256:
 
  • Ephemeral Diffie Hellman key agreement
  • Perfect Forward Secret (PFS, because of Ephemeral keys)
  • RSA authentication
  • ChaCha20 stream cipher, provides 256 bits of security
  • Poly1305 authenticator to detect forged data.

Safe and lightweight, and provide excellent performance, most notably for mobile devices. AES can be hardware accelerated on most servers, which means it may still outperform ChaCha20-Poly1305. Currently not supported by the most common OpenSSL versions in use.

AESXXX-[XXX-]SHA[XXX]:
 
  • RSA authentication
  • AES in CBC or GCM mode for encryption
  • SHA1, SHA256 or SHA384 digests

These good ciphers but they lack Perfect Forward Secrecy, which means if the private keys of the server ever get stolen, all historic data can be trivially decrypted. Performance is very good but at great cost to security. Therefore these are disabled by default. If you experience compatibility issues, enable one by one, top to bottom, until you get a connection. However you should really consider upgrading the server software!

Note

It is still considered too hard to forge a certificate with a SHA1 digest outright but SHA1 is considered deprecated. The ciphers ending in _SHA should be disabled for better security. Since some servers do not support SHA256 or higher yet, it is still included for compatibility.

otrbot.settings.sample.CA_CERTS = '/etc/ssl/certs/ca-certificates.crt'

Location of a PEM file containing all Certificate Authority certificates. This is used for checking the server certificate. To not check the server certificate, set this to None.

Warning

Do not disable server certificate checking in production environments, except when running your own XMPP server locally, on the same physical server.

Other settings

otrbot.settings.sample.ALLOW_SSL_FALLBACK = False

Enable or disable SSL (default: FalseDo not enable!)

otrbot.settings.sample.TLS_VERSION = 'TLSv1.2'

TLS version to use (default: TLSv1) This can be increased to TLSv1.1 or TLSv1.2 but it requires Python 2.7.9+.

otrbot.settings.sample.FORMAT_STRINGS = {'bot_title': 'OTR Bot (Canvas)', 'bot_description': 'This is an instance of the OTR Bot. Source code is available on https://code.greenhost.net', 'project_name': 'Totem (Canvas)', 'bot_alias': 'Marvin (Canvas)'}

The following dict contains the statically defined variables that get formatted into the template strings of messages.

otrbot.settings.sample.XMPP_ACCOUNTS = {'totem@jabme.eu': {'password': 'quahnahgh6kohTeisixoh5ph', 'avatar_file': './avatar.jpg'}}

A dictionary of the default Jabber account to be used by the bot.

otrbot.settings.sample.XMPP_DEFAULT_ACCOUNT = 'totem@jabme.eu'

The JID that the bot uses when the flag -j is not supplied to runclient.

otrbot.settings.sample.FLASK_CONFIG = {'WTF_CSRF_ENABLED': True, 'PYLTI_URL_FIX': {'https://localhost/': {'https://localhost/': 'http://192.168.33.10/'}, 'https://localhost:8000/': {'https://localhost:8000/': 'http://localhost:8000/'}}, 'SECRET_KEY': 'REPLACE THIS BY A LONG RANDOM SEQUENCE OF CHARACTERS', 'PYLTI_CONFIG': {'consumers': {'__consumer_key__': {'secret': '__lti_secret__'}}}}

The Flask and PyLTI configuration. The values in this dictionary update the standard Flask and PyLTI configuration values.

otrbot.settings.sample.USE_LTI = 'True'

When this is true, LTI will be used for authentication. For development purposes, you can turn it off and reach the interface without authentication

otrbot.settings.sample.LTI_CSS_URL = 'https://hostname.tld/style.css'

The CSS file that should be added to the head of the LTI (link).

otrbot.settings.sample.OTR_BOT_MAY_START_SMP = False

If this is true, the bot is allowed to start SMP by itself as soon as it receives a password. If it’s false, the bot will wait for the user to start SMP.

otrbot.settings.sample.DEFAULT_LOCALE = 'en_GB'

Default language to use. Take a look at the locales folder to see which locales are available

otrbot.settings.sample.JID_WHITELIST = {'user@jabber.example.com': {'locale': 'en_GB'}}

Whitelist for accounts that are authorised to talk to the OTR bot. Can be extended by adding to self.whitelist in bot.py. Users are deleted from the whitelist when their session ends. The whitelist may also contain default values for bot sessions, like the locale

otrbot.settings.sample.DEFAULT_SECRET = None

Use this in test-settings to have a default shared secret, so you won’t have to bother using an external protocol to insert the secret into the bot.

otrbot.settings.sample.LOG_USER_MSGS = False

Log connected users messages to the log file, should be set to False in production to prevent potentially sensitive data from being collected. Note: These are the messages the user sends to the bot.

otrbot.settings.sample.WARNING_TIMEOUT = 1500

The number of seconds of inactivity before a user is warned that his session will be killed

otrbot.settings.sample.SESSION_TIMEOUT = 1800

The number of seconds of inactivity before a session is killed (should be higher than WARNING_TIMEOUT)

otrbot.settings.sample.TIMEOUT_CHECK_INTERVAL = 60

The interval in seconds that the timeouts should be checked on.

otrbot.settings.sample.SCHEDULED_MSG_SAY = True

Use a scheduler to delay message with random intervals to make the interaction seem more natural.

otrbot.settings.sample.THREADED_STATE_SCHEDULER = True

Thread the state scheduler?

otrbot.settings.sample.TYPE_SPEED = 20

How fast should the bot be able to type? (characters per second). This is irrelevant if SCHEDULED_MSG_SAY is set to False.