mirror of
https://github.com/processone/ejabberd.git
synced 2024-12-20 17:27:00 +01:00
Support for OpenSSL ciphers list in ejabberd_c2s, ejabberd_s2s_in and ejabberd_s2s_out
This commit is contained in:
parent
a6b0e18bde
commit
1dd94ac0d0
@ -869,7 +869,8 @@ The available modules, their purpose and the options allowed by each one are:
|
||||
\begin{description}
|
||||
\titem{\texttt{ejabberd\_c2s}}
|
||||
Handles c2s connections.\\
|
||||
Options: \texttt{access}, \texttt{certfile}, \texttt{max\_fsm\_queue},
|
||||
Options: \texttt{access}, \texttt{certfile}, \texttt{ciphers},
|
||||
\texttt{max\_fsm\_queue},
|
||||
\texttt{max\_stanza\_size}, \texttt{shaper},
|
||||
\texttt{starttls}, \texttt{starttls\_required}, \texttt{tls},
|
||||
\texttt{zlib}, \texttt{tls\_compression}
|
||||
@ -908,6 +909,8 @@ This is a detailed description of each option allowed by the listening modules:
|
||||
Simple web page that allows a user to fill a CAPTCHA challenge (see section \ref{captcha}).
|
||||
\titem{certfile: Path} Full path to a file containing the default SSL certificate.
|
||||
To define a certificate file specific for a given domain, use the global option \term{domain\_certfile}.
|
||||
\titem{ciphers: Ciphers} OpenSSL ciphers list in the same format accepted by
|
||||
`\verb|openssl ciphers|' command.
|
||||
\titem{default\_host: undefined|HostName\}}
|
||||
If the HTTP request received by ejabberd contains the HTTP header \term{Host}
|
||||
with an ambiguous virtual host that doesn't match any one defined in ejabberd (see \ref{hostnames}),
|
||||
@ -1054,6 +1057,8 @@ There are some additional global options that can be specified in the ejabberd c
|
||||
file containing a SSL certificate.
|
||||
\titem{domain\_certfile: Path} \ind{options!domain\_certfile}
|
||||
Full path to the file containing the SSL certificate for a specific domain.
|
||||
\titem{s2s\_ciphers: Ciphers} \ind{options!s2s\_ciphers} OpenSSL ciphers list
|
||||
in the same format accepted by `\verb|openssl ciphers|' command.
|
||||
\titem{outgoing\_s2s\_families: [Family, ...]} \ind{options!outgoing\_s2s\_families}
|
||||
Specify which address families to try, in what order.
|
||||
By default it first tries connecting with IPv4, if that fails it tries using IPv6.
|
||||
|
@ -241,6 +241,7 @@ init([{SockMod, Socket}, Opts]) ->
|
||||
TLS = StartTLS orelse
|
||||
StartTLSRequired orelse TLSEnabled,
|
||||
TLSOpts1 = lists:filter(fun ({certfile, _}) -> true;
|
||||
({ciphers, _}) -> true;
|
||||
(_) -> false
|
||||
end,
|
||||
Opts),
|
||||
|
@ -177,9 +177,14 @@ init([{SockMod, Socket}, Opts]) ->
|
||||
undefined -> [];
|
||||
CertFile -> [{certfile, CertFile}]
|
||||
end,
|
||||
TLSOpts2 = case ejabberd_config:get_option(
|
||||
s2s_ciphers, fun iolist_to_binary/1) of
|
||||
undefined -> TLSOpts1;
|
||||
Ciphers -> [{ciphers, Ciphers} | TLSOpts1]
|
||||
end,
|
||||
TLSOpts = case proplists:get_bool(tls_compression, Opts) of
|
||||
false -> [compression_none | TLSOpts1];
|
||||
true -> TLSOpts1
|
||||
false -> [compression_none | TLSOpts2];
|
||||
true -> TLSOpts2
|
||||
end,
|
||||
Timer = erlang:start_timer(?S2STIMEOUT, self(), []),
|
||||
{ok, wait_for_stream,
|
||||
|
@ -191,13 +191,18 @@ init([From, Server, Type]) ->
|
||||
undefined -> [connect];
|
||||
CertFile -> [{certfile, CertFile}, connect]
|
||||
end,
|
||||
TLSOpts2 = case ejabberd_config:get_option(
|
||||
s2s_ciphers, fun iolist_to_binary/1) of
|
||||
undefined -> TLSOpts1;
|
||||
Ciphers -> [{ciphers, Ciphers} | TLSOpts1]
|
||||
end,
|
||||
TLSOpts = case ejabberd_config:get_option(
|
||||
{s2s_tls_compression, From},
|
||||
fun(true) -> true;
|
||||
(false) -> false
|
||||
end, true) of
|
||||
false -> [compression_none | TLSOpts1];
|
||||
true -> TLSOpts1
|
||||
false -> [compression_none | TLSOpts2];
|
||||
true -> TLSOpts2
|
||||
end,
|
||||
{New, Verify} = case Type of
|
||||
{new, Key} -> {Key, false};
|
||||
|
Loading…
Reference in New Issue
Block a user