25
1
mirror of https://github.com/processone/ejabberd.git synced 2024-12-20 17:27:00 +01:00

Support for OpenSSL ciphers list in ejabberd_c2s, ejabberd_s2s_in and ejabberd_s2s_out

This commit is contained in:
Alexey Shchepin 2013-11-28 19:39:11 +02:00
parent a6b0e18bde
commit 1dd94ac0d0
4 changed files with 21 additions and 5 deletions

View File

@ -869,7 +869,8 @@ The available modules, their purpose and the options allowed by each one are:
\begin{description}
\titem{\texttt{ejabberd\_c2s}}
Handles c2s connections.\\
Options: \texttt{access}, \texttt{certfile}, \texttt{max\_fsm\_queue},
Options: \texttt{access}, \texttt{certfile}, \texttt{ciphers},
\texttt{max\_fsm\_queue},
\texttt{max\_stanza\_size}, \texttt{shaper},
\texttt{starttls}, \texttt{starttls\_required}, \texttt{tls},
\texttt{zlib}, \texttt{tls\_compression}
@ -908,6 +909,8 @@ This is a detailed description of each option allowed by the listening modules:
Simple web page that allows a user to fill a CAPTCHA challenge (see section \ref{captcha}).
\titem{certfile: Path} Full path to a file containing the default SSL certificate.
To define a certificate file specific for a given domain, use the global option \term{domain\_certfile}.
\titem{ciphers: Ciphers} OpenSSL ciphers list in the same format accepted by
`\verb|openssl ciphers|' command.
\titem{default\_host: undefined|HostName\}}
If the HTTP request received by ejabberd contains the HTTP header \term{Host}
with an ambiguous virtual host that doesn't match any one defined in ejabberd (see \ref{hostnames}),
@ -1054,6 +1057,8 @@ There are some additional global options that can be specified in the ejabberd c
file containing a SSL certificate.
\titem{domain\_certfile: Path} \ind{options!domain\_certfile}
Full path to the file containing the SSL certificate for a specific domain.
\titem{s2s\_ciphers: Ciphers} \ind{options!s2s\_ciphers} OpenSSL ciphers list
in the same format accepted by `\verb|openssl ciphers|' command.
\titem{outgoing\_s2s\_families: [Family, ...]} \ind{options!outgoing\_s2s\_families}
Specify which address families to try, in what order.
By default it first tries connecting with IPv4, if that fails it tries using IPv6.

View File

@ -241,6 +241,7 @@ init([{SockMod, Socket}, Opts]) ->
TLS = StartTLS orelse
StartTLSRequired orelse TLSEnabled,
TLSOpts1 = lists:filter(fun ({certfile, _}) -> true;
({ciphers, _}) -> true;
(_) -> false
end,
Opts),

View File

@ -177,9 +177,14 @@ init([{SockMod, Socket}, Opts]) ->
undefined -> [];
CertFile -> [{certfile, CertFile}]
end,
TLSOpts2 = case ejabberd_config:get_option(
s2s_ciphers, fun iolist_to_binary/1) of
undefined -> TLSOpts1;
Ciphers -> [{ciphers, Ciphers} | TLSOpts1]
end,
TLSOpts = case proplists:get_bool(tls_compression, Opts) of
false -> [compression_none | TLSOpts1];
true -> TLSOpts1
false -> [compression_none | TLSOpts2];
true -> TLSOpts2
end,
Timer = erlang:start_timer(?S2STIMEOUT, self(), []),
{ok, wait_for_stream,

View File

@ -191,13 +191,18 @@ init([From, Server, Type]) ->
undefined -> [connect];
CertFile -> [{certfile, CertFile}, connect]
end,
TLSOpts2 = case ejabberd_config:get_option(
s2s_ciphers, fun iolist_to_binary/1) of
undefined -> TLSOpts1;
Ciphers -> [{ciphers, Ciphers} | TLSOpts1]
end,
TLSOpts = case ejabberd_config:get_option(
{s2s_tls_compression, From},
fun(true) -> true;
(false) -> false
end, true) of
false -> [compression_none | TLSOpts1];
true -> TLSOpts1
false -> [compression_none | TLSOpts2];
true -> TLSOpts2
end,
{New, Verify} = case Type of
{new, Key} -> {Key, false};