From 1dd94ac0d06822daa8c394ea2da20d91c8209124 Mon Sep 17 00:00:00 2001
From: Alexey Shchepin
Date: Thu, 28 Nov 2013 19:39:11 +0200
Subject: [PATCH] Support for OpenSSL ciphers list in ejabberd_c2s, ejabberd_s2s_in and ejabberd_s2s_out
---
 doc/guide.tex | 7 ++++++-
 src/ejabberd_c2s.erl | 1 +
 src/ejabberd_s2s_in.erl | 9 +++++++--
 src/ejabberd_s2s_out.erl | 9 +++++++--
 4 files changed, 21 insertions(+), 5 deletions(-)
diff --git a/doc/guide.tex b/doc/guide.tex
index 1278dfbbd..4d3b2b4ff 100644
--- a/doc/guide.tex
+++ b/doc/guide.tex
@@ -869,7 +869,8 @@ The available modules, their purpose and the options allowed by each one are:
 \begin{description}
 \titem{\texttt{ejabberd\_c2s}} Handles c2s connections.\\
- Options: \texttt{access}, \texttt{certfile}, \texttt{max\_fsm\_queue},
+ Options: \texttt{access}, \texttt{certfile}, \texttt{ciphers},
+ \texttt{max\_fsm\_queue},
 \texttt{max\_stanza\_size}, \texttt{shaper}, \texttt{starttls}, \texttt{starttls\_required}, \texttt{tls}, \texttt{zlib}, \texttt{tls\_compression}
@@ -908,6 +909,8 @@ This is a detailed description of each option allowed by the listening modules:
 Simple web page that allows a user to fill a CAPTCHA challenge (see section \ref{captcha}).
 \titem{certfile: Path} Full path to a file containing the default SSL certificate. To define a certificate file specific for a given domain, use the global option \term{domain\_certfile}.
+ \titem{ciphers: Ciphers} OpenSSL ciphers list in the same format accepted by
+ `\verb|openssl ciphers|' command.
 \titem{default\_host: undefined|HostName\}} If the HTTP request received by ejabberd contains the HTTP header \term{Host} with an ambiguous virtual host that doesn't match any one defined in ejabberd (see \ref{hostnames}),
@@ -1054,6 +1057,8 @@ There are some additional global options that can be specified in the ejabberd c
 file containing a SSL certificate.
 \titem{domain\_certfile: Path} \ind{options!domain\_certfile} Full path to the file containing the SSL certificate for a specific domain.
+ \titem{s2s\_ciphers: Ciphers} \ind{options!s2s\_ciphers} OpenSSL ciphers list
+ in the same format accepted by `\verb|openssl ciphers|' command.
 \titem{outgoing\_s2s\_families: [Family, ...]} \ind{options!outgoing\_s2s\_families} Specify which address families to try, in what order. By default it first tries connecting with IPv4, if that fails it tries using IPv6.
diff --git a/src/ejabberd_c2s.erl b/src/ejabberd_c2s.erl
index 610f22c24..fa8ec3f5b 100644
--- a/src/ejabberd_c2s.erl
+++ b/src/ejabberd_c2s.erl
@@ -241,6 +241,7 @@ init([{SockMod, Socket}, Opts]) ->
 TLS = StartTLS orelse StartTLSRequired orelse TLSEnabled,
 TLSOpts1 = lists:filter(fun ({certfile, _}) -> true;
+ ({ciphers, _}) -> true;
 (_) -> false
 end,
 Opts),
diff --git a/src/ejabberd_s2s_in.erl b/src/ejabberd_s2s_in.erl
index dd1c93c8d..2823cde62 100644
--- a/src/ejabberd_s2s_in.erl
+++ b/src/ejabberd_s2s_in.erl
@@ -177,9 +177,14 @@ init([{SockMod, Socket}, Opts]) ->
 undefined -> [];
 CertFile -> [{certfile, CertFile}]
 end,
+ TLSOpts2 = case ejabberd_config:get_option(
+ s2s_ciphers, fun iolist_to_binary/1) of
+ undefined -> TLSOpts1;
+ Ciphers -> [{ciphers, Ciphers} | TLSOpts1]
+ end,
 TLSOpts = case proplists:get_bool(tls_compression, Opts) of
- false -> [compression_none | TLSOpts1];
- true -> TLSOpts1
+ false -> [compression_none | TLSOpts2];
+ true -> TLSOpts2
 end,
 Timer = erlang:start_timer(?S2STIMEOUT, self(), []),
 {ok, wait_for_stream,
diff --git a/src/ejabberd_s2s_out.erl b/src/ejabberd_s2s_out.erl
index f52a673e4..a5acdad95 100644
--- a/src/ejabberd_s2s_out.erl
+++ b/src/ejabberd_s2s_out.erl
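Review bot: The new `({ciphers, _}) -> true;` filter clause in ejabberd_c2s passes the listener's ciphers value to the TLS layer exactly as the config parser produced it, while the s2s hunks in the same commit normalize the global `s2s_ciphers` value through `fun iolist_to_binary/1`. If the TLS backend expects a binary, as that normalization suggests, a listener-level `ciphers` given as a string would behave differently from the s2s path; normalizing here in the same way, e.g. mapping `{ciphers, C}` to `{ciphers, iolist_to_binary(C)}` after the filter, would keep the two code paths consistent. Nothing in the hunk checks the cipher string at startup, so a mistyped or empty list is presumably only discovered when the first TLS handshake fails; a one-line comment such as `%% ciphers is an OpenSSL cipher-list string; it is not validated here` would make that explicit. The body of init/1 starts and ends outside the hunk.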
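Review bot: The `TLSOpts2 = case ejabberd_config:get_option(s2s_ciphers, fun iolist_to_binary/1) of ... end` block added to ejabberd_s2s_in is duplicated verbatim in the ejabberd_s2s_out hunk; a shared helper (for instance in ejabberd_config or a small s2s utility function) would keep the two from drifting apart the next time a TLS option is added. In ejabberd_s2s_out the option is read globally even though the neighbouring `s2s_tls_compression` lookup on the following lines is keyed by `{s2s_tls_compression, From}`, so a per-domain cipher policy cannot be expressed for outgoing connections while compression can; if that asymmetry is intended it deserves a comment such as `%% s2s_ciphers is global only; there is no per-domain override` next to the lookup. The `undefined ->` clause implies that `ejabberd_config:get_option/2` returns `undefined` for an unset option, which is consistent with the certfile lookup above it but is worth stating in the guide entry for `s2s_ciphers`. The body of init/1 begins and ends outside the hunk in both files.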
@@ -191,13 +191,18 @@ init([From, Server, Type]) ->
 undefined -> [connect];
 CertFile -> [{certfile, CertFile}, connect]
 end,
+ TLSOpts2 = case ejabberd_config:get_option(
+ s2s_ciphers, fun iolist_to_binary/1) of
+ undefined -> TLSOpts1;
+ Ciphers -> [{ciphers, Ciphers} | TLSOpts1]
+ end,
 TLSOpts = case ejabberd_config:get_option(
 {s2s_tls_compression, From},
 fun(true) -> true;
 (false) -> false
 end, true) of
- false -> [compression_none | TLSOpts1];
- true -> TLSOpts1
+ false -> [compression_none | TLSOpts2];
+ true -> TLSOpts2
 end,
 {New, Verify} = case Type of
 {new, Key} -> {Key, false};