Support for OpenSSL ciphers list in ejabberd_c2s, ejabberd_s2s_in and ejabberd_s2s_out
parent
a6b0e18bde
commit
1dd94ac0d0
@ -869,7 +869,8 @@ The available modules, their purpose and the options allowed by each one are:
|
|||||||
\begin{description}
|
\begin{description}
|
||||||
\titem{\texttt{ejabberd\_c2s}}
|
\titem{\texttt{ejabberd\_c2s}}
|
||||||
Handles c2s connections.\\
|
Handles c2s connections.\\
|
||||||
Options: \texttt{access}, \texttt{certfile}, \texttt{max\_fsm\_queue},
|
Options: \texttt{access}, \texttt{certfile}, \texttt{ciphers},
|
||||||
|
\texttt{max\_fsm\_queue},
|
||||||
\texttt{max\_stanza\_size}, \texttt{shaper},
|
\texttt{max\_stanza\_size}, \texttt{shaper},
|
||||||
\texttt{starttls}, \texttt{starttls\_required}, \texttt{tls},
|
\texttt{starttls}, \texttt{starttls\_required}, \texttt{tls},
|
||||||
\texttt{zlib}, \texttt{tls\_compression}
|
\texttt{zlib}, \texttt{tls\_compression}
|
||||||
@ -908,6 +909,8 @@ This is a detailed description of each option allowed by the listening modules:
|
|||||||
Simple web page that allows a user to fill a CAPTCHA challenge (see section \ref{captcha}).
|
Simple web page that allows a user to fill a CAPTCHA challenge (see section \ref{captcha}).
|
||||||
\titem{certfile: Path} Full path to a file containing the default SSL certificate.
|
\titem{certfile: Path} Full path to a file containing the default SSL certificate.
|
||||||
To define a certificate file specific for a given domain, use the global option \term{domain\_certfile}.
|
To define a certificate file specific for a given domain, use the global option \term{domain\_certfile}.
|
||||||
|
\titem{ciphers: Ciphers} OpenSSL ciphers list in the same format accepted by
|
||||||
|
`\verb|openssl ciphers|' command.
|
||||||
\titem{default\_host: undefined|HostName\}}
|
\titem{default\_host: undefined|HostName\}}
|
||||||
If the HTTP request received by ejabberd contains the HTTP header \term{Host}
|
If the HTTP request received by ejabberd contains the HTTP header \term{Host}
|
||||||
with an ambiguous virtual host that doesn't match any one defined in ejabberd (see \ref{hostnames}),
|
with an ambiguous virtual host that doesn't match any one defined in ejabberd (see \ref{hostnames}),
|
||||||
@ -1054,6 +1057,8 @@ There are some additional global options that can be specified in the ejabberd c
|
|||||||
file containing a SSL certificate.
|
file containing a SSL certificate.
|
||||||
\titem{domain\_certfile: Path} \ind{options!domain\_certfile}
|
\titem{domain\_certfile: Path} \ind{options!domain\_certfile}
|
||||||
Full path to the file containing the SSL certificate for a specific domain.
|
Full path to the file containing the SSL certificate for a specific domain.
|
||||||
|
\titem{s2s\_ciphers: Ciphers} \ind{options!s2s\_ciphers} OpenSSL ciphers list
|
||||||
|
in the same format accepted by `\verb|openssl ciphers|' command.
|
||||||
\titem{outgoing\_s2s\_families: [Family, ...]} \ind{options!outgoing\_s2s\_families}
|
\titem{outgoing\_s2s\_families: [Family, ...]} \ind{options!outgoing\_s2s\_families}
|
||||||
Specify which address families to try, in what order.
|
Specify which address families to try, in what order.
|
||||||
By default it first tries connecting with IPv4, if that fails it tries using IPv6.
|
By default it first tries connecting with IPv4, if that fails it tries using IPv6.
|
||||||
|
@ -241,6 +241,7 @@ init([{SockMod, Socket}, Opts]) ->
|
|||||||
TLS = StartTLS orelse
|
TLS = StartTLS orelse
|
||||||
StartTLSRequired orelse TLSEnabled,
|
StartTLSRequired orelse TLSEnabled,
|
||||||
TLSOpts1 = lists:filter(fun ({certfile, _}) -> true;
|
TLSOpts1 = lists:filter(fun ({certfile, _}) -> true;
|
||||||
|
({ciphers, _}) -> true;
|
||||||
(_) -> false
|
(_) -> false
|
||||||
end,
|
end,
|
||||||
Opts),
|
Opts),
|
||||||
|
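Review bot: The `ciphers` value is forwarded from Opts unchanged by the new filter clause, whereas the s2s_in and s2s_out hunks of this commit normalise theirs with `iolist_to_binary/1`, so a cipher list written as a string in the listener config would reach the TLS layer as a list here and as a binary there. If the TLS socket layer expects one representation, convert here too, e.g. with `lists:filtermap/2` and `({ciphers, C}) -> {true, {ciphers, iolist_to_binary(C)}};`, or document at the filter that both forms are accepted. It is not visible in the hunk whether the value is validated anywhere before it reaches OpenSSL, so a cipher string that does not parse would presumably only surface at the first handshake; once confirmed, a comment such as `%% ciphers is passed verbatim to the TLS layer; an invalid list fails at handshake time` would save the next reader the search. init/1 begins and ends outside this hunk.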
@ -177,9 +177,14 @@ init([{SockMod, Socket}, Opts]) ->
|
|||||||
undefined -> [];
|
undefined -> [];
|
||||||
CertFile -> [{certfile, CertFile}]
|
CertFile -> [{certfile, CertFile}]
|
||||||
end,
|
end,
|
||||||
|
TLSOpts2 = case ejabberd_config:get_option(
|
||||||
|
s2s_ciphers, fun iolist_to_binary/1) of
|
||||||
|
undefined -> TLSOpts1;
|
||||||
|
Ciphers -> [{ciphers, Ciphers} | TLSOpts1]
|
||||||
|
end,
|
||||||
TLSOpts = case proplists:get_bool(tls_compression, Opts) of
|
TLSOpts = case proplists:get_bool(tls_compression, Opts) of
|
||||||
false -> [compression_none | TLSOpts1];
|
false -> [compression_none | TLSOpts2];
|
||||||
true -> TLSOpts1
|
true -> TLSOpts2
|
||||||
end,
|
end,
|
||||||
Timer = erlang:start_timer(?S2STIMEOUT, self(), []),
|
Timer = erlang:start_timer(?S2STIMEOUT, self(), []),
|
||||||
{ok, wait_for_stream,
|
{ok, wait_for_stream,
|
||||||
|
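Review bot: The five-line `TLSOpts2` lookup added here is repeated verbatim in the s2s_out hunk below (`init([From, Server, Type])`), so the two modules can drift the next time the option's type or default changes; extracting it into one shared helper that takes the existing option list and returns it with `{ciphers, Ciphers}` prepended would keep the `s2s_ciphers` handling in a single place. The lookup also accepts any iolist, including an empty one, so `<<>>` would be passed on as the cipher list; whether the TLS layer rejects that or silently matches no cipher is not visible here and deserves either a guard on the empty case or a comment stating the outcome. init/1 starts before this hunk and continues past it.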
@ -191,13 +191,18 @@ init([From, Server, Type]) ->
|
|||||||
undefined -> [connect];
|
undefined -> [connect];
|
||||||
CertFile -> [{certfile, CertFile}, connect]
|
CertFile -> [{certfile, CertFile}, connect]
|
||||||
end,
|
end,
|
||||||
|
TLSOpts2 = case ejabberd_config:get_option(
|
||||||
|
s2s_ciphers, fun iolist_to_binary/1) of
|
||||||
|
undefined -> TLSOpts1;
|
||||||
|
Ciphers -> [{ciphers, Ciphers} | TLSOpts1]
|
||||||
|
end,
|
||||||
TLSOpts = case ejabberd_config:get_option(
|
TLSOpts = case ejabberd_config:get_option(
|
||||||
{s2s_tls_compression, From},
|
{s2s_tls_compression, From},
|
||||||
fun(true) -> true;
|
fun(true) -> true;
|
||||||
(false) -> false
|
(false) -> false
|
||||||
end, true) of
|
end, true) of
|
||||||
false -> [compression_none | TLSOpts1];
|
false -> [compression_none | TLSOpts2];
|
||||||
true -> TLSOpts1
|
true -> TLSOpts2
|
||||||
end,
|
end,
|
||||||
{New, Verify} = case Type of
|
{New, Verify} = case Type of
|
||||||
{new, Key} -> {Key, false};
|
{new, Key} -> {Key, false};
|
||||||
|
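Review bot: The new `s2s_ciphers` lookup is global-only, while the `s2s_tls_compression` option read a few lines below is keyed per origin host as `{s2s_tls_compression, From}`; an operator who already tunes compression per virtual host will reasonably expect to tune the outgoing cipher list per host as well and cannot. If that asymmetry is intended, a comment at the lookup such as `%% s2s_ciphers is global only; no per-host override (unlike s2s_tls_compression)` avoids the surprise, and the guide entry added in this commit should say the same. Otherwise keying the lookup as `{s2s_ciphers, From}` in the same way would make the two options consistent. init/1 begins and ends outside the hunk.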