
Support for OpenSSL ciphers list in ejabberd_c2s, ejabberd_s2s_in and ejabberd_s2s_out

This commit is contained in:
Alexey Shchepin 2013-11-28 19:39:11 +02:00
parent a6b0e18bde
commit 1dd94ac0d0
4 changed files with 21 additions and 5 deletions


@ -869,7 +869,8 @@ The available modules, their purpose and the options allowed by each one are:
\begin{description} \begin{description}
\titem{\texttt{ejabberd\_c2s}} \titem{\texttt{ejabberd\_c2s}}
Handles c2s connections.\\ Handles c2s connections.\\
Options: \texttt{access}, \texttt{certfile}, \texttt{max\_fsm\_queue}, Options: \texttt{access}, \texttt{certfile}, \texttt{ciphers},
\texttt{max\_fsm\_queue},
\texttt{max\_stanza\_size}, \texttt{shaper}, \texttt{max\_stanza\_size}, \texttt{shaper},
\texttt{starttls}, \texttt{starttls\_required}, \texttt{tls}, \texttt{starttls}, \texttt{starttls\_required}, \texttt{tls},
\texttt{zlib}, \texttt{tls\_compression} \texttt{zlib}, \texttt{tls\_compression}
@ -908,6 +909,8 @@ This is a detailed description of each option allowed by the listening modules:
Simple web page that allows a user to fill a CAPTCHA challenge (see section \ref{captcha}). Simple web page that allows a user to fill a CAPTCHA challenge (see section \ref{captcha}).
\titem{certfile: Path} Full path to a file containing the default SSL certificate. \titem{certfile: Path} Full path to a file containing the default SSL certificate.
To define a certificate file specific for a given domain, use the global option \term{domain\_certfile}. To define a certificate file specific for a given domain, use the global option \term{domain\_certfile}.
\titem{ciphers: Ciphers} OpenSSL ciphers list in the same format accepted by
`\verb|openssl ciphers|' command.
\titem{default\_host: undefined|HostName\}} \titem{default\_host: undefined|HostName\}}
If the HTTP request received by ejabberd contains the HTTP header \term{Host} If the HTTP request received by ejabberd contains the HTTP header \term{Host}
with an ambiguous virtual host that doesn't match any one defined in ejabberd (see \ref{hostnames}), with an ambiguous virtual host that doesn't match any one defined in ejabberd (see \ref{hostnames}),
@ -1054,6 +1057,8 @@ There are some additional global options that can be specified in the ejabberd c
file containing a SSL certificate. file containing a SSL certificate.
\titem{domain\_certfile: Path} \ind{options!domain\_certfile} \titem{domain\_certfile: Path} \ind{options!domain\_certfile}
Full path to the file containing the SSL certificate for a specific domain. Full path to the file containing the SSL certificate for a specific domain.
\titem{s2s\_ciphers: Ciphers} \ind{options!s2s\_ciphers} OpenSSL ciphers list
in the same format accepted by `\verb|openssl ciphers|' command.
\titem{outgoing\_s2s\_families: [Family, ...]} \ind{options!outgoing\_s2s\_families} \titem{outgoing\_s2s\_families: [Family, ...]} \ind{options!outgoing\_s2s\_families}
Specify which address families to try, in what order. Specify which address families to try, in what order.
By default it first tries connecting with IPv4, if that fails it tries using IPv6. By default it first tries connecting with IPv4, if that fails it tries using IPv6.


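--- a/ejabberd_c2s.erl
+++ b/ejabberd_c2s.erl
@@ -241,6 +241,7 @@ init([{SockMod, Socket}, Opts]) ->
 TLS = StartTLS orelse
 StartTLSRequired orelse TLSEnabled,
 TLSOpts1 = lists:filter(fun ({certfile, _}) -> true;
+({ciphers, _}) -> true;
 (_) -> false
 end,
 Opts),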
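Review bot: The new `({ciphers, _}) -> true;` clause forwards the listener's ciphers value to the TLS layer exactly as it appears in the config, while the two s2s hunks in this commit normalise `s2s_ciphers` through `iolist_to_binary/1` first; if the TLS driver expects a binary, a string-valued `ciphers` from the listener options would reach it unconverted here. Either normalise it the same way or record the expectation next to the clause: `%% ciphers is forwarded as configured; s2s_ciphers is normalised with iolist_to_binary/1 - confirm the TLS driver accepts both forms`. Nothing in the hunk states what happens when the option is absent, so a second comment saying that the driver's own default cipher list then applies would help an operator reason about a missing option. The enclosing init/1 starts before and continues after this hunk.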


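--- a/ejabberd_s2s_in.erl
+++ b/ejabberd_s2s_in.erl
@@ -177,9 +177,14 @@ init([{SockMod, Socket}, Opts]) ->
 undefined -> [];
 CertFile -> [{certfile, CertFile}]
 end,
+TLSOpts2 = case ejabberd_config:get_option(
+s2s_ciphers, fun iolist_to_binary/1) of
+undefined -> TLSOpts1;
+Ciphers -> [{ciphers, Ciphers} | TLSOpts1]
+end,
 TLSOpts = case proplists:get_bool(tls_compression, Opts) of
-false -> [compression_none | TLSOpts1];
-true -> TLSOpts1
+false -> [compression_none | TLSOpts2];
+true -> TLSOpts2
 end,
 Timer = erlang:start_timer(?S2STIMEOUT, self(), []),
 {ok, wait_for_stream,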
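Review bot: The five-line `TLSOpts2` lookup added here is repeated verbatim in the ejabberd_s2s_out hunk below, so the same config read and list-prepend now lives in two modules and will drift the next time one side changes (for instance when a default cipher list is introduced or the option is made per-host). A small shared helper that both `init/1` callbacks call keeps that decision in one place; it can live in whichever module both already depend on, which this hunk does not show. When `s2s_ciphers` is unset the `undefined` branch silently leaves the TLS library's default cipher list in force, which deserves a one-line comment at that branch. The enclosing init/1 starts before and ends after this hunk.
```erlang
TLSOpts2 = with_s2s_ciphers(TLSOpts1),
%% … unchanged: tls_compression handling, timer, state tuple …

%% Prepend the global s2s_ciphers option, when configured, to a TLS option
%% list; with the option absent the TLS library's default cipher list applies.
with_s2s_ciphers(TLSOpts) ->
    case ejabberd_config:get_option(s2s_ciphers, fun iolist_to_binary/1) of
        undefined -> TLSOpts;
        Ciphers -> [{ciphers, Ciphers} | TLSOpts]
    end.
```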


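--- a/ejabberd_s2s_out.erl
+++ b/ejabberd_s2s_out.erl
@@ -191,13 +191,18 @@ init([From, Server, Type]) ->
 undefined -> [connect];
 CertFile -> [{certfile, CertFile}, connect]
 end,
+TLSOpts2 = case ejabberd_config:get_option(
+s2s_ciphers, fun iolist_to_binary/1) of
+undefined -> TLSOpts1;
+Ciphers -> [{ciphers, Ciphers} | TLSOpts1]
+end,
 TLSOpts = case ejabberd_config:get_option(
 {s2s_tls_compression, From},
 fun(true) -> true;
 (false) -> false
 end, true) of
-false -> [compression_none | TLSOpts1];
-true -> TLSOpts1
+false -> [compression_none | TLSOpts2];
+true -> TLSOpts2
 end,
 {New, Verify} = case Type of
 {new, Key} -> {Key, false};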
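Review bot: On the new `TLSOpts2` lines `s2s_ciphers` is read as a single global option, whereas `s2s_tls_compression` a few lines further down is looked up per local domain with the `{s2s_tls_compression, From}` key, so an operator who needs a stricter cipher list for one domain's outgoing federation has no way to express it. If per-domain configuration is intended, the lookup would follow the same key style, `ejabberd_config:get_option({s2s_ciphers, From}, fun iolist_to_binary/1)`, with the global form staying the documented fallback; this assumes get_option/2 falls back from the host key to the global key, which the hunk does not show. If global-only is deliberate, a comment at the lookup such as `%% s2s_ciphers is global; unlike s2s_tls_compression it is not looked up per domain` stops the next reader assuming the two options are configured alike. The enclosing init/1 starts before and ends after this hunk.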