From 7713edc6bbef064c6be99a348ddb258da15ef72f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pawe=C5=82=20Chmielowski?= <pchmielowski@process-one.net>
Date: Fri, 7 Dec 2018 12:54:18 +0100
Subject: [PATCH] Define default ciphers/protocol_option in example config

---
 ejabberd.yml.example | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/ejabberd.yml.example b/ejabberd.yml.example
index a032081a3..5b2515e08 100644
--- a/ejabberd.yml.example
+++ b/ejabberd.yml.example
@@ -39,6 +39,21 @@ certfiles:
   - "/etc/letsencrypt/live/localhost/fullchain.pem"
   - "/etc/letsencrypt/live/localhost/privkey.pem"
 
+define_macro:
+  # TLS options for client not being able to use modern ciphers (Windows XP+, Android 3.0+)
+  CIPHERS_INTERMEDIATE: "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
+  PROTOCOL_OPTIONS_INTERMEDIATE:
+    - "no_sslv2"
+    - "no_sslv3"
+
+  # TLS options for client able to use moder ciphers (Windows 7+, Android 5.0+)
+  CIPHERS_MODERN: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
+  PROTOCOL_OPTIONS_MODERN:
+    - "no_sslv2"
+    - "no_sslv3"
+    - "no_tlsv1"
+    - "no_tlsv1.1"
+
 listen:
   -
     port: 5222
@@ -47,6 +62,8 @@ listen:
     max_stanza_size: 262144
     shaper: c2s_shaper
     access: c2s
+    ciphers: CIPHERS_MODERN
+    protocol_options: PROTOCOL_OPTIONS_MODERN
     starttls_required: true
   -
     port: 5269
@@ -64,6 +81,8 @@ listen:
       "/ws": ejabberd_http_ws
     web_admin: true
     captcha: true
+    ciphers: CIPHERS_MODERN
+    protocol_options: PROTOCOL_OPTIONS_MODERN
     tls: true
 
 s2s_use_starttls: optional
@@ -75,7 +94,6 @@ acl:
     ip:
       - "127.0.0.0/8"
       - "::1/128"
-      - "::FFFF:127.0.0.1/128"
 
 access_rules:
   local: