From 830a2f209abaef106d7f87a22b234f9f944fdc93 Mon Sep 17 00:00:00 2001
From: Evgeny Khramtsov
Date: Sun, 28 Apr 2019 17:50:52 +0300
Subject: [PATCH] Remove TLS options from the example config

The purpose is two-fold:
- To simplify the example config.
- To avoid old TLS configuration to be persistent across server updates: this might bring security problems, because what's considered "modern" now might be insecure in the future.

---
 ejabberd.yml.example | 20 --------------------
 1 file changed, 20 deletions(-)

diff --git a/ejabberd.yml.example b/ejabberd.yml.example
index 9c8001cdd..52a9c9f66 100644
--- a/ejabberd.yml.example
+++ b/ejabberd.yml.example
@@ -39,24 +39,6 @@ certfiles:
   - "/etc/letsencrypt/live/localhost/fullchain.pem"
   - "/etc/letsencrypt/live/localhost/privkey.pem"
 
-define_macro:
-  # TLS options for client not being able to use modern ciphers (Windows XP+, Android 3.0+)
-  CIPHERS_INTERMEDIATE: "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
-  PROTOCOL_OPTIONS_INTERMEDIATE:
-    - "no_sslv2"
-    - "no_sslv3"
-
-  # TLS options for client able to use modern ciphers (Windows 7+, Android 5.0+)
-  CIPHERS_MODERN: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
-  PROTOCOL_OPTIONS_MODERN:
-    - "no_sslv2"
-    - "no_sslv3"
-    - "no_tlsv1"
-    - "no_tlsv1_1"
-
-c2s_ciphers: CIPHERS_INTERMEDIATE
-c2s_protocol_options: PROTOCOL_OPTIONS_INTERMEDIATE
-
 listen:
   -
     port: 5222
@@ -82,8 +64,6 @@ listen:
       "/ws": ejabberd_http_ws
     web_admin: true
     captcha: true
-    ciphers: CIPHERS_INTERMEDIATE
-    protocol_options: PROTOCOL_OPTIONS_INTERMEDIATE
     tls: true
   -
     port: 5280
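Review bot: With `c2s_ciphers`, `c2s_protocol_options` and the listener-level `ciphers` / `protocol_options` removed, the example no longer signals that these options exist or that leaving them out means the server's built-in defaults decide which protocol versions and cipher suites are accepted, so an admin reading the file cannot tell whether SSLv3 / TLS 1.0 / TLS 1.1 are still refused. The commit message implies those defaults are maintained in code, but nothing in the hunks says so; a one-line comment near `certfiles:` such as `# Cipher suites and protocol versions use the server's built-in defaults; set c2s_ciphers / c2s_protocol_options (or per-listener ciphers / protocol_options) only to override them.` would keep that signal without reintroducing a list that ages badly. The same applies to the second hunk (`-82,8 +64,6`), where the HTTP listener keeps `tls: true` with no hint that its TLS parameters are now defaulted. The `listen:` mapping starts in the first hunk and continues past the end of both.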