25
1
mirror of https://github.com/processone/ejabberd.git synced 2024-11-24 16:23:40 +01:00

Merge pull request #160 from runcom/protocol_options

Add option to specify openssl options
This commit is contained in:
Alexey Shchepin 2014-04-15 19:01:21 +04:00
commit f93758a3cd
5 changed files with 63 additions and 10 deletions

View File

@ -333,7 +333,7 @@ To compile \ejabberd{} on a `Unix-like' operating system, you need:
\makesubsection{download}{Download Source Code} \makesubsection{download}{Download Source Code}
\ind{install!download} \ind{install!download}
Released versions of \ejabberd{} are available in the ProcessOne \ejabberd{} downloads page: Released versions of \ejabberd{} are available in the ProcessOne \ejabberd{} downloads page:
\ahrefurl{http://www.process-one.net/en/ejabberd/downloads} \ahrefurl{http://www.process-one.net/en/ejabberd/downloads}
\ind{Git repository} \ind{Git repository}
@ -870,7 +870,7 @@ The available modules, their purpose and the options allowed by each one are:
\begin{description} \begin{description}
\titem{\texttt{ejabberd\_c2s}} \titem{\texttt{ejabberd\_c2s}}
Handles c2s connections.\\ Handles c2s connections.\\
Options: \texttt{access}, \texttt{certfile}, \texttt{ciphers}, Options: \texttt{access}, \texttt{certfile}, \texttt{ciphers}, \texttt{protocol\_options}
\texttt{max\_fsm\_queue}, \texttt{max\_fsm\_queue},
\texttt{max\_stanza\_size}, \texttt{shaper}, \texttt{max\_stanza\_size}, \texttt{shaper},
\texttt{starttls}, \texttt{starttls\_required}, \texttt{tls}, \texttt{starttls}, \texttt{starttls\_required}, \texttt{tls},
@ -918,6 +918,10 @@ This is a detailed description of each option allowed by the listening modules:
To define a certificate file specific for a given domain, use the global option \term{domain\_certfile}. To define a certificate file specific for a given domain, use the global option \term{domain\_certfile}.
\titem{ciphers: Ciphers} OpenSSL ciphers list in the same format accepted by \titem{ciphers: Ciphers} OpenSSL ciphers list in the same format accepted by
`\verb|openssl ciphers|' command. `\verb|openssl ciphers|' command.
\titem{protocol\_options: ProtocolOpts} \ind{options!protocol\_options}
List of general options relating to SSL/TLS. These map to \verb|<a href="https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html">OpenSSL's set_options()</a>|.
For a full list of options available in ejabberd, \verb|<a href="https://github.com/processone/tls/blob/protocol_options/c_src/options.h">see the source</a>|.
The default entry is: \verb|"no_sslv2"|
\titem{default\_host: undefined|HostName\}} \titem{default\_host: undefined|HostName\}}
If the HTTP request received by ejabberd contains the HTTP header \term{Host} If the HTTP request received by ejabberd contains the HTTP header \term{Host}
with an ambiguous virtual host that doesn't match any one defined in ejabberd (see \ref{hostnames}), with an ambiguous virtual host that doesn't match any one defined in ejabberd (see \ref{hostnames}),
@ -1066,6 +1070,10 @@ There are some additional global options that can be specified in the ejabberd c
Full path to the file containing the SSL certificate for a specific domain. Full path to the file containing the SSL certificate for a specific domain.
\titem{s2s\_ciphers: Ciphers} \ind{options!s2s\_ciphers} OpenSSL ciphers list \titem{s2s\_ciphers: Ciphers} \ind{options!s2s\_ciphers} OpenSSL ciphers list
in the same format accepted by `\verb|openssl ciphers|' command. in the same format accepted by `\verb|openssl ciphers|' command.
\titem{s2s\_protocol\_options: ProtocolOpts} \ind{options!s2s\_protocol\_options}
List of general options relating to SSL/TLS. These map to \verb|<a href="https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html">OpenSSL's set_options()</a>|.
For a full list of options available in ejabberd, \verb|<a href="https://github.com/processone/tls/blob/protocol_options/c_src/options.h">see the source</a>|.
The default enitry is: \verb|"no_sslv2"|
\titem{outgoing\_s2s\_families: [Family, ...]} \ind{options!outgoing\_s2s\_families} \titem{outgoing\_s2s\_families: [Family, ...]} \ind{options!outgoing\_s2s\_families}
Specify which address families to try, in what order. Specify which address families to try, in what order.
By default it first tries connecting with IPv4, if that fails it tries using IPv6. By default it first tries connecting with IPv4, if that fails it tries using IPv6.

View File

@ -86,6 +86,12 @@ listen:
## ##
## certfile: "/path/to/ssl.pem" ## certfile: "/path/to/ssl.pem"
## starttls: true ## starttls: true
##
## Custom OpenSSL options
##
## protocol_options:
## - "no_sslv3"
## - "no_tlsv1"
max_stanza_size: 65536 max_stanza_size: 65536
shaper: c2s_shaper shaper: c2s_shaper
access: c2s access: c2s
@ -144,6 +150,12 @@ listen:
## ##
## s2s_certfile: "/path/to/ssl.pem" ## s2s_certfile: "/path/to/ssl.pem"
## Custom OpenSSL options
##
## s2s_protocol_options:
## - "no_sslv3"
## - "no_tlsv1"
## ##
## domain_certfile: Specify a different certificate for each served hostname. ## domain_certfile: Specify a different certificate for each served hostname.
## ##

View File

@ -244,11 +244,20 @@ init([{SockMod, Socket}, Opts]) ->
(_) -> false (_) -> false
end, end,
Opts), Opts),
TLSOpts2 = case proplists:get_bool(tls_compression, Opts) of TLSOpts2 = case lists:keysearch(protocol_options, 1, Opts) of
false -> [compression_none | TLSOpts1]; {value, {_, O}} ->
true -> TLSOpts1 [_|ProtocolOptions] = lists:foldl(
fun(X, Acc) -> X ++ Acc end, [],
[["|" | binary_to_list(Opt)] || Opt <- O, is_binary(Opt)]
),
[{protocol_options, iolist_to_binary(ProtocolOptions)} | TLSOpts1];
_ -> TLSOpts1
end, end,
TLSOpts = [verify_none | TLSOpts2], TLSOpts3 = case proplists:get_bool(tls_compression, Opts) of
false -> [compression_none | TLSOpts2];
true -> TLSOpts2
end,
TLSOpts = [verify_none | TLSOpts3],
IP = peerip(SockMod, Socket), IP = peerip(SockMod, Socket),
%% Check if IP is blacklisted: %% Check if IP is blacklisted:
case is_ip_blacklisted(IP) of case is_ip_blacklisted(IP) of

View File

@ -181,9 +181,21 @@ init([{SockMod, Socket}, Opts]) ->
undefined -> TLSOpts1; undefined -> TLSOpts1;
Ciphers -> [{ciphers, Ciphers} | TLSOpts1] Ciphers -> [{ciphers, Ciphers} | TLSOpts1]
end, end,
TLSOpts3 = case ejabberd_config:get_option(
s2s_protocol_options,
fun (Options) ->
[_|O] = lists:foldl(
fun(X, Acc) -> X ++ Acc end, [],
[["|" | binary_to_list(Opt)] || Opt <- Options, is_binary(Opt)]
),
iolist_to_binary(O)
end) of
undefined -> TLSOpts2;
ProtocolOpts -> [{protocol_options, ProtocolOpts} | TLSOpts2]
end,
TLSOpts = case proplists:get_bool(tls_compression, Opts) of TLSOpts = case proplists:get_bool(tls_compression, Opts) of
false -> [compression_none | TLSOpts2]; false -> [compression_none | TLSOpts3];
true -> TLSOpts2 true -> TLSOpts3
end, end,
Timer = erlang:start_timer(?S2STIMEOUT, self(), []), Timer = erlang:start_timer(?S2STIMEOUT, self(), []),
{ok, wait_for_stream, {ok, wait_for_stream,

View File

@ -195,13 +195,25 @@ init([From, Server, Type]) ->
undefined -> TLSOpts1; undefined -> TLSOpts1;
Ciphers -> [{ciphers, Ciphers} | TLSOpts1] Ciphers -> [{ciphers, Ciphers} | TLSOpts1]
end, end,
TLSOpts3 = case ejabberd_config:get_option(
s2s_protocol_options,
fun (Options) ->
[_|O] = lists:foldl(
fun(X, Acc) -> X ++ Acc end, [],
[["|" | binary_to_list(Opt)] || Opt <- Options, is_binary(Opt)]
),
iolist_to_binary(O)
end) of
undefined -> TLSOpts2;
ProtocolOpts -> [{protocol_options, ProtocolOpts} | TLSOpts2]
end,
TLSOpts = case ejabberd_config:get_option( TLSOpts = case ejabberd_config:get_option(
{s2s_tls_compression, From}, {s2s_tls_compression, From},
fun(true) -> true; fun(true) -> true;
(false) -> false (false) -> false
end, true) of end, true) of
false -> [compression_none | TLSOpts2]; false -> [compression_none | TLSOpts3];
true -> TLSOpts2 true -> TLSOpts3
end, end,
{New, Verify} = case Type of {New, Verify} = case Type of
{new, Key} -> {Key, false}; {new, Key} -> {Key, false};