Add option to specify openssl options
This commit is contained in:
parent
66006ba017
commit
fbf71f86f3
@ -332,7 +332,7 @@ To compile \ejabberd{} on a `Unix-like' operating system, you need:
|
|||||||
\makesubsection{download}{Download Source Code}
|
\makesubsection{download}{Download Source Code}
|
||||||
\ind{install!download}
|
\ind{install!download}
|
||||||
|
|
||||||
Released versions of \ejabberd{} are available in the ProcessOne \ejabberd{} downloads page:
|
Released versions of \ejabberd{} are available in the ProcessOne \ejabberd{} downloads page:
|
||||||
\ahrefurl{http://www.process-one.net/en/ejabberd/downloads}
|
\ahrefurl{http://www.process-one.net/en/ejabberd/downloads}
|
||||||
|
|
||||||
\ind{Git repository}
|
\ind{Git repository}
|
||||||
@ -869,7 +869,7 @@ The available modules, their purpose and the options allowed by each one are:
|
|||||||
\begin{description}
|
\begin{description}
|
||||||
\titem{\texttt{ejabberd\_c2s}}
|
\titem{\texttt{ejabberd\_c2s}}
|
||||||
Handles c2s connections.\\
|
Handles c2s connections.\\
|
||||||
Options: \texttt{access}, \texttt{certfile}, \texttt{ciphers},
|
Options: \texttt{access}, \texttt{certfile}, \texttt{ciphers}, \texttt{protocol\_options}
|
||||||
\texttt{max\_fsm\_queue},
|
\texttt{max\_fsm\_queue},
|
||||||
\texttt{max\_stanza\_size}, \texttt{shaper},
|
\texttt{max\_stanza\_size}, \texttt{shaper},
|
||||||
\texttt{starttls}, \texttt{starttls\_required}, \texttt{tls},
|
\texttt{starttls}, \texttt{starttls\_required}, \texttt{tls},
|
||||||
@ -917,6 +917,10 @@ This is a detailed description of each option allowed by the listening modules:
|
|||||||
To define a certificate file specific for a given domain, use the global option \term{domain\_certfile}.
|
To define a certificate file specific for a given domain, use the global option \term{domain\_certfile}.
|
||||||
\titem{ciphers: Ciphers} OpenSSL ciphers list in the same format accepted by
|
\titem{ciphers: Ciphers} OpenSSL ciphers list in the same format accepted by
|
||||||
`\verb|openssl ciphers|' command.
|
`\verb|openssl ciphers|' command.
|
||||||
|
\titem{protocol\_options: ProtocolOpts} \ind{options!protocol\_options}
|
||||||
|
List of general options relating to SSL/TLS. These map to \verb|<a href="https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html">OpenSSL's set_options()</a>|.
|
||||||
|
For a full list of options available in ejabberd, \verb|<a href="https://github.com/processone/tls/blob/protocol_options/c_src/options.h">see the source</a>|.
|
||||||
|
The default entry is: \verb|"no_sslv2"|
|
||||||
\titem{default\_host: undefined|HostName\}}
|
\titem{default\_host: undefined|HostName\}}
|
||||||
If the HTTP request received by ejabberd contains the HTTP header \term{Host}
|
If the HTTP request received by ejabberd contains the HTTP header \term{Host}
|
||||||
with an ambiguous virtual host that doesn't match any one defined in ejabberd (see \ref{hostnames}),
|
with an ambiguous virtual host that doesn't match any one defined in ejabberd (see \ref{hostnames}),
|
||||||
@ -1065,6 +1069,10 @@ There are some additional global options that can be specified in the ejabberd c
|
|||||||
Full path to the file containing the SSL certificate for a specific domain.
|
Full path to the file containing the SSL certificate for a specific domain.
|
||||||
\titem{s2s\_ciphers: Ciphers} \ind{options!s2s\_ciphers} OpenSSL ciphers list
|
\titem{s2s\_ciphers: Ciphers} \ind{options!s2s\_ciphers} OpenSSL ciphers list
|
||||||
in the same format accepted by `\verb|openssl ciphers|' command.
|
in the same format accepted by `\verb|openssl ciphers|' command.
|
||||||
|
\titem{s2s\_protocol\_options: ProtocolOpts} \ind{options!s2s\_protocol\_options}
|
||||||
|
List of general options relating to SSL/TLS. These map to \verb|<a href="https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html">OpenSSL's set_options()</a>|.
|
||||||
|
For a full list of options available in ejabberd, \verb|<a href="https://github.com/processone/tls/blob/protocol_options/c_src/options.h">see the source</a>|.
|
||||||
|
The default enitry is: \verb|"no_sslv2"|
|
||||||
\titem{outgoing\_s2s\_families: [Family, ...]} \ind{options!outgoing\_s2s\_families}
|
\titem{outgoing\_s2s\_families: [Family, ...]} \ind{options!outgoing\_s2s\_families}
|
||||||
Specify which address families to try, in what order.
|
Specify which address families to try, in what order.
|
||||||
By default it first tries connecting with IPv4, if that fails it tries using IPv6.
|
By default it first tries connecting with IPv4, if that fails it tries using IPv6.
|
||||||
|
@ -86,6 +86,12 @@ listen:
|
|||||||
##
|
##
|
||||||
## certfile: "/path/to/ssl.pem"
|
## certfile: "/path/to/ssl.pem"
|
||||||
## starttls: true
|
## starttls: true
|
||||||
|
##
|
||||||
|
## Custom OpenSSL options
|
||||||
|
##
|
||||||
|
## protocol_options:
|
||||||
|
## - "no_sslv3"
|
||||||
|
## - "no_tlsv1"
|
||||||
max_stanza_size: 65536
|
max_stanza_size: 65536
|
||||||
shaper: c2s_shaper
|
shaper: c2s_shaper
|
||||||
access: c2s
|
access: c2s
|
||||||
@ -144,6 +150,12 @@ listen:
|
|||||||
##
|
##
|
||||||
## s2s_certfile: "/path/to/ssl.pem"
|
## s2s_certfile: "/path/to/ssl.pem"
|
||||||
|
|
||||||
|
## Custom OpenSSL options
|
||||||
|
##
|
||||||
|
## s2s_protocol_options:
|
||||||
|
## - "no_sslv3"
|
||||||
|
## - "no_tlsv1"
|
||||||
|
|
||||||
##
|
##
|
||||||
## domain_certfile: Specify a different certificate for each served hostname.
|
## domain_certfile: Specify a different certificate for each served hostname.
|
||||||
##
|
##
|
||||||
|
@ -245,11 +245,20 @@ init([{SockMod, Socket}, Opts]) ->
|
|||||||
(_) -> false
|
(_) -> false
|
||||||
end,
|
end,
|
||||||
Opts),
|
Opts),
|
||||||
TLSOpts2 = case proplists:get_bool(tls_compression, Opts) of
|
TLSOpts2 = case lists:keysearch(protocol_options, 1, Opts) of
|
||||||
false -> [compression_none | TLSOpts1];
|
{value, {_, O}} ->
|
||||||
true -> TLSOpts1
|
[_|ProtocolOptions] = lists:foldl(
|
||||||
|
fun(X, Acc) -> X ++ Acc end, [],
|
||||||
|
[["|" | binary_to_list(Opt)] || Opt <- O, is_binary(Opt)]
|
||||||
|
),
|
||||||
|
[{protocol_options, iolist_to_binary(ProtocolOptions)} | TLSOpts1];
|
||||||
|
_ -> TLSOpts1
|
||||||
end,
|
end,
|
||||||
TLSOpts = [verify_none | TLSOpts2],
|
TLSOpts3 = case proplists:get_bool(tls_compression, Opts) of
|
||||||
|
false -> [compression_none | TLSOpts2];
|
||||||
|
true -> TLSOpts2
|
||||||
|
end,
|
||||||
|
TLSOpts = [verify_none | TLSOpts3],
|
||||||
IP = peerip(SockMod, Socket),
|
IP = peerip(SockMod, Socket),
|
||||||
%% Check if IP is blacklisted:
|
%% Check if IP is blacklisted:
|
||||||
case is_ip_blacklisted(IP) of
|
case is_ip_blacklisted(IP) of
|
||||||
|
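Review bot: `[_|ProtocolOptions] = lists:foldl(...)` raises badmatch when `O` contributes no binary entries (an empty `protocol_options` list, or one whose entries the config loader did not produce as binaries), so a listener configured that way crashes in init/1 instead of falling back to `TLSOpts1`; the same `[_|O] = lists:foldl(...)` pattern appears in the ejabberd_s2s_in and ejabberd_s2s_out hunks below. Entries rejected by `is_binary(Opt)` are also dropped without any log line, which matters here because an option meant to disable a protocol version silently vanishes while the documented default only sets `no_sslv2`; a warning via the module's logging macro at that point would make the misconfiguration visible. Filtering first and matching on the result removes both the crash and the manual stripping of the leading separator (it also keeps the options in configured order rather than reversed; order is not significant to the consumer as far as this hunk shows). init/1 begins before this hunk.
```erlang
    TLSOpts2 = case lists:keyfind(protocol_options, 1, Opts) of
        {protocol_options, O} ->
            case [Opt || Opt <- O, is_binary(Opt)] of
                [] -> TLSOpts1;  % no usable entries: keep the default options
                [First | Rest] ->
                    Joined = [First | [["|", Opt] || Opt <- Rest]],
                    [{protocol_options, iolist_to_binary(Joined)} | TLSOpts1]
            end;
        false -> TLSOpts1
    end,
    %% … unchanged: tls_compression handling and verify_none …
```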
@ -182,9 +182,21 @@ init([{SockMod, Socket}, Opts]) ->
|
|||||||
undefined -> TLSOpts1;
|
undefined -> TLSOpts1;
|
||||||
Ciphers -> [{ciphers, Ciphers} | TLSOpts1]
|
Ciphers -> [{ciphers, Ciphers} | TLSOpts1]
|
||||||
end,
|
end,
|
||||||
|
TLSOpts3 = case ejabberd_config:get_option(
|
||||||
|
s2s_protocol_options,
|
||||||
|
fun (Options) ->
|
||||||
|
[_|O] = lists:foldl(
|
||||||
|
fun(X, Acc) -> X ++ Acc end, [],
|
||||||
|
[["|" | binary_to_list(Opt)] || Opt <- Options, is_binary(Opt)]
|
||||||
|
),
|
||||||
|
iolist_to_binary(O)
|
||||||
|
end) of
|
||||||
|
undefined -> TLSOpts2;
|
||||||
|
ProtocolOpts -> [{protocol_options, ProtocolOpts} | TLSOpts2]
|
||||||
|
end,
|
||||||
TLSOpts = case proplists:get_bool(tls_compression, Opts) of
|
TLSOpts = case proplists:get_bool(tls_compression, Opts) of
|
||||||
false -> [compression_none | TLSOpts2];
|
false -> [compression_none | TLSOpts3];
|
||||||
true -> TLSOpts2
|
true -> TLSOpts3
|
||||||
end,
|
end,
|
||||||
Timer = erlang:start_timer(?S2STIMEOUT, self(), []),
|
Timer = erlang:start_timer(?S2STIMEOUT, self(), []),
|
||||||
{ok, wait_for_stream,
|
{ok, wait_for_stream,
|
||||||
|
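Review bot: The anonymous fun handed to `ejabberd_config:get_option(s2s_protocol_options, fun (Options) -> ... end)` is repeated verbatim in the ejabberd_s2s_out hunk, and the join it performs is a third copy of the one in ejabberd_c2s, so any later fix to the joining logic has to be made in three modules. Extracting the "list of binaries to `|`-separated binary" step into one exported helper and calling it from all three init/1 functions would keep them consistent and make the conversion unit-testable on its own. What `ejabberd_config:get_option` does when the validation fun raises is not visible in this hunk, so whether a bad value becomes a crash or an ignored option should be confirmed before relying on either. init/1 begins before this hunk.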
@ -196,13 +196,25 @@ init([From, Server, Type]) ->
|
|||||||
undefined -> TLSOpts1;
|
undefined -> TLSOpts1;
|
||||||
Ciphers -> [{ciphers, Ciphers} | TLSOpts1]
|
Ciphers -> [{ciphers, Ciphers} | TLSOpts1]
|
||||||
end,
|
end,
|
||||||
|
TLSOpts3 = case ejabberd_config:get_option(
|
||||||
|
s2s_protocol_options,
|
||||||
|
fun (Options) ->
|
||||||
|
[_|O] = lists:foldl(
|
||||||
|
fun(X, Acc) -> X ++ Acc end, [],
|
||||||
|
[["|" | binary_to_list(Opt)] || Opt <- Options, is_binary(Opt)]
|
||||||
|
),
|
||||||
|
iolist_to_binary(O)
|
||||||
|
end) of
|
||||||
|
undefined -> TLSOpts2;
|
||||||
|
ProtocolOpts -> [{protocol_options, ProtocolOpts} | TLSOpts2]
|
||||||
|
end,
|
||||||
TLSOpts = case ejabberd_config:get_option(
|
TLSOpts = case ejabberd_config:get_option(
|
||||||
{s2s_tls_compression, From},
|
{s2s_tls_compression, From},
|
||||||
fun(true) -> true;
|
fun(true) -> true;
|
||||||
(false) -> false
|
(false) -> false
|
||||||
end, true) of
|
end, true) of
|
||||||
false -> [compression_none | TLSOpts2];
|
false -> [compression_none | TLSOpts3];
|
||||||
true -> TLSOpts2
|
true -> TLSOpts3
|
||||||
end,
|
end,
|
||||||
{New, Verify} = case Type of
|
{New, Verify} = case Type of
|
||||||
{new, Key} -> {Key, false};
|
{new, Key} -> {Key, false};
|
||||||
|