Add option to specify openssl options

Antonio Murdaca 2014-04-01 21:57:33 +02:00
parent 66006ba017
commit fbf71f86f3
5 changed files with 63 additions and 10 deletions


@ -332,7 +332,7 @@ To compile \ejabberd{} on a `Unix-like' operating system, you need:
\makesubsection{download}{Download Source Code} \makesubsection{download}{Download Source Code}
\ind{install!download} \ind{install!download}
Released versions of \ejabberd{} are available in the ProcessOne \ejabberd{} downloads page: Released versions of \ejabberd{} are available in the ProcessOne \ejabberd{} downloads page:
\ahrefurl{http://www.process-one.net/en/ejabberd/downloads} \ahrefurl{http://www.process-one.net/en/ejabberd/downloads}
\ind{Git repository} \ind{Git repository}
@ -869,7 +869,7 @@ The available modules, their purpose and the options allowed by each one are:
\begin{description} \begin{description}
\titem{\texttt{ejabberd\_c2s}} \titem{\texttt{ejabberd\_c2s}}
Handles c2s connections.\\ Handles c2s connections.\\
Options: \texttt{access}, \texttt{certfile}, \texttt{ciphers}, Options: \texttt{access}, \texttt{certfile}, \texttt{ciphers}, \texttt{protocol\_options}
\texttt{max\_fsm\_queue}, \texttt{max\_fsm\_queue},
\texttt{max\_stanza\_size}, \texttt{shaper}, \texttt{max\_stanza\_size}, \texttt{shaper},
\texttt{starttls}, \texttt{starttls\_required}, \texttt{tls}, \texttt{starttls}, \texttt{starttls\_required}, \texttt{tls},
@ -917,6 +917,10 @@ This is a detailed description of each option allowed by the listening modules:
To define a certificate file specific for a given domain, use the global option \term{domain\_certfile}. To define a certificate file specific for a given domain, use the global option \term{domain\_certfile}.
\titem{ciphers: Ciphers} OpenSSL ciphers list in the same format accepted by \titem{ciphers: Ciphers} OpenSSL ciphers list in the same format accepted by
`\verb|openssl ciphers|' command. `\verb|openssl ciphers|' command.
\titem{protocol\_options: ProtocolOpts} \ind{options!protocol\_options}
List of general options relating to SSL/TLS. These map to \verb|<a href="https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html">OpenSSL's set_options()</a>|.
For a full list of options available in ejabberd, \verb|<a href="https://github.com/processone/tls/blob/protocol_options/c_src/options.h">see the source</a>|.
The default entry is: \verb|"no_sslv2"|
\titem{default\_host: undefined|HostName\}} \titem{default\_host: undefined|HostName\}}
If the HTTP request received by ejabberd contains the HTTP header \term{Host} If the HTTP request received by ejabberd contains the HTTP header \term{Host}
with an ambiguous virtual host that doesn't match any one defined in ejabberd (see \ref{hostnames}), with an ambiguous virtual host that doesn't match any one defined in ejabberd (see \ref{hostnames}),
@ -1065,6 +1069,10 @@ There are some additional global options that can be specified in the ejabberd c
Full path to the file containing the SSL certificate for a specific domain. Full path to the file containing the SSL certificate for a specific domain.
\titem{s2s\_ciphers: Ciphers} \ind{options!s2s\_ciphers} OpenSSL ciphers list \titem{s2s\_ciphers: Ciphers} \ind{options!s2s\_ciphers} OpenSSL ciphers list
in the same format accepted by `\verb|openssl ciphers|' command. in the same format accepted by `\verb|openssl ciphers|' command.
\titem{s2s\_protocol\_options: ProtocolOpts} \ind{options!s2s\_protocol\_options}
List of general options relating to SSL/TLS. These map to \verb|<a href="https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html">OpenSSL's set_options()</a>|.
For a full list of options available in ejabberd, \verb|<a href="https://github.com/processone/tls/blob/protocol_options/c_src/options.h">see the source</a>|.
The default enitry is: \verb|"no_sslv2"|
\titem{outgoing\_s2s\_families: [Family, ...]} \ind{options!outgoing\_s2s\_families} \titem{outgoing\_s2s\_families: [Family, ...]} \ind{options!outgoing\_s2s\_families}
Specify which address families to try, in what order. Specify which address families to try, in what order.
By default it first tries connecting with IPv4, if that fails it tries using IPv6. By default it first tries connecting with IPv4, if that fails it tries using IPv6.


@ -86,6 +86,12 @@ listen:
## ##
## certfile: "/path/to/ssl.pem" ## certfile: "/path/to/ssl.pem"
## starttls: true ## starttls: true
##
## Custom OpenSSL options
##
## protocol_options:
## - "no_sslv3"
## - "no_tlsv1"
max_stanza_size: 65536 max_stanza_size: 65536
shaper: c2s_shaper shaper: c2s_shaper
access: c2s access: c2s
@ -144,6 +150,12 @@ listen:
## ##
## s2s_certfile: "/path/to/ssl.pem" ## s2s_certfile: "/path/to/ssl.pem"
## Custom OpenSSL options
##
## s2s_protocol_options:
## - "no_sslv3"
## - "no_tlsv1"
## ##
## domain_certfile: Specify a different certificate for each served hostname. ## domain_certfile: Specify a different certificate for each served hostname.
## ##


@ -245,11 +245,20 @@ init([{SockMod, Socket}, Opts]) ->
(_) -> false (_) -> false
end, end,
Opts), Opts),
TLSOpts2 = case proplists:get_bool(tls_compression, Opts) of TLSOpts2 = case lists:keysearch(protocol_options, 1, Opts) of
false -> [compression_none | TLSOpts1]; {value, {_, O}} ->
true -> TLSOpts1 [_|ProtocolOptions] = lists:foldl(
fun(X, Acc) -> X ++ Acc end, [],
[["|" | binary_to_list(Opt)] || Opt <- O, is_binary(Opt)]
),
[{protocol_options, iolist_to_binary(ProtocolOptions)} | TLSOpts1];
_ -> TLSOpts1
end, end,
TLSOpts = [verify_none | TLSOpts2], TLSOpts3 = case proplists:get_bool(tls_compression, Opts) of
false -> [compression_none | TLSOpts2];
true -> TLSOpts2
end,
TLSOpts = [verify_none | TLSOpts3],
IP = peerip(SockMod, Socket), IP = peerip(SockMod, Socket),
%% Check if IP is blacklisted: %% Check if IP is blacklisted:
case is_ip_blacklisted(IP) of case is_ip_blacklisted(IP) of
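Review bot: The match `[_|ProtocolOptions] = lists:foldl(...)` crashes the c2s connection process with a badmatch whenever the configured list is empty or contains no binaries (for example `protocol_options: []`), because the comprehension then yields nothing to strip the leading "|" from; every client connection on that listener would fail at init. The fold also prepends each element, so the string handed to the driver is in reverse config order, which is presumably harmless but not obvious. Option names are passed through without any check here, so a misspelled entry such as "no_slv3" is only as safe as the driver's handling of unknown names (options.h is not visible in this diff) — worth at least a warning log at startup. Building the string with `string:join/2` and matching on a non-empty list avoids the crash; init/1 starts before this hunk.

```erlang
    ProtoNames = case lists:keyfind(protocol_options, 1, Opts) of
                     {_, O} when is_list(O) ->
                         [binary_to_list(Opt) || Opt <- O, is_binary(Opt)];
                     _ -> []
                 end,
    %% An empty or all-invalid list means "no extra options", not a crash.
    TLSOpts2 = case ProtoNames of
                   [] -> TLSOpts1;
                   _ -> [{protocol_options,
                          list_to_binary(string:join(ProtoNames, "|"))} | TLSOpts1]
               end,
    %% … unchanged: tls_compression handling, verify_none, peerip …
```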


@ -182,9 +182,21 @@ init([{SockMod, Socket}, Opts]) ->
undefined -> TLSOpts1; undefined -> TLSOpts1;
Ciphers -> [{ciphers, Ciphers} | TLSOpts1] Ciphers -> [{ciphers, Ciphers} | TLSOpts1]
end, end,
TLSOpts3 = case ejabberd_config:get_option(
s2s_protocol_options,
fun (Options) ->
[_|O] = lists:foldl(
fun(X, Acc) -> X ++ Acc end, [],
[["|" | binary_to_list(Opt)] || Opt <- Options, is_binary(Opt)]
),
iolist_to_binary(O)
end) of
undefined -> TLSOpts2;
ProtocolOpts -> [{protocol_options, ProtocolOpts} | TLSOpts2]
end,
TLSOpts = case proplists:get_bool(tls_compression, Opts) of TLSOpts = case proplists:get_bool(tls_compression, Opts) of
false -> [compression_none | TLSOpts2]; false -> [compression_none | TLSOpts3];
true -> TLSOpts2 true -> TLSOpts3
end, end,
Timer = erlang:start_timer(?S2STIMEOUT, self(), []), Timer = erlang:start_timer(?S2STIMEOUT, self(), []),
{ok, wait_for_stream, {ok, wait_for_stream,
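Review bot: The validator fun passed to `ejabberd_config:get_option/2` contains the same `[_|O] = lists:foldl(...)` match, which raises on an empty `s2s_protocol_options` list or one with no binary entries; how get_option treats a raising validator is not visible here, but either the setting is silently dropped or the inbound connection fails, and both are wrong for a legitimate empty list. This join logic is now copied verbatim into ejabberd_c2s, ejabberd_s2s_in and ejabberd_s2s_out; a single helper such as `tls_protocol_options(Opts) -> binary() | undefined` in one shared module would keep the three code paths from drifting and would be the natural place for a startup-time check on option names. It is also re-evaluated from the config table on every inbound s2s connection, though that cost is minor. init/1 starts before this hunk.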


@ -196,13 +196,25 @@ init([From, Server, Type]) ->
undefined -> TLSOpts1; undefined -> TLSOpts1;
Ciphers -> [{ciphers, Ciphers} | TLSOpts1] Ciphers -> [{ciphers, Ciphers} | TLSOpts1]
end, end,
TLSOpts3 = case ejabberd_config:get_option(
s2s_protocol_options,
fun (Options) ->
[_|O] = lists:foldl(
fun(X, Acc) -> X ++ Acc end, [],
[["|" | binary_to_list(Opt)] || Opt <- Options, is_binary(Opt)]
),
iolist_to_binary(O)
end) of
undefined -> TLSOpts2;
ProtocolOpts -> [{protocol_options, ProtocolOpts} | TLSOpts2]
end,
TLSOpts = case ejabberd_config:get_option( TLSOpts = case ejabberd_config:get_option(
{s2s_tls_compression, From}, {s2s_tls_compression, From},
fun(true) -> true; fun(true) -> true;
(false) -> false (false) -> false
end, true) of end, true) of
false -> [compression_none | TLSOpts2]; false -> [compression_none | TLSOpts3];
true -> TLSOpts2 true -> TLSOpts3
end, end,
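Review bot: The new `s2s_protocol_options` lookup is global only, while the adjacent `s2s_tls_compression` lookup is keyed per host as `{s2s_tls_compression, From}`; an operator who already tunes TLS per virtual host will expect the protocol options to follow the same rule. If ejabberd_config supports a per-host key for this option as it does for compression, use `{s2s_protocol_options, From}` here and in ejabberd_s2s_in for consistency; otherwise a one-line comment stating that the option is intentionally global, e.g. `%% s2s_protocol_options is global; per-host overrides are not supported`, would prevent the question from recurring. The `[_|O] = ...` match in the validator fun also raises on an empty list, which deserves an explicit empty-list clause. init/1 starts before this hunk.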
{New, Verify} = case Type of {New, Verify} = case Type of
{new, Key} -> {Key, false}; {new, Key} -> {Key, false};