From 152b18777513f703c405641138f0651bc2408f1b 2016-08-29 22:42:49
From: Branko Majic
Date: 2016-08-29 22:42:49
Subject: [PATCH] MAR-62: Removed TLS hardening from xmpp_server role in order to avoid incompatibilities during s2s communication.
---
diff --git a/docs/rolereference.rst b/docs/rolereference.rst
index dbb071afbd11710c81c84b1f0bdc22835ed7071a..d3bc181f1b2378876f96a893fd8a667304e13834 100644
--- a/docs/rolereference.rst
+++ b/docs/rolereference.rst
@@ -705,7 +705,6 @@ Prosody is configured as follows:
 version, uptime, time, ping, pep, register, admin_adhoc, announce, legacyauth.
 * Self-registration is not allowed.
 * TLS is configured. Legacy TLS is available on port 5223.
-* TLS configuration is hardened, allowing only TLSv1.2 and PFS ciphers.
 * Client-to-server communication requires encryption (TLS).
 * Authentication is done via LDAP. For setting the LDAP TLS truststore, see
 :ref:`LDAP Client `.
@@ -715,6 +714,12 @@ Prosody is configured as follows:
 * For each domain specified, a dedicated file proxy service will be set-up,
 with FQDN set to ``proxy.DOMAIN``.
 
+.. warning:: Since it is not possible to set-up separate TLS configuration for *c2s* and *s2s* connections in Prosody 0.9.x, no hardening of TLS is performed in order to improve interoperability. This will be changed in Prosody 0.10.x, at which point hardening can be revisited.
+
 Prosody expects a specific directory structure in LDAP when doing look-ups:
 
 * Prosody will log-in to LDAP as user
diff --git a/roles/xmpp_server/templates/prosody.cfg.lua.j2 b/roles/xmpp_server/templates/prosody.cfg.lua.j2
index 7d9477abd8948c5682cdb80f5d8fe8c5a7aca2b2..1b8d5e4b1b08e2667f56e5c800c92a192d3082cb 100644
--- a/roles/xmpp_server/templates/prosody.cfg.lua.j2
+++ b/roles/xmpp_server/templates/prosody.cfg.lua.j2
@@ -44,8 +44,6 @@ allow_registration = false;
 ssl = {
 key = "/etc/ssl/private/{{ ansible_fqdn }}_xmpp.key";
 certificate = "/etc/ssl/certs/{{ ansible_fqdn }}_xmpp.pem";
- prosody = "tlsv1_2";
- ciphers = "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!MD5:!EXPORT;"
 }
 
 -- Ports on which to have direct TLS/SSL.
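Review bot: With the version pin and the cipher list removed, the `ssl` table at the top of the hunk now sets only `key` and `certificate`, so protocol versions and cipher suites fall back to whatever the installed Prosody 0.9.x/LuaSec/OpenSSL defaults happen to be, which on older point releases and distributions may still include SSLv3 and non-PFS suites. A minimal floor that leaves the cipher list alone, `options = { "no_sslv2", "no_sslv3" };` inside the table, keeps the downgrade surface closed without affecting s2s peers that negotiate TLS 1.0 or newer; if I recall correctly later 0.9.x point releases already disable SSLv3 by default, in which case the line is merely redundant. The rationale for dropping the hardening lives only in rolereference.rst, so a comment in the template itself, e.g. `-- TLS version/cipher hardening intentionally omitted: Prosody 0.9.x has one ssl table for c2s and s2s; revisit on 0.10.x`, would stop the next maintainer from re-adding it piecemeal or assuming the defaults were a deliberate choice. The removed `prosody = "tlsv1_2"` line does not look like a Prosody ssl key (the version setting is `protocol`), so the version pin may never have been in effect and the s2s breakage may have come from the cipher list alone — worth confirming before hardening is revisited on 0.10.x.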