Changeset - 32c666acf83a
Branko Majic (branko) - 8 years ago 2016-08-29 23:00:33
branko@majic.rs
MAR-64: Removed TLS hardening from xmpp_server role in order to avoid incompatibilities during s2s communication.
2 files changed with 6 insertions and 3 deletions:
docs/rolereference.rst
 
@@ -705,7 +705,6 @@ Prosody is configured as follows:
 
  version, uptime, time, ping, pep, register, admin_adhoc, announce, legacyauth.
 
* Self-registration is not allowed.
 
* TLS is configured. Legacy TLS is available on port 5223.
 
* TLS configuration is hardened, allowing only TLSv1.2 and PFS ciphers.
 
* Client-to-server communication requires encryption (TLS).
 
* Authentication is done via LDAP. For setting the LDAP TLS truststore, see
 
  :ref:`LDAP Client <ldap_client>`.
 
@@ -715,6 +714,12 @@ Prosody is configured as follows:
 
* For each domain specified, a dedicated file proxy service will be set-up, with
 
  FQDN set to ``proxy.DOMAIN``.
 

	
 
.. warning::
 
   Since it is not possible to set-up separate TLS configuration for *c2s* and
 
   *s2s* connections in Prosody 0.9.x, no hardening of TLS is performed in order
 
   to improve interoperability. This will be changed in Prosody 0.10.x, at which
 
   point hardening can be revisited.
 

	
 
Prosody expects a specific directory structure in LDAP when doing look-ups:
 

	
 
* Prosody will log-in to LDAP as user
roles/xmpp_server/templates/prosody.cfg.lua.j2
 
@@ -44,8 +44,6 @@ allow_registration = false;
 
ssl = {
 
  key = "/etc/ssl/private/{{ ansible_fqdn }}_xmpp.key";
 
  certificate = "/etc/ssl/certs/{{ ansible_fqdn }}_xmpp.pem";
 
  prosody = "tlsv1_2";
 
  ciphers = "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!MD5:!EXPORT;"
 
}
 

	
 
-- Ports on which to have direct TLS/SSL.
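Review bot: With the `prosody` and `ciphers` entries gone, the `ssl` table pins neither a minimum protocol version nor a cipher list, and nothing in the template says this is deliberate; the rationale lives only in docs/rolereference.rst. A comment inside the `ssl = {` table would keep the two in step, e.g. `-- TLS hardening (protocol/cipher restrictions) deliberately omitted: Prosody 0.9.x cannot apply separate TLS settings to c2s and s2s, and strict settings break s2s interoperability. Revisit with Prosody 0.10.x (see rolereference.rst).` Note that the removed line was keyed `prosody` rather than LuaSec's `protocol`, so the TLSv1.2 pin may never have been in effect and the practical change here is mostly the cipher list. It is worth confirming against the Prosody 0.9 defaults now in force that SSLv2/SSLv3 stay disabled; if not, Prosody's `options` list (e.g. `no_sslv3`) can enforce that without touching the cipher set, which is unlikely to affect s2s interoperability.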