majic-ansible-roles Changeset

Changeset - 32c666acf83a

Parent rev.

Child rev.

[Not reviewed]

0 2 0

Branko Majic (branko) - 8 years ago 2016-08-29 23:00:33
branko@majic.rs

MAR-64: Removed TLS hardening from xmpp_server role in order to avoid incompatibilities during s2s communication.

2 files changed with 6 insertions and 3 deletions:

docs/rolereference.rst

roles/xmpp_server/templates/prosody.cfg.lua.j2

0 comments (0 inline, 0 general)

docs/rolereference.rst

➞

Show inline comments

@@ @@ -702,22 +702,27 @@ The role implements the following: @@
 Prosody is configured as follows:
 * Modules enabled: roster, saslauth, tls, dialback, posix, private, vcard,
   version, uptime, time, ping, pep, register, admin_adhoc, announce, legacyauth.
 * Self-registration is not allowed.
 * TLS is configured. Legacy TLS is available on port 5223.
 * TLS configuration is hardened, allowing only TLSv1.2 and PFS ciphers.
 * Client-to-server communication requires encryption (TLS).
 * Authentication is done via LDAP. For setting the LDAP TLS truststore, see
   :ref:`LDAP Client <ldap_client>`.
 * Internal storage is used.
 * For each domain specified, a dedicated conference/multi-user chat (MUC)
   service is set-up, with FQDN set to ``conference.DOMAIN``.
 * For each domain specified, a dedicated file proxy service will be set-up, with
   FQDN set to ``proxy.DOMAIN``.
 .. warning::
    Since it is not possible to set-up separate TLS configuration for *c2s* and
    *s2s* connections in Prosody 0.9.x, no hardening of TLS is performed in order
    to improve interoperability. This will be changed in Prosody 0.10.x, at which
    point hardening can be revisited.
 Prosody expects a specific directory structure in LDAP when doing look-ups:
 * Prosody will log-in to LDAP as user
   ``cn=prosody,ou=services,XMPP_LDAP_BASE_DN``.
 * User entries are read from sub-tree (first-level only)
   ``ou=people,XMPP_LDAP_BASE_DN``. Query filter used for finding users is

roles/xmpp_server/templates/prosody.cfg.lua.j2

➞

Show inline comments

@@ @@ -41,14 +41,12 @@ allow_registration = false; @@
 -- These are the SSL/TLS-related settings. If you don't want
 -- to use SSL/TLS, you may comment or remove this
 ssl = {
   key = "/etc/ssl/private/{{ ansible_fqdn }}_xmpp.key";
   certificate = "/etc/ssl/certs/{{ ansible_fqdn }}_xmpp.pem";
   prosody = "tlsv1_2";
   ciphers = "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!MD5:!EXPORT;"
+}
 -- Ports on which to have direct TLS/SSL.
 legacy_ssl_ports = { 5223 }
 -- Force clients to use encrypted connection.

0 comments (0 inline, 0 general)