majic-ansible-roles Changeset

Changeset - 52c4a4001c46

Parent rev.

Child rev.

[Not reviewed]

0 7 0

Branko Majic (branko) - 5 years ago 2020-10-01 21:08:08
branko@majic.rs

MAR-164: Harden the c2s TLS configuration for the XMPP server role:

- Updated the xmpp_server role.
- Added (optional) xmpp_server_tls_protocol and
xmpp_server_tls_ciphers parameters for specifying the desired
TLS protocol version and ciphers for the c2s connections.
- Updated XMPP server configuration to introduce separate TLS
configuration for the s2s and c2s (legacy included) connections.
- Drop support for Prosody 0.9 since it is not possible to have
separate TLS configuration for c2s and s2s connections.
- Updated role reference documentation.

7 files changed with 206 insertions and 12 deletions:

docs/rolereference.rst

roles/xmpp_server/defaults/main.yml

roles/xmpp_server/molecule/default/group_vars/parameters-optional.yml

roles/xmpp_server/molecule/default/prepare.yml

roles/xmpp_server/molecule/default/tests/test_mandatory.py

roles/xmpp_server/molecule/default/tests/test_optional.py

roles/xmpp_server/templates/prosody.cfg.lua.j2

0 comments (0 inline, 0 general)

docs/rolereference.rst

➞

Show inline comments

       by self write
       by dn="cn=admin,dc=example,dc=com" write
       by users read
       by * none
   ldap_entries:
     - dn: ou=people,dc=example,dc=com
       attributes:
         objectClass: organizationalUnit
         ou: people
     - dn: ou=groups,dc=example,dc=com
       attributes:
         objectClass: organizationalUnit
         ou: groups
     - dn: uid=john,dc=example,dc=com
       attributes:
         objectClass:
           - inetOrgPerson
           - simpleSecurityObject
         userPassword: somepassword
         uid: john
         cn: John Doe
         sn: Doe
 XMPP Server
 -----------
 The ``xmpp_server`` role can be used for setting-up Prosody, an XMPP server, on
 destination machine.
 The role implements the following:
 * Sets-up the Prosody apt repository.
 * Deploys XMPP TLS private key and certificate.
 * Installs Prosody.
 * Configures Prosody.
 * Configures firewall to allow incoming connections to the XMPP server.
 Prosody is configured as follows:
 * Modules enabled: roster, saslauth, tls, dialback, posix, private, vcard,
   version, uptime, time, ping, pep, register, admin_adhoc, announce, legacyauth.
 * Self-registration is not allowed.
 * TLS is configured. Legacy TLS is available on port 5223.
 * Client-to-server communication requires encryption (TLS).
 * Uses 2048-bit Diffie-Hellman parameters for relevant TLS ciphers for
   incoming connections.
 * Configures TLS versions and ciphers supported by Prosody (for
   *c2s*/client connections only).
 * Authentication is done via LDAP. For setting the LDAP TLS truststore, see
   :ref:`LDAP Client <ldap_client>`.
 * Internal storage is used.
 * For each domain specified, a dedicated conference/multi-user chat (MUC)
   service is set-up, with FQDN set to ``conference.DOMAIN``.
 * For each domain specified, a dedicated file proxy service will be set-up, with
   FQDN set to ``proxy.DOMAIN``.
 .. warning::
    Since it is not possible to set-up separate TLS configuration for *c2s* and
    *s2s* connections in Prosody 0.9.x, no hardening of TLS is performed in order
    to improve interoperability. This will be changed in Prosody 0.10.x, at which
    point hardening can be revisited.
 Prosody expects a specific directory structure in LDAP when doing look-ups:
 * Prosody will log-in to LDAP as user
   ``cn=prosody,ou=services,XMPP_LDAP_BASE_DN``.
 * User entries are read from sub-tree (first-level only)
   ``ou=people,XMPP_LDAP_BASE_DN``. Query filter used for finding users is
   ``(&(mail=$user@$host)(memberOf=cn=xmpp,ou=groups,XMPP_LDAP_BASE_DN))``. This
   allows group-based granting of XMPP service to users.
 LDIF Templates
 ~~~~~~~~~~~~~~
 For adding user to a group, use::
   dn: cn=xmpp,ou=groups,BASE_DN
   changetype: modify
   add: uniqueMember
   uniqueMember: uid=USERNAME,ou=people,BASE_DN
 Role dependencies
 ~~~~~~~~~~~~~~~~~
 Depends on the following roles:
 * **common**
 * **backup_client**
 Backups
 ~~~~~~~
 If the backup for this role has been enabled, the following paths are backed-up:
 **/var/lib/prosody/**
   Roster information, as well as undelivered (offline) messages for all XMPP
   users. Keep in mind that list of available users and their credentials are
   stored in the LDAP directory (which is backed-up via LDAP server role).
 Parameters
 ~~~~~~~~~~
 **xmpp_administrators** (list, mandatory)
   List of Prosody users that should be granted administrator privileges over
   Prosody. Each item is a string with value equal to XMPP user ID
   (i.e. ``john.doe@example.com``).
 **xmpp_domains** (list, optional, ``{{ ansible_domain }}``)
   List of domains that are served by this Prosody instance. Each item is a
   string specifying a domain.
 **xmpp_ldap_base_dn** (string, mandatory)
   Base DN on the LDAP server. A specific directory structure is expected under
   this entry (as explained above) in order to locate the available domains,
   users, aliases etc.
 **xmpp_ldap_password** (string, mandatory)
   Password used for authenticating to the LDAP server.
 **xmpp_ldap_server** (string, mandatory)
   Fully qualified domain name, hostname, or IP address of the LDAP server used
   for user authentication and listing.
 **xmpp_prosody_package** (string, optional, ``prosody-0.10``)
   Name of Prosody package from the Prosody repositories to
   install. This makes it possible to easily test the latest Prosody or
   to switch to a different nightly builds. It should be noted that
   only the default version is getting properly tested.
   to switch to a different nightly build. It should be noted that
   only the default version is getting properly tested. Prosody
   versions lower than ``0.10.x`` are not supported.
 **xmpp_server_tls_ciphers** (string, optional ``DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:!aNULL:!MD5:!EXPORT``)
   TLS ciphers to enable on the XMPP server. This should be an
   OpenSSL-compatible cipher specification. Value should be compatible
   with Prosody's option ``ciphers`` normally defined within the
   ``ssl`` section of configuration file (see `official documentation
   <https://prosody.im/doc/advanced_ssl_config#ciphers>`_ for details).
   Default value allows only TLSv1.2 and strong PFS ciphers with RSA
   private keys.
 **xmpp_server_tls_protocol** (string, optional, ``tlsv1_2+``)
   Protocol version the XMPP server should support for client
   connections. The value specified should be compatible with Prosody's
   ``protocol`` option normally defined within the ``ssl`` section of
   configuration file (see `official documentation
   <https://prosody.im/doc/advanced_ssl_config#protocol>`_ for
   details).
 **xmpp_tls_certificate** (string, mandatory)
   X.509 certificate used for TLS for XMPP service. The file will be stored in
   directory ``/etc/ssl/certs/`` under name ``{{ ansible_fqdn }}_xmpp.pem``.
 **xmpp_tls_key** (string, mandatory)
   Private key used for TLS for XMPP service. The file will be stored in
   directory ``/etc/ssl/private/`` under name ``{{ ansible_fqdn }}_xmpp.key``.
 Distribution compatibility
 ~~~~~~~~~~~~~~~~~~~~~~~~~~
 Role is compatible with the following distributions:
 - Debian 9 (Stretch)
 Examples
 ~~~~~~~~
 Here is an example configuration for setting-up XMPP server using Prosody:
 .. code-block:: yaml
   ---
   xmpp_administrators:
     - john.doe@example.com
   xmpp_domains:
     - example.com
   xmpp_ldap_base_dn: dc=example,dc=com
   xmpp_ldap_password: xmpp
   xmpp_ldap_server: ldap.example.com
   # These are default key and certificate that generated during Prosody
   # installation. Possibly you want to deploy your own.
   xmpp_tls_key: "{{ lookup('file', '/etc/prosody/certs/localhost.key') }}"
   xmpp_tls_certificate: "{{ lookup('file', '/etc/prosody/certs/localhost.crt') }}"
 Mail Server
 -----------
 .. warning::
    It may happen that the ``clamav-freshclam`` service hasn't finished
    downloading the virus database before the ``clamav-daemon`` and
    ``clamav-milter`` services are enabled during the initial run. If mail server
    is not operational, you may need to wait for a little while for download to

roles/xmpp_server/defaults/main.yml

➞

Show inline comments

 ---
 enable_backup: false
 xmpp_domains:
   - "{{ ansible_domain }}"
 xmpp_prosody_package: "prosody-0.10"
 xmpp_server_tls_protocol: "tlsv1_2+"
 xmpp_server_tls_ciphers: "\
 DHE-RSA-AES128-GCM-SHA256:\
 DHE-RSA-AES256-GCM-SHA384:\
 DHE-RSA-CHACHA20-POLY1305:\
 ECDHE-RSA-AES128-GCM-SHA256:\
 ECDHE-RSA-AES256-GCM-SHA384:\
 ECDHE-RSA-CHACHA20-POLY1305:\
 !aNULL:!MD5:!EXPORT"

roles/xmpp_server/molecule/default/group_vars/parameters-optional.yml

➞

Show inline comments

 ---
 xmpp_administrators:
   - jane.doe@domain2
   - mick.doe@domain3
 xmpp_domains:
   - domain2
   - domain3
 xmpp_ldap_base_dn: dc=local
 xmpp_ldap_password: prosodypassword
 xmpp_ldap_server: ldap-server
-xmpp_prosody_package: prosody-0.9
+xmpp_prosody_package: prosody-0.10
 xmpp_tls_certificate: "{{ lookup('file', 'tests/data/x509/server/{{ inventory_hostname }}_xmpp.cert.pem') }}"
 xmpp_tls_key: "{{ lookup('file', 'tests/data/x509/server/{{ inventory_hostname }}_xmpp.key.pem') }}"
 xmpp_server_tls_protocol: "tlsv1+"
 xmpp_server_tls_ciphers: "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:\
 DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:\
 ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:!aNULL:!MD5:!EXPORT"
 # common
 ca_certificates:
   testca: "{{ lookup('file', 'tests/data/x509/ca/level1.cert.pem') }}"
 # backup_client
 enable_backup: true
 backup_client_username: "bak-parameters-optional-{{ ansible_distribution_release }}"
 backup_encryption_key: "{{ lookup('file', 'tests/data/gnupg/parameters-optional.asc') }}"
 backup_server: backup-server
 backup_server_host_ssh_public_keys:
   - "{{ lookup('file', 'tests/data/ssh/server_rsa.pub') }}"
   - "{{ lookup('file', 'tests/data/ssh/server_ed25519.pub') }}"
   - "{{ lookup('file', 'tests/data/ssh/server_ecdsa.pub') }}"
 backup_ssh_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional' ) }}"

roles/xmpp_server/molecule/default/prepare.yml

➞

Show inline comments

@@ @@ -13,99 +13,107 @@ @@
         chdir: "tests/data/"
     - name: Generate server private keys and certificates
       command:
       args:
         chdir: "tests/data/"
         creates: ".gimmecert/server/{{ item.name }}.cert.pem"
         argv: "{{ ['gimmecert', 'server', item.name] + item.fqdn }}"
       with_items:
         - name: ldap-server_ldap
           fqdn:
             - ldap-server
         - name: parameters-mandatory-stretch64.domain1_xmpp
           fqdn:
             - parameters-mandatory
             - domain1
         - name: parameters-optional-stretch64_xmpp
           fqdn:
             - parameters-optional
             - domain2
             - domain3
     - name: Set-up link to generated X.509 material
       file:
         src: ".gimmecert"
         dest: "tests/data/x509"
         state: link
 - name: Prepare
   hosts: all
   gather_facts: false
   tasks:
     - name: Install python for Ansible
       raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-minimal)
       become: true
       changed_when: false
 - hosts: all
   become: true
   tasks:
     - name: Update all caches to avoid errors due to missing remote archives
       apt:
         update_cache: true
       changed_when: false
     - name: Install tools for testing
       apt:
         name: gnutls-bin
         name:
           - gnutls-bin
           - nmap
         state: present
     - name: Use name provided via CLI when running STARTTLS handshake for XMPP via nmap
       replace:
         path: "/usr/share/nmap/nselib/sslcert.lua"
         regexp: "host\\.name\\)"
         replace: "host.targetname)"
 - hosts: stretch
   become: true
   tasks:
     - name: Set-up the hosts file
       lineinfile:
         path: /etc/hosts
         regexp: "^{{ item.key }}"
         line: "{{ item.key }} {{ item.value }}"
         owner: root
         group: root
         mode: 0644
         state: present
       with_dict:
 .31.127.10: "ldap-server backup-server"
 .31.127.21: "client-stretch"
 .31.127.32: "parameters-mandatory domain1 proxy.domain1 conference.domain1"
 .31.127.33: "parameters-optional domain2 proxy.domain2 conference.domain2 domain3 proxy.domain3 conference.domain3"
 - hosts: clients
   become: true
   tasks:
     - name: Install tool for testing TCP connectivity
       apt:
         name: hping3
         state: present
     - name: Deploy CA certificate
       copy:
         src: tests/data/x509/ca/level1.cert.pem
         dest: /usr/local/share/ca-certificates/testca.crt
         owner: root
         group: root
         mode: 0644
       notify:
         - Update CA certificate cache
     - name: Install console-based XMPP client (for interactive testing)
       apt:
         name: mcabber
         state: present
     - name: Install console-based XMPP tool (for non-interactive testing)
       apt:
         name: sendxmpp
         state: present

roles/xmpp_server/molecule/default/tests/test_mandatory.py

➞

Show inline comments

 import os
 import defusedxml.ElementTree as ElementTree
 import pytest
 import testinfra.utils.ansible_runner
 testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
     os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('parameters-mandatory')
 def test_certificate_validity_check_configuration(host):
     """
     Tests if certificate validity check configuration file has been deployed
     correctly.
     """
     hostname = host.run('hostname').stdout.strip()
     config = host.file('/etc/check_certificate/%s.domain1_xmpp.conf' % hostname)
     assert config.is_file
     assert config.user == 'root'
     assert config.group == 'root'
     assert config.mode == 0o644
     assert config.content_string == "/etc/ssl/certs/%s.domain1_xmpp.pem" % hostname
 def test_prosody_configuration_file_content(host):
     """
     Tests if Prosody configuration file has correct content.
     """
     hostname = host.run('hostname').stdout.strip()
     with host.sudo():
         config = host.file('/etc/prosody/prosody.cfg.lua')
         assert "admins = { \"john.doe@domain1\",  }" in config.content_string
         assert "key = \"/etc/ssl/private/%s.domain1_xmpp.key\";" % hostname in config.content_string
         assert "certificate = \"/etc/ssl/certs/%s.domain1_xmpp.pem\";" % hostname in config.content_string
         assert "ldap_server = \"ldap-server\"" in config.content_string
         assert "ldap_rootdn = \"cn=prosody,ou=services,dc=local\"" in config.content_string
         assert "ldap_password = \"prosodypassword\"" in config.content_string
         assert "ldap_filter = \"(&(mail=$user@$host)(memberOf=cn=xmpp,ou=groups,dc=local))\"" in config.content_string
         assert "ldap_base = \"ou=people,dc=local\"" in config.content_string
         assert """VirtualHost "domain1"
 Component "conference.domain1" "muc"
   restrict_room_creation = "local"
 Component "proxy.domain1" "proxy65"
   proxy65_acl = { "domain1" }""" in config.content_string
 def test_correct_prosody_package_installed(host):
     """
     Tests if correct Prosody package has been installed.
     """
     assert host.package('prosody-0.10').is_installed
 def test_xmpp_server_uses_correct_dh_parameters(host):
     """
     Tests if the HTTP server uses the generated Diffie-Hellman parameter.
     """
     fqdn = host.run('hostname -f').stdout.strip()
     with host.sudo():
         expected_dhparam = host.file('/etc/ssl/private/%s_xmpp.dh.pem' % fqdn).content_string.rstrip()
     connection = host.run("gnutls-cli --no-ca-verification --starttls-proto=xmpp --port 5222 "
                           "--priority 'NONE:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA384:+DHE-RSA:+SHA384:+AEAD:+AES-256-GCM' --verbose domain1")
     output = connection.stdout
     begin_marker = "-----BEGIN DH PARAMETERS-----"
     end_marker = "-----END DH PARAMETERS-----"
     used_dhparam = output[output.find(begin_marker):output.find(end_marker) + len(end_marker)]
     assert used_dhparam == expected_dhparam
 def test_tls_connectivity(host):
     """
     Tests if it is possible to connect to the XMPP server using
     STARTTLS/TLS.
     """
     starttls = host.run('echo "test" | openssl s_client -quiet -starttls xmpp -xmpphost domain1 -connect localhost:5222')
     assert starttls.rc == 0
     assert 'jabber:client' in starttls.stdout
     assert 'not-well-formed' in starttls.stdout
     tls = host.run('echo "test" | openssl s_client -quiet -connect domain1:5223')
     assert tls.rc == 0
     assert 'jabber:client' in starttls.stdout
     assert 'not-well-formed' in starttls.stdout
     s2s = host.run('echo "test" | openssl s_client -quiet -starttls xmpp-server -xmpphost domain1 -connect localhost:5222')
     assert s2s.rc == 0
     assert 'jabber:client' in s2s.stdout
     assert 'not-well-formed' in s2s.stdout
 @pytest.mark.parametrize("port", [
 ,
 ])
 def test_xmpp_c2s_tls_version_and_ciphers(host, port):
     """
     Tests if the correct TLS version and ciphers have been enabled for
     XMPP C2S ports.
     """
     expected_tls_versions = ["TLSv1.2"]
     expected_tls_ciphers = [
         "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
         "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
         "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
         "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
         "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
         "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+    ]
     # Run the nmap scanner against the server, and fetch the results.
     nmap = host.run("nmap -sV --script ssl-enum-ciphers -p %s domain1 -oX /tmp/report.xml", str(port))
     assert nmap.rc == 0
     report_content = host.file('/tmp/report.xml').content_string
     report_root = ElementTree.fromstring(report_content)
     tls_versions = []
     tls_ciphers = set()
     for child in report_root.findall("./host/ports/port/script[@id='ssl-enum-ciphers']/table"):
         tls_versions.append(child.attrib['key'])
     for child in report_root.findall(".//table[@key='ciphers']/table/elem[@key='name']"):
         tls_ciphers.add(child.text)
     tls_versions.sort()
     tls_ciphers = sorted(list(tls_ciphers))
     assert tls_versions == expected_tls_versions
     assert tls_ciphers == expected_tls_ciphers

roles/xmpp_server/molecule/default/tests/test_optional.py

➞

Show inline comments

 import os
 import defusedxml.ElementTree as ElementTree
 import pytest
 import testinfra.utils.ansible_runner
 testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
     os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('parameters-optional')
 def test_certificate_validity_check_configuration(host):
     """
     Tests if certificate validity check configuration file has been deployed
     correctly.
     """
     hostname = host.run('hostname').stdout.strip()
     config = host.file('/etc/check_certificate/%s_xmpp.conf' % hostname)
     assert config.is_file
     assert config.user == 'root'
     assert config.group == 'root'
     assert config.mode == 0o644
     assert config.content_string == "/etc/ssl/certs/%s_xmpp.pem" % hostname
 def test_prosody_configuration_file_content(host):
     """
     Tests if Prosody configuration file has correct content.
     """
     hostname = host.run('hostname').stdout.strip()
     with host.sudo():
         config = host.file('/etc/prosody/prosody.cfg.lua')
         assert "admins = { \"jane.doe@domain2\", \"mick.doe@domain3\",  }" in config.content_string
         assert "key = \"/etc/ssl/private/%s_xmpp.key\";" % hostname in config.content_string
         assert "certificate = \"/etc/ssl/certs/%s_xmpp.pem\";" % hostname in config.content_string
         assert "ldap_server = \"ldap-server\"" in config.content_string
         assert "ldap_rootdn = \"cn=prosody,ou=services,dc=local\"" in config.content_string
         assert "ldap_password = \"prosodypassword\"" in config.content_string
         assert "ldap_filter = \"(&(mail=$user@$host)(memberOf=cn=xmpp,ou=groups,dc=local))\"" in config.content_string
         assert "ldap_base = \"ou=people,dc=local\"" in config.content_string
         assert """VirtualHost "domain2"
 Component "conference.domain2" "muc"
   restrict_room_creation = "local"
 Component "proxy.domain2" "proxy65"
   proxy65_acl = { "domain2" }""" in config.content_string
         assert """VirtualHost "domain3"
 Component "conference.domain3" "muc"
   restrict_room_creation = "local"
 Component "proxy.domain3" "proxy65"
   proxy65_acl = { "domain3" }""" in config.content_string
 def test_correct_prosody_package_installed(host):
     """
     Tests if correct Prosody package has been installed.
     """
-    assert host.package('prosody-0.9').is_installed
+    assert host.package('prosody-0.10').is_installed
 def test_xmpp_server_uses_correct_dh_parameters(host):
     """
     Tests if the HTTP server uses the generated Diffie-Hellman parameter.
     """
     fqdn = host.run('hostname -f').stdout.strip()
     with host.sudo():
         expected_dhparam = host.file('/etc/ssl/private/%s_xmpp.dh.pem' % fqdn).content_string.rstrip()
     connection = host.run("gnutls-cli --no-ca-verification --starttls-proto=xmpp --port 5222 "
                           "--priority 'NONE:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA384:+DHE-RSA:+SHA384:+AEAD:+AES-256-GCM' --verbose domain2")
     output = connection.stdout
     begin_marker = "-----BEGIN DH PARAMETERS-----"
     end_marker = "-----END DH PARAMETERS-----"
     used_dhparam = output[output.find(begin_marker):output.find(end_marker) + len(end_marker)]
     assert used_dhparam == expected_dhparam
 def test_tls_connectivity(host):
     """
     Tests if it is possible to connect to the XMPP server using
     STARTTLS/TLS.
     """
     starttls = host.run('echo "test" | openssl s_client -quiet -starttls xmpp -xmpphost domain2 -connect localhost:5222')
     assert starttls.rc == 0
     assert 'jabber:client' in starttls.stdout
     assert 'not-well-formed' in starttls.stdout
     tls = host.run('echo "test" | openssl s_client -quiet -connect domain2:5223')
     assert tls.rc == 0
     assert 'jabber:client' in starttls.stdout
     assert 'not-well-formed' in starttls.stdout
     s2s = host.run('echo "test" | openssl s_client -quiet -starttls xmpp-server -xmpphost domain2 -connect localhost:5222')
     assert s2s.rc == 0
     assert 'jabber:client' in s2s.stdout
     assert 'not-well-formed' in s2s.stdout
 @pytest.mark.parametrize("port", [
 ,
 ])
 def test_xmpp_c2s_tls_version_and_ciphers(host, port):
     """
     Tests if the correct TLS version and ciphers have been enabled for
     XMPP C2S ports.
     """
     expected_tls_versions = ["TLSv1.0", "TLSv1.1", "TLSv1.2"]
     expected_tls_ciphers = [
         "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
         "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
         "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
         "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
         "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
         "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
         "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
         "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
         "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+    ]
     # Run the nmap scanner against the server, and fetch the results.
     nmap = host.run("nmap -sV --script ssl-enum-ciphers -p %s domain2 -oX /tmp/report.xml", str(port))
     assert nmap.rc == 0
     report_content = host.file('/tmp/report.xml').content_string
     report_root = ElementTree.fromstring(report_content)
     tls_versions = []
     tls_ciphers = set()
     for child in report_root.findall("./host/ports/port/script[@id='ssl-enum-ciphers']/table"):
         tls_versions.append(child.attrib['key'])
     for child in report_root.findall(".//table[@key='ciphers']/table/elem[@key='name']"):
         tls_ciphers.add(child.text)
     tls_versions.sort()
     tls_ciphers = sorted(list(tls_ciphers))
     assert tls_versions == expected_tls_versions
     assert tls_ciphers == expected_tls_ciphers

roles/xmpp_server/templates/prosody.cfg.lua.j2

➞

Show inline comments

 -- Additional paths to search for modules.
 plugin_paths = { "/usr/local/lib/prosody/modules/" }
 -- List of server administrators.
 admins = { {% for admin in xmpp_administrators %}"{{ admin }}", {% endfor %} }
 -- List of modules to load on startup.
 modules_enabled = {
   -- Generally required
     "roster"; -- Allow users to have a roster. Recommended ;)
     "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
     "tls"; -- Add support for secure TLS on c2s/s2s connections
     "dialback"; -- s2s dialback support
     "disco"; -- Service discovery
     "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
   -- Not essential, but recommended
     "private"; -- Private XML storage (for room bookmarks, etc.)
     "vcard"; -- Allow users to set vCards
   -- Nice to have
     "version"; -- Replies to server version requests
     "uptime"; -- Report how long server has been running
     "time"; -- Let others know the time here on this server
     "ping"; -- Replies to XMPP pings with pongs
     "pep"; -- Enables users to publish their mood, activity, playing music and more
     "register"; -- Allow users to register on this server using a client and change passwords
   -- Admin interfaces
     "admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
   -- Other specific functionality
     "announce"; -- Send announcement to all online users
     "legacyauth"; -- Allow legacy authentication and SSL
 };
 -- Disable account creation by default, for security
 -- For more information see http://prosody.im/doc/creating_accounts
 allow_registration = false;
 -- These are the SSL/TLS-related settings. If you don't want
 -- to use SSL/TLS, you may comment or remove this
-ssl = {
+s2s_ssl = {
   key = "/etc/ssl/private/{{ ansible_fqdn }}_xmpp.key";
   certificate = "/etc/ssl/certs/{{ ansible_fqdn }}_xmpp.pem";
   dhparam = "/etc/ssl/private/{{ ansible_fqdn }}_xmpp.dh.pem";
+}
 c2s_ssl = {
   key = "/etc/ssl/private/{{ ansible_fqdn }}_xmpp.key";
   certificate = "/etc/ssl/certs/{{ ansible_fqdn }}_xmpp.pem";
   dhparam = "/etc/ssl/private/{{ ansible_fqdn }}_xmpp.dh.pem";
   protocol = "{{ xmpp_server_tls_protocol }}";
   ciphers = "{{ xmpp_server_tls_ciphers }}";
+}
 legacy_ssl_ssl = {
   key = "/etc/ssl/private/{{ ansible_fqdn }}_xmpp.key";
   certificate = "/etc/ssl/certs/{{ ansible_fqdn }}_xmpp.pem";
   dhparam = "/etc/ssl/private/{{ ansible_fqdn }}_xmpp.dh.pem";
   protocol = "{{ xmpp_server_tls_protocol }}";
   ciphers = "{{ xmpp_server_tls_ciphers }}";
+}
 -- Ports on which to have direct TLS/SSL.
 legacy_ssl_ports = { 5223 }
 -- Force clients to use encrypted connection.
 c2s_require_encryption = true
 -- Disable certificate validation for server-to-server connections.
 s2s_secure_auth = false
 -- Path to Prosody's PID file.
 pidfile = "/run/prosody/prosody.pid"
 -- Authentication backend.
 authentication = "ldap"
 ldap_server = "{{ xmpp_ldap_server }}"
 ldap_rootdn = "cn=prosody,ou=services,{{ xmpp_ldap_base_dn }}"
 ldap_password = "{{ xmpp_ldap_password }}"
 ldap_filter = "(&(mail=$user@$host)(memberOf=cn=xmpp,ou=groups,{{xmpp_ldap_base_dn}}))"
 ldap_scope = "onelevel"
 ldap_tls = true
 ldap_base = "ou=people,{{ xmpp_ldap_base_dn }}"
 -- Storage backend.
 storage = "internal"
 -- Logging configuration.
 log = {
   info = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for verbose logging
   error = "/var/log/prosody/prosody.err";
   "*syslog";
+}
 -- Domains which should be handled by Prosody, with dedicated MUC and file
 -- proxying components.
 {% for domain in xmpp_domains -%}
 VirtualHost "{{ domain }}"
 Component "conference.{{ domain }}" "muc"
   restrict_room_creation = "local"
 Component "proxy.{{ domain }}" "proxy65"
   proxy65_acl = { "{{ domain }}" }
 {% endfor -%}

0 comments (0 inline, 0 general)