Changeset - 5d6cebe35306
Branko Majic (branko) - 8 years ago 2016-01-24 15:52:52
branko@majic.rs
MAR-49: Implemented TLS hardening for XMPP server role.
2 files changed with 4 insertions and 0 deletions:
0 comments (0 inline, 0 general)
docs/rolereference.rst
 
@@ -655,6 +655,8 @@ The role implements the following:
 
* Deploys XMPP TLS private key and certificate.
 
* Installs Prosody.
 
* Configures Prosody.
 
* Hardens TLS configuration by allowing only TLSv1.2 and PFS ciphers. **Note:**
 
  older clients may have problems connecting.
 
* Configures firewall to allow incoming connections to the XMPP server.
 

	
 
Prosody is configured as follows:
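Review bot: the "older clients may have problems connecting" note in the new bullet should say what is actually being excluded, so an operator reading the role reference can judge the impact before deploying: clients without TLSv1.2 support, and clients that offer no ECDHE/DHE (forward-secret) cipher suites. Suggest rewording along the lines of "**Note:** clients that do not support TLSv1.2 or forward-secret (ECDHE/DHE) cipher suites will be unable to connect." It is also worth stating in the same bullet that the restriction applies to every TLS listener Prosody exposes, not only client connections, if that is the intent of the change.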
roles/xmpp_server/templates/prosody.cfg.lua.j2
 
@@ -44,6 +44,8 @@ allow_registration = false;
 
ssl = {
 
  key = "/etc/ssl/private/{{ xmpp_tls_key | basename }}";
 
  certificate = "/etc/ssl/certs/{{ xmpp_tls_certificate | basename }}";
 
  prosody = "tlsv1_2";
 
  ciphers = "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!MD5:!EXPORT;"
 
}
 

	
 
-- Ports on which to have direct TLS/SSL.
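Review bot: the new line `prosody = "tlsv1_2";` does not set the protocol version; the key Prosody/LuaSec read inside the `ssl` table is `protocol`, so this line is silently ignored and the server keeps accepting whatever protocol versions the default allows, which defeats the stated purpose of the commit. It should read `protocol = "tlsv1_2";`. Separately, the `ciphers` line has the Lua statement terminator inside the string literal (`...:!EXPORT;"`), so the `;` is handed to OpenSSL as part of the cipher list rather than terminating the Lua statement; move it outside the closing quote (`...:!EXPORT";`) and check the resulting list with `openssl ciphers -v '<list>'` before merging, since a cipher string OpenSSL rejects leaves the listener without a usable TLS context. Finally, please add a test or at least a manual verification step (e.g. an `openssl s_client -tls1` connection attempt that must fail) so the hardening is confirmed rather than assumed.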