У меня Prosody работает на моем сервере Ubuntu 14.04 LTS. У меня установлен OpenSSL 1.01f, что подтверждается запуском openssl version
. TLSv1.2 поддерживается и подтверждается запуском openssl ciphers -v 'TLSv1.2'
Я последовал за это руководство для обеспечения прямой секретности.
Несмотря на все это, похоже, что мой сервер Prosody по-прежнему зависает с использованием TLSv1.0, что подтверждается проверкой на Обсерватория XMPP а также выполнив команду openssl s_client -connect mydomain.com:5222 -starttls xmpp < /dev/null
что приводит к соединению TLS1.0.
Добавление protocol = "tlsv1_2";
к моей конфигурации в параметрах SSL приводит к отчету журнала ошибок Prosody "недопустимый протокол".
Вот копия моей конфигурации Prosody:
admins = {"me@mydomain.com"}
modules_enabled = {
-- Generally required
"roster"; -- Allow users to have a roster. Recommended ;)
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
"tls"; -- Add support for secure TLS on c2s/s2s connections
"dialback"; -- s2s dialback support
"disco"; -- Service discovery
"posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
-- Not essential, but recommended
"private"; -- Private XML storage (for room bookmarks, etc.)
"vcard"; -- Allow users to set vCards
-- These are commented by default as they have a performance impact
--"privacy"; -- Support privacy lists
"compression"; -- Stream compression (requires the lua-zlib package installed)
-- Nice to have
"version"; -- Replies to server version requests
"uptime"; -- Report how long server has been running
"time"; -- Let others know the time here on this server
"ping"; -- Replies to XMPP pings with pongs
"pep"; -- Enables users to publish their mood, activity, playing music and more
"register"; -- Allow users to register on this server using a client and change passwords
-- Admin interfaces
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
-- HTTP modules
--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
--"http_files"; -- Serve static files from a directory over HTTP
-- Other specific functionality
--"groups"; -- Shared roster support
--"announce"; -- Send announcement to all online users
--"welcome"; -- Welcome users who register accounts
--"watchregistrations"; -- Alert admins of registrations
--"motd"; -- Send a message to users when they log in
--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
};
modules_disabled = {
-- "offline"; -- Store offline messages
-- "c2s"; -- Handle client connections
-- "s2s"; -- Handle server-to-server connections
};
allow_registration = false;
ssl = {
key = "/etc/prosody/certs/localhost.key";
certificate = "/etc/prosody/certs/localhost.crt";
}
c2s_require_encryption = true
s2s_require_encryption = true
s2s_secure_auth = true
pidfile = "/var/run/prosody/prosody.pid"
authentication = "internal_plain"
log = {
info = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for verbose logging
error = "/var/log/prosody/prosody.err";
"*syslog";
}
VirtualHost "mydomain.com"
ssl = {
key = "/etc/letsencrypt/archive/mydomain.com/privkey3.pem";
certificate = "/etc/letsencrypt/archive/mydomain.com/fullchain3.pem";
cafile = "/etc/ssl/certs/ca-certificates.crt";
ciphers="EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4";
dhparam = "/etc/pki/tls/dh-2048.pem";
}
Component "conference.mydomain.com" "muc"
Component "proxy.mydomain.com" "proxy65"