I'm using ejabberd on Ubuntu.
My configuration looks like this:
{5269, ejabberd_s2s_in, [
    {shaper, s2s_shaper},
    {max_stanza_size, 131072},
    starttls_required
]},
{5222, ejabberd_c2s, [
    {access, c2s},
    {shaper, c2s_shaper},
    {max_stanza_size, 65536},
    starttls_required,
    starttls, {certfile, "./xmpp.pem"}
]},
{s2s_use_starttls, true}.
{s2s_certfile, "./xmpp.pem"}.
Still, xmpp.net is showing that s2s TLS is not "required" but only "allowed".
In addition, SSLv3 is enabled for c2s and s2s, along with some insecure ciphers like RC4.
How can I disable SSLv3 and RC4, and force starttls on all connections?
Thanks!
Best Answer
Requiring StartTLS:
{s2s_use_starttls, require}.
instead of {s2s_use_starttls, true}.
(keep in mind this will currently make you unable to connect to gmail.com and all domains they host).
Weak ciphers:
See http://www.process-one.net/docs/ejabberd/guide_en.html#sec27. I think this means doing something like adding
{ciphers, "..."}
to the ejabberd_c2s options. Check with openssl ciphers -V '...' to see what ciphers a cipher string will enable.
As far as I can tell, it's not possible to disable SSLv3 without recompiling ejabberd yourself. See some discussion here.
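One way to vet a candidate cipher string before putting it into {ciphers, "..."}, added here as an example and not code from the original answer or from ejabberd: it parses the columns of openssl ciphers -V output (a constructed sample is embedded so it runs offline) and reports suites that use RC4, MD5, null/export-grade encryption or anonymous key exchange. The function names parse_ciphers, weak_reasons, audit and audit_cipher_string are assumptions of this example.

```python
import re
import subprocess

# Constructed sample of `openssl ciphers -V` output for a permissive list
# (assumed format; not captured from the asker's server).
SAMPLE_OUTPUT = """\
0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
0x00,0x2F - AES128-SHA              SSLv3 Kx=RSA  Au=RSA  Enc=AES(128)  Mac=SHA1
0x00,0x05 - RC4-SHA                 SSLv3 Kx=RSA  Au=RSA  Enc=RC4(128)  Mac=SHA1
0x00,0x04 - RC4-MD5                 SSLv3 Kx=RSA  Au=RSA  Enc=RC4(128)  Mac=MD5
0xC0,0x18 - AECDH-AES256-SHA        SSLv3 Kx=ECDH Au=None Enc=AES(256)  Mac=SHA1
0x00,0x0A - DES-CBC3-SHA            SSLv3 Kx=RSA  Au=RSA  Enc=3DES(168) Mac=SHA1
"""

# One -V line: hex suite id, name, protocol, then the Kx/Au/Enc/Mac fields.
LINE_RE = re.compile(
    r"^\s*0x[0-9A-F]{2},0x[0-9A-F]{2}\s+-\s+(\S+)\s+(\S+)\s+"
    r"Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)"
)

def parse_ciphers(output):
    """Parse -V output into dicts; lines that do not match the format are skipped."""
    parsed = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            name, proto, kx, au, enc, mac = m.groups()
            parsed.append({"name": name, "proto": proto, "kx": kx,
                           "au": au, "enc": enc, "mac": mac})
    return parsed

def weak_reasons(c):
    """Reasons a suite should be kept out of the {ciphers, "..."} string, if any."""
    reasons = []
    if c["enc"].startswith("RC4"):
        reasons.append("RC4 stream cipher")
    if c["mac"] == "MD5":
        reasons.append("MD5 MAC")
    if c["enc"] == "None" or c["enc"].startswith("DES(") or "EXP" in c["name"]:
        reasons.append("null, single-DES or export-grade encryption")
    if c["au"] == "None":
        reasons.append("anonymous key exchange (no server authentication)")
    # The protocol column is where the suite was first defined (SSLv3 suites still
    # run under TLS 1.x); it does not show whether SSLv3 itself is enabled.
    return reasons

def audit(output):
    """Map each weak suite name in the -V output to its list of reasons."""
    result = {}
    for c in parse_ciphers(output):
        reasons = weak_reasons(c)
        if reasons:
            result[c["name"]] = reasons
    return result

def audit_cipher_string(cipher_string):
    """Expand a candidate string with the local openssl binary and audit it."""
    proc = subprocess.run(["openssl", "ciphers", "-V", cipher_string],
                          capture_output=True, text=True, check=True)
    return audit(proc.stdout)
```

audit_cipher_string("HIGH:!aNULL:!RC4:!MD5") against a local OpenSSL should come back empty; a non-empty result lists exactly the suites the string still lets through.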