Eu tenho o Prosody em execução no meu servidor Ubuntu 14.04 LTS. Eu tenho o OpenSSL 1.01f instalado, o que é confirmado executando `openssl version`.
O TLSv1.2 é suportado, o que é confirmado executando `openssl ciphers -v 'TLSv1.2'`.
Eu segui este guia para ativar o sigilo de encaminhamento (forward secrecy).
Apesar de tudo isso, parece que meu servidor Prosody ainda está preso ao TLSv1.0, o que é confirmado pela verificação no Observatório XMPP e também executando o comando `openssl s_client -connect mydomain.com:5222 -starttls xmpp < /dev/null`,
que resulta em uma conexão TLS 1.0.
Adicionar `protocol = "tlsv1_2";`
às opções SSL da minha configuração faz com que o Prosody registre o erro "protocolo inválido" no log.
Aqui está uma cópia da minha configuração do Prosody:
-- Prosody configuration as pasted in the question. Prosody loads this file as a Lua chunk;
-- everything above the first VirtualHost line is the global section and applies to every
-- host unless that host sets the same option itself.
admins = {"[email protected]"}
modules_enabled = {
-- Generally required
"roster"; -- Allow users to have a roster. Recommended ;)
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
"tls"; -- Add support for secure TLS on c2s/s2s connections
"dialback"; -- s2s dialback support
"disco"; -- Service discovery
"posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
-- Not essential, but recommended
"private"; -- Private XML storage (for room bookmarks, etc.)
"vcard"; -- Allow users to set vCards
-- These are commented by default as they have a performance impact
--"privacy"; -- Support privacy lists
"compression"; -- Stream compression (requires the lua-zlib package installed)
-- Nice to have
"version"; -- Replies to server version requests
"uptime"; -- Report how long server has been running
"time"; -- Let others know the time here on this server
"ping"; -- Replies to XMPP pings with pongs
"pep"; -- Enables users to publish their mood, activity, playing music and more
"register"; -- Allow users to register on this server using a client and change passwords
-- Admin interfaces
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
-- HTTP modules
--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
--"http_files"; -- Serve static files from a directory over HTTP
-- Other specific functionality
--"groups"; -- Shared roster support
--"announce"; -- Send announcement to all online users
--"welcome"; -- Welcome users who register accounts
--"watchregistrations"; -- Alert admins of registrations
--"motd"; -- Send a message to users when they log in
--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
};
modules_disabled = {
-- "offline"; -- Store offline messages
-- "c2s"; -- Handle client connections
-- "s2s"; -- Handle server-to-server connections
};
allow_registration = false; -- "register" is loaded above, but in-band account creation is switched off here
-- Global TLS settings: only a key and certificate, no cipher list and no "protocol" key.
-- The VirtualHost below carries its own ssl table, which takes precedence for mydomain.com;
-- anything not covered by a host-level ssl table is left to the TLS library's defaults.
ssl = {
key = "/etc/prosody/certs/localhost.key";
certificate = "/etc/prosody/certs/localhost.crt";
}
c2s_require_encryption = true -- clients must negotiate TLS before they may authenticate
s2s_require_encryption = true -- server-to-server links must be encrypted
s2s_secure_auth = true -- s2s peers must present a certificate Prosody can verify
pidfile = "/var/run/prosody/prosody.pid"
-- NOTE(review): "internal_plain" keeps account passwords unhashed in the datastore;
-- "internal_hashed" is the provider that stores a salted hash instead.
authentication = "internal_plain"
log = {
info = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for verbose logging
error = "/var/log/prosody/prosody.err";
"*syslog";
}
VirtualHost "mydomain.com"
-- Host-level TLS settings for mydomain.com; these take precedence over the global ssl table above.
ssl = {
key = "/etc/letsencrypt/archive/mydomain.com/privkey3.pem";
certificate = "/etc/letsencrypt/archive/mydomain.com/fullchain3.pem";
cafile = "/etc/ssl/certs/ca-certificates.crt";
-- Cipher string: "EECDH+aRSA+RC4" is listed early, but the trailing "!RC4" removes every RC4
-- suite permanently, so that entry contributes nothing. No "protocol" key is present, so the
-- TLS version negotiated is whatever the installed LuaSec/OpenSSL pair defaults to; the set of
-- values LuaSec accepts for "protocol" depends on its version, and the "invalid protocol" error
-- described in the question suggests the installed one does not recognise "tlsv1_2" -- TODO confirm
-- against the LuaSec version on the host.
ciphers="EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4";
dhparam = "/etc/pki/tls/dh-2048.pem"; -- DH parameters used by the EDH+aRSA suites in the list above
}
Component "conference.mydomain.com" "muc" -- multi-user chat rooms
Component "proxy.mydomain.com" "proxy65" -- SOCKS5 bytestreams proxy for file transfers