
I'm using ejabberd on Ubuntu. My configuration looks like this:

  {5269, ejabberd_s2s_in, [
      {shaper, s2s_shaper},
      {max_stanza_size, 131072},
      starttls_required
  ]},
  {5222, ejabberd_c2s, [
      {access, c2s},
      {shaper, c2s_shaper},
      {max_stanza_size, 65536},
      starttls_required,
      starttls, {certfile, "./xmpp.pem"}
  ]},
  {s2s_use_starttls, true}.
  {s2s_certfile, "./xmpp.pem"}.

Still, xmpp.net shows that s2s TLS is not "required" but only "allowed". In addition, SSLv3 is enabled for both c2s and s2s, as are some insecure ciphers like RC4.

How can I disable SSLv3 and RC4, and force starttls on all connections?

Thanks!

pythonimus

2 Answers

This is an old question, but I wanted to add an updated answer for anyone who finds this while using a more modern version of ejabberd (14.12 at the time of writing). The following options (in the new YAML configuration format) should make STARTTLS required, change the cipher list to something decent, and disable legacy SSL support for s2s connections:

s2s_use_starttls: required
s2s_ciphers: "HIGH:!3DES:!aNULL:!SSLv2:@STRENGTH"
s2s_protocol_options:
  - "no_sslv2"
  - "no_sslv3"

For c2s connections you can do something similar, except that the options go under the c2s listen directive:

-
  port: 5222
  module: ejabberd_c2s
  protocol_options:
    - "no_sslv2"
    - "no_sslv3"
  ciphers: ...

Sam Whited
  • Though not explicitly asked by the question, it's also a good idea to set the `dhfile` option to your own DH parameters. – xnyhps Oct 24 '15 at 19:38

Requiring StartTLS:

{s2s_use_starttls, required}. instead of {s2s_use_starttls, true}. (keep in mind this will currently make you unable to connect to gmail.com and all domains they host).

Weak ciphers:

See http://www.process-one.net/docs/ejabberd/guide_en.html#sec27. I think this means doing something like adding {ciphers, "..."} to the ejabberd_c2s options. Check with openssl ciphers -V '...' to see which ciphers a cipher string will enable.

As far as I can tell, it's not possible to disable SSLv3 without recompiling ejabberd yourself. See some discussion here.

xnyhps
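Both answers leave the verification to the reader: the first says the options "should" make STARTTLS required, the second points at `openssl ciphers -V` to see what a cipher string expands to. The script below is an added example (not part of either answer and not ejabberd's own code) that does both checks with the Python standard library. `starttls_policy()` classifies a `<stream:features>` stanza the way the xmpp.net "required" vs "allowed" verdict does, by looking for the `<required/>` child of `<starttls/>` (RFC 6120, section 5.4.1); `probe_starttls()` fetches that stanza from a live server on port 5222 or 5269; `enabled_ciphers()`/`weak_ciphers()` expand a cipher string through the `ssl` module and flag suites that should not survive. The sample stanza, the host/domain parameters and the `WEAK_PATTERNS` list are my own constructions; the live probe is assumed to talk to a server that sends a single `<stream:features>` element right after its stream header, which is what ejabberd does.

```python
"""Offline and live checks for an XMPP server's STARTTLS policy and cipher list.

Added example for the question above; not ejabberd code. Only the network
probe needs a server, everything else runs on the constructed stanza below.
"""
import re
import socket
import ssl
import xml.etree.ElementTree as ET
from typing import List

STREAM_NS = "http://etherx.jabber.org/streams"
TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"

# Constructed sample of what a c2s listener with starttls_required sends
# after the stream header (not captured from a real server).
SAMPLE_FEATURES = (
    '<stream:features xmlns:stream="http://etherx.jabber.org/streams">'
    '<starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls>'
    '<mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">'
    '<mechanism>PLAIN</mechanism></mechanisms>'
    '</stream:features>'
)

# Substrings of OpenSSL suite names that mark a suite as unacceptable here:
# RC4, NULL encryption, single/triple DES, MD5 MACs, export and anonymous DH.
# This is my own list, not an OpenSSL or ejabberd classification.
WEAK_PATTERNS = ("RC4", "NULL", "DES", "MD5", "EXP", "ADH", "AECDH")


def starttls_policy(features_xml: str) -> str:
    """Return 'required', 'allowed' or 'absent' for a <stream:features> fragment.

    The fragment is wrapped in a synthetic <stream:stream> so the stream:
    prefix is bound even when the server declared it only on the outer element
    (which is what a server does on the wire).
    """
    wrapped = (f'<stream:stream xmlns:stream="{STREAM_NS}">'
               f'{features_xml}</stream:stream>')
    root = ET.fromstring(wrapped)
    features = root.find(f"{{{STREAM_NS}}}features")
    if features is None:
        raise ValueError("no <stream:features> element in fragment")
    starttls = features.find(f"{{{TLS_NS}}}starttls")
    if starttls is None:
        return "absent"                      # plaintext only, TLS never offered
    if starttls.find(f"{{{TLS_NS}}}required") is not None:
        return "required"                    # client must negotiate TLS
    return "allowed"                         # advertised but optional


def probe_starttls(host: str, domain: str, port: int = 5222,
                   server_to_server: bool = False, timeout: float = 10.0) -> str:
    """Open a plaintext XMPP stream to host:port and classify its STARTTLS offer.

    Use port=5269, server_to_server=True to test the s2s listener; the default
    namespace then has to be jabber:server rather than jabber:client.
    """
    default_ns = "jabber:server" if server_to_server else "jabber:client"
    header = (f"<?xml version='1.0'?><stream:stream to='{domain}' "
              f"xmlns='{default_ns}' xmlns:stream='{STREAM_NS}' version='1.0'>")
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(header.encode())
        # Read until the features element is complete (or sent empty).
        while (b"</stream:features>" not in buf
               and b"<stream:features/>" not in buf):
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("server closed the stream before features")
            buf += chunk
        sock.sendall(b"</stream:stream>")    # be polite, close the stream
    start = buf.find(b"<stream:features")
    if start < 0:
        raise ValueError("no <stream:features> in server response")
    end = buf.find(b"</stream:features>")
    if end < 0:
        return "absent"                      # server sent <stream:features/>
    fragment = buf[start:end + len(b"</stream:features>")]
    return starttls_policy(fragment.decode("utf-8", "replace"))


def enabled_ciphers(spec: str) -> List[str]:
    """Expand an OpenSSL cipher string into the suite names it enables.

    Stdlib equivalent of `openssl ciphers -V '<spec>'`; the list also carries
    the TLS 1.3 suites the local OpenSSL offers regardless of the string.
    Raises ssl.SSLError if the string matches nothing.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return [c["name"] for c in ctx.get_ciphers()]


def is_weak(name: str) -> bool:
    """True if a suite name matches any of WEAK_PATTERNS."""
    return any(pattern in name for pattern in WEAK_PATTERNS)


def weak_ciphers(spec: str) -> List[str]:
    """Suites enabled by `spec` that should not be offered by an XMPP server."""
    return [name for name in enabled_ciphers(spec) if is_weak(name)]


if __name__ == "__main__":
    print("sample stanza:", starttls_policy(SAMPLE_FEATURES))
    hardened = "HIGH:!3DES:!aNULL:!SSLv2:@STRENGTH"
    print(f"{hardened!r} enables {len(enabled_ciphers(hardened))} suites,"
          f" weak: {weak_ciphers(hardened)}")
```

Run `probe_starttls("xmpp.example.org", "example.org")` and `probe_starttls("xmpp.example.org", "example.org", 5269, server_to_server=True)` against your own server before and after changing the config: the c2s listener with `starttls_required` and the s2s side with `s2s_use_starttls: required` should both come back as `required`. The cipher check only tells you what the string expands to on the machine running the script; the OpenSSL that ejabberd's Erlang runtime links against may differ, so confirm on the server host. Python cannot speak SSLv3 on a current OpenSSL, so to confirm the `no_sslv3` option took effect use `openssl s_client -connect host:5222 -starttls xmpp -ssl3` from an OpenSSL build that still has SSLv3 compiled in, and expect the handshake to fail.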