
I have Prosody running on my Ubuntu 14.04 LTS server. I have OpenSSL 1.01f installed, as confirmed by running `openssl version`. TLSv1.2 support is confirmed by running `openssl ciphers -v 'TLSv1.2'`.

I followed this guide to enable forward secrecy.

Despite all of this, my Prosody server still appears to be stuck on TLSv1.0. This is confirmed by checking on the XMPP Observatory and also by running `openssl s_client -connect mydomain.com:5222 -starttls xmpp < /dev/null`, which results in a TLSv1.0 connection.

Adding `protocol = "tlsv1_2";` to the SSL options in my config results in the Prosody error log reporting "invalid protocol".

Here is a copy of my Prosody config:

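-- Prosody configuration.  Everything above the first VirtualHost is a
-- global setting; the VirtualHost and Component lines at the end define
-- the hosts this server serves.

admins = { "me@mydomain.com" }

modules_enabled = {

    -- Generally required
        "roster"; -- Allow users to have a roster. Recommended ;)
        "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
        "tls"; -- Add support for secure TLS on c2s/s2s connections
        "dialback"; -- s2s dialback support
        "disco"; -- Service discovery
        "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.

    -- Not essential, but recommended
        "private"; -- Private XML storage (for room bookmarks, etc.)
        "vcard"; -- Allow users to set vCards

    -- These are commented by default as they have a performance impact
        --"privacy"; -- Support privacy lists
        "compression"; -- Stream compression (requires the lua-zlib package installed)
    -- Nice to have
        "version"; -- Replies to server version requests
        "uptime"; -- Report how long server has been running
        "time"; -- Let others know the time here on this server
        "ping"; -- Replies to XMPP pings with pongs
        "pep"; -- Enables users to publish their mood, activity, playing music and more
        "register"; -- Allow users to register on this server using a client and change passwords
                    -- (in-band registration itself is switched off below by allow_registration = false;
                    -- the module is kept so existing users can still change their password)

    -- Admin interfaces
        "admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
        --"admin_telnet"; -- Opens telnet console interface on localhost port 5582

    -- HTTP modules
        --"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
        --"http_files"; -- Serve static files from a directory over HTTP

    -- Other specific functionality
        --"groups"; -- Shared roster support
        --"announce"; -- Send announcement to all online users
        --"welcome"; -- Welcome users who register accounts
        --"watchregistrations"; -- Alert admins of registrations
        --"motd"; -- Send a message to users when they log in
        --"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
};

modules_disabled = {
      -- "offline"; -- Store offline messages
      -- "c2s"; -- Handle client connections
      -- "s2s"; -- Handle server-to-server connections
};

-- Public in-band registration is closed; accounts are created by the admin.
allow_registration = false;

-- Global (default) TLS settings.  Anything that does not carry its own
-- ssl block falls back to these.  NOTE(review): the two Components below
-- have no ssl block of their own, so they presumably present this
-- self-signed localhost certificate rather than the Let's Encrypt one
-- configured on the VirtualHost -- verify what remote servers actually see.
ssl = {
      key = "/etc/prosody/certs/localhost.key";
      certificate = "/etc/prosody/certs/localhost.crt";
}

-- Refuse unencrypted client and server-to-server streams, and require
-- remote servers to present a valid certificate (no dialback fallback).
c2s_require_encryption = true
s2s_require_encryption = true
s2s_secure_auth = true

pidfile = "/var/run/prosody/prosody.pid"

-- NOTE(review): "internal_plain" keeps account passwords in clear text in
-- Prosody's data store.  "internal_hashed" is the alternative Prosody
-- offers; switching changes the stored credential format, so confirm how
-- the installed Prosody version handles accounts created under
-- "internal_plain" before changing this on a live server.
authentication = "internal_plain"

log = {
    info = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for verbose logging
    error = "/var/log/prosody/prosody.err";
    "*syslog";
}

VirtualHost "mydomain.com"
    ssl = {
        -- NOTE(review): these paths point into the certbot "archive"
        -- directory, whose file names carry a counter (privkey3/fullchain3)
        -- that advances on every renewal, so this configuration will stop
        -- matching the current certificate after the next renewal.  The
        -- "live" directory is the stable-symlink location intended for
        -- consumers like this one.
        key             = "/etc/letsencrypt/archive/mydomain.com/privkey3.pem";
        certificate     = "/etc/letsencrypt/archive/mydomain.com/fullchain3.pem";
        cafile          = "/etc/ssl/certs/ca-certificates.crt";
        -- Forward-secret (ECDHE/DHE) suites only, AEAD and SHA-2 suites
        -- first.  The original list also contained "EECDH+aRSA+RC4"; it is
        -- dropped here because the trailing "!RC4" permanently removes every
        -- RC4 suite anyway, so the entry never had an effect and only
        -- obscured the intent.  The negotiated cipher set is unchanged.
        ciphers         = "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4";
        -- NOTE(review): /etc/pki/tls is the Red Hat/CentOS layout; confirm
        -- this file really exists on the Ubuntu host.
        dhparam         = "/etc/pki/tls/dh-2048.pem";
        -- No "protocol" key is set on purpose.  The accepted values come from
        -- the LuaSec library Prosody is linked against, not from OpenSSL; as
        -- far as I know "tlsv1_2" is only recognised by LuaSec 0.5 and later,
        -- and an older LuaSec rejects it with exactly the "invalid protocol"
        -- error seen in the log.  Check the installed lua-sec version before
        -- reintroducing it.
    }



Component "conference.mydomain.com" "muc"
Component "proxy.mydomain.com" "proxy65"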
