- "/etc/letsencrypt/live/localhost/fullchain.pem"
- "/etc/letsencrypt/live/localhost/privkey.pem"
+define_macro:
+ # TLS options for client not being able to use modern ciphers (Windows XP+, Android 3.0+)
+ CIPHERS_INTERMEDIATE: "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
+ PROTOCOL_OPTIONS_INTERMEDIATE:
+ - "no_sslv2"
+ - "no_sslv3"
+
+ # TLS options for client able to use moder ciphers (Windows 7+, Android 5.0+)
+ CIPHERS_MODERN: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
+ PROTOCOL_OPTIONS_MODERN:
+ - "no_sslv2"
+ - "no_sslv3"
+ - "no_tlsv1"
+ - "no_tlsv1.1"
+
listen:
-
port: 5222
max_stanza_size: 262144
shaper: c2s_shaper
access: c2s
+ ciphers: CIPHERS_MODERN
+ protocol_options: PROTOCOL_OPTIONS_MODERN
starttls_required: true
-
port: 5269
"/ws": ejabberd_http_ws
web_admin: true
captcha: true
+ ciphers: CIPHERS_MODERN
+ protocol_options: PROTOCOL_OPTIONS_MODERN
tls: true
s2s_use_starttls: optional
ip:
- "127.0.0.0/8"
- "::1/128"
- - "::FFFF:127.0.0.1/128"
access_rules:
local:
projects / ejabberd / commitdiff