Add option to specify openssl options
authorAntonio Murdaca <antonio.murdaca@hadlab.com>
Tue, 1 Apr 2014 19:57:33 +0000 (21:57 +0200)
committerAntonio Murdaca <antonio.murdaca@hadlab.com>
Tue, 8 Apr 2014 16:46:52 +0000 (18:46 +0200)
doc/guide.tex
ejabberd.yml.example
src/ejabberd_c2s.erl
src/ejabberd_s2s_in.erl
src/ejabberd_s2s_out.erl

index dd4255725fa2864a95313a7158f9b05f42c7ae9d..b0657f81473f6b7e0f0f0e0d5ce6115ecc9a5c96 100644 (file)
@@ -332,7 +332,7 @@ To compile \ejabberd{} on a `Unix-like' operating system, you need:
 \makesubsection{download}{Download Source Code}
 \ind{install!download}
 
-Released versions of \ejabberd{} are available in the ProcessOne \ejabberd{} downloads page:
+Released versions of \ejabberd{} are available in the ProcessOne \ejabberd{} downl\ 1oads page:
 \ahrefurl{http://www.process-one.net/en/ejabberd/downloads}
 
 \ind{Git repository}
@@ -869,7 +869,7 @@ The available modules, their purpose and the options allowed by each one are:
 \begin{description}
   \titem{\texttt{ejabberd\_c2s}}
     Handles c2s connections.\\
-    Options: \texttt{access}, \texttt{certfile}, \texttt{ciphers},
+    Options: \texttt{access}, \texttt{certfile}, \texttt{ciphers}, \texttt{protocol\_options}
     \texttt{max\_fsm\_queue},
     \texttt{max\_stanza\_size}, \texttt{shaper},
     \texttt{starttls}, \texttt{starttls\_required}, \texttt{tls},
@@ -917,6 +917,10 @@ This is a detailed description of each option allowed by the listening modules:
     To define a certificate file specific for a given domain, use the global option \term{domain\_certfile}.
   \titem{ciphers: Ciphers} OpenSSL ciphers list in the same format accepted by
   `\verb|openssl ciphers|' command.
+  \titem{protocol\_options: ProtocolOpts} \ind{options!protocol\_options}
+  List of general options relating to SSL/TLS. These map to \verb|<a href="https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html">OpenSSL's set_options()</a>|.
+  For a full list of options available in ejabberd, \verb|<a href="https://github.com/processone/tls/blob/protocol_options/c_src/options.h">see the source</a>|.
+  The default entry is: \verb|"no_sslv2"|
   \titem{default\_host: undefined|HostName\}}
     If the HTTP request received by ejabberd contains the HTTP header \term{Host}
     with an ambiguous virtual host that doesn't match any one defined in ejabberd (see \ref{hostnames}),
@@ -1065,6 +1069,10 @@ There are some additional global options that can be specified in the ejabberd c
   Full path to the file containing the SSL certificate for a specific domain.
   \titem{s2s\_ciphers: Ciphers} \ind{options!s2s\_ciphers} OpenSSL ciphers list
   in the same format accepted by `\verb|openssl ciphers|' command.
+  \titem{s2s\_protocol\_options: ProtocolOpts} \ind{options!s2s\_protocol\_options}
+  List of general options relating to SSL/TLS. These map to \verb|<a href="https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html">OpenSSL's set_options()</a>|.
+  For a full list of options available in ejabberd, \verb|<a href="https://github.com/processone/tls/blob/protocol_options/c_src/options.h">see the source</a>|.
+  The default enitry is: \verb|"no_sslv2"|
   \titem{outgoing\_s2s\_families: [Family, ...]} \ind{options!outgoing\_s2s\_families}
   Specify which address families to try, in what order.
   By default it first tries connecting with IPv4, if that fails it tries using IPv6.
index 28f61fdbeb56500d235ae4e31fafb67c98a9d568..2e744103f56bc78c488f48ce7ae1ec22af08ff37 100644 (file)
@@ -86,6 +86,12 @@ listen:
     ##
     ## certfile: "/path/to/ssl.pem"
     ## starttls: true
+    ##
+    ## Custom OpenSSL options
+    ##
+    ## protocol_options:
+    ##   - "no_sslv3"
+    ##   - "no_tlsv1"
     max_stanza_size: 65536
     shaper: c2s_shaper
     access: c2s
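Review bot: The example list `"no_sslv3"` / `"no_tlsv1"` omits `no_sslv2`, while the guide changed in this same commit says `no_sslv2` is only the *default* entry; the c2s code joins exactly what is listed, so an explicit list appears to replace the default rather than extend it, and a user copying this example would re-enable SSLv2. Suggest adding `##   - "no_sslv2"` as the first entry and a one-line warning such as `## Setting protocol_options replaces the default ("no_sslv2"); list it explicitly.` Whether the TLS driver itself still forces no_sslv2 when an explicit list is given is not visible here and should be confirmed before relying on it.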
@@ -144,6 +150,12 @@ listen:
 ##
 ## s2s_certfile: "/path/to/ssl.pem"
 
+## Custom OpenSSL options
+##
+## s2s_protocol_options:
+##   - "no_sslv3"
+##   - "no_tlsv1"
+
 ##
 ## domain_certfile: Specify a different certificate for each served hostname.
 ##
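Review bot: As with the c2s example above, `s2s_protocol_options` shown as `no_sslv3` + `no_tlsv1` drops the documented default `no_sslv2`; add `##   - "no_sslv2"` to the example so copying it does not weaken the configuration. For s2s in particular, `no_tlsv1` disables the only TLS version many federated peers supported at the time, so a comment such as `## no_tlsv1 may break federation with peers that only speak TLS 1.0` would help operators who copy the example verbatim.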
index 83dfd2f07933320012437052d7ec6150e9d07363..fa0eee8c574521f1ca826775d69e4e8c81370d8f 100644 (file)
@@ -245,11 +245,20 @@ init([{SockMod, Socket}, Opts]) ->
                                (_) -> false
                            end,
                            Opts),
-    TLSOpts2 = case proplists:get_bool(tls_compression, Opts) of
-                   false -> [compression_none | TLSOpts1];
-                   true -> TLSOpts1
+    TLSOpts2 = case lists:keysearch(protocol_options, 1, Opts) of
+                   {value, {_, O}} ->
+                       [_|ProtocolOptions] = lists:foldl(
+                                    fun(X, Acc) -> X ++ Acc end, [],
+                                    [["|" | binary_to_list(Opt)] || Opt <- O, is_binary(Opt)]
+                                   ),
+                        [{protocol_options, iolist_to_binary(ProtocolOptions)} | TLSOpts1];
+                   _ -> TLSOpts1
                end,
-    TLSOpts = [verify_none | TLSOpts2],
+    TLSOpts3 = case proplists:get_bool(tls_compression, Opts) of
+                   false -> [compression_none | TLSOpts2];
+                   true -> TLSOpts2
+               end,
+    TLSOpts = [verify_none | TLSOpts3],
     IP = peerip(SockMod, Socket),
     %% Check if IP is blacklisted:
     case is_ip_blacklisted(IP) of
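Review bot: The pattern `[_|ProtocolOptions] = lists:foldl(...)` on the new side raises a badmatch when the configured list is empty or contains no binaries (e.g. `protocol_options: []`), so the c2s process dies in init/1 instead of falling back to the default. Joining with `string:join/2` removes both the leading-separator trick and the crash: `Joined = string:join([binary_to_list(Opt) || Opt <- O, is_binary(Opt)], "|"),` followed by `[{protocol_options, iolist_to_binary(Joined)} | TLSOpts1];`. Note also that `X ++ Acc` prepends, so the options are emitted in reverse order; presumably harmless for OR'ed OpenSSL flags, but worth a comment, and non-binary entries are silently dropped rather than rejected as a configuration error. init/1 begins and ends outside this hunk.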
index 97c65af74df04656fc56b839dd2988077cf61566..22a69b02c41a000b4f2753ea5259454ad75f942d 100644 (file)
@@ -182,9 +182,21 @@ init([{SockMod, Socket}, Opts]) ->
                    undefined -> TLSOpts1;
                    Ciphers -> [{ciphers, Ciphers} | TLSOpts1]
                end,
+    TLSOpts3 = case ejabberd_config:get_option(
+                      s2s_protocol_options,
+                      fun (Options) ->
+                              [_|O] = lists:foldl(
+                                           fun(X, Acc) -> X ++ Acc end, [],
+                                           [["|" | binary_to_list(Opt)] || Opt <- Options, is_binary(Opt)]
+                                          ),
+                              iolist_to_binary(O)
+                      end) of
+                   undefined -> TLSOpts2;
+                   ProtocolOpts -> [{protocol_options, ProtocolOpts} | TLSOpts2]
+               end,
     TLSOpts = case proplists:get_bool(tls_compression, Opts) of
-                  false -> [compression_none | TLSOpts2];
-                  true -> TLSOpts2
+                  false -> [compression_none | TLSOpts3];
+                  true -> TLSOpts3
               end,
     Timer = erlang:start_timer(?S2STIMEOUT, self(), []),
     {ok, wait_for_stream,
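Review bot: The validator fun passed to `ejabberd_config:get_option` repeats the c2s join logic and inherits the same `[_|O] = lists:foldl(...)` badmatch on an empty `s2s_protocol_options` list; whether get_option maps a failing validator to `undefined` or lets the crash propagate is not visible in this hunk and should be confirmed. Since the identical fold now appears three times in this commit, one shared helper such as `join_protocol_options(Opts) -> iolist_to_binary(string:join([binary_to_list(O) || O <- Opts, is_binary(O)], "|")).` would keep the call sites consistent and fix the empty-list case in one place. init/1 begins and ends outside this hunk.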
index 7222e43b19bec9dcecdfb781959161938ba4be47..1f86cf68fc981cecbd30826037784e69e6cccb78 100644 (file)
@@ -196,13 +196,25 @@ init([From, Server, Type]) ->
                    undefined -> TLSOpts1;
                    Ciphers -> [{ciphers, Ciphers} | TLSOpts1]
                end,
+    TLSOpts3 = case ejabberd_config:get_option(
+                      s2s_protocol_options,
+                      fun (Options) ->
+                              [_|O] = lists:foldl(
+                                           fun(X, Acc) -> X ++ Acc end, [],
+                                           [["|" | binary_to_list(Opt)] || Opt <- Options, is_binary(Opt)]
+                                          ),
+                              iolist_to_binary(O)
+                      end) of
+                   undefined -> TLSOpts2;
+                   ProtocolOpts -> [{protocol_options, ProtocolOpts} | TLSOpts2]
+               end,
     TLSOpts = case ejabberd_config:get_option(
                      {s2s_tls_compression, From},
                      fun(true) -> true;
                         (false) -> false
                      end, true) of
-                  false -> [compression_none | TLSOpts2];
-                  true -> TLSOpts2
+                  false -> [compression_none | TLSOpts3];
+                  true -> TLSOpts3
               end,
     {New, Verify} = case Type of
                      {new, Key} -> {Key, false};
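Review bot: `s2s_protocol_options` is read as a global option here, whereas the neighbouring `s2s_tls_compression` lookup a few lines below is keyed per host as `{s2s_tls_compression, From}`; the new option therefore cannot be tuned per local domain, which operators running mixed federations may expect. If per-host scoping is intended, the lookup should be `ejabberd_config:get_option({s2s_protocol_options, From}, ...)` with the same validator, and the guide entry should say which scope applies. The validator fun also shares the empty-list badmatch noted for the other call sites. init/1 begins and ends outside this hunk.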