在 ejabberd 的现代版本中,可以通过向 ejabberd.yml 中的 dhfile 和 s2s_dhfile 选项提供自生成的 pem 文件来使用自定义 Diffie-Hellman 参数。我曾以三种不同的方式创建了不同的 DH 参数 pem 文件:
# 2048-bit DH parameters written to dh.pem
openssl dhparam -out dh.pem 2048
# 4096-bit DH parameters; note this overwrites the dh.pem produced above
openssl dhparam -out dh.pem 4096
# 4096-bit DH parameters generated via genpkey instead of dhparam; this is the
# file (dhp4096.pem) that the ejabberd config below points at
openssl genpkey -genparam -algorithm DH -out dhp4096.pem -pkeyopt dh_paramgen_prime_len:4096
将它们放入/etc/ejabberd/
并相应地配置 ejabberd:
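---
# ejabberd 15.09 configuration.  The pasted copy had lost all indentation;
# the structure below follows the ejabberd.yml layout (listen is a list,
# access/acl/modules/shaper are mappings).  Review remarks are NOTE(review).
hosts:
  - "somehost.tld"

access:
  announce:
    admin: allow
  c2s:
    blocked: deny
    all: allow
  c2s_shaper:
    admin: none
    all: normal
  configure:
    admin: allow
  local:
    local: allow
  max_user_offline_messages:
    admin: 100
    all: 100
  max_user_sessions:
    all: 10
  muc:
    all: allow
  muc_admin:
    admin: allow
  pubsub_createnode:
    all: allow
  # Open in-band registration; the CAPTCHA in mod_register is the only brake.
  register:
    all: allow
  s2s:
    all: allow
  s2s_shaper:
    all: fast

acl:
  admin:
    user:
      - "admin": "somehost.tld"
  local:
    # An empty regexp matches every local user.
    user_regexp:
      - ""
  # Accounts that access.c2s above denies.
  blocked:
    user:
      - "reklama": "sj.ms"
      - "cc6523": "tigase.im"
      - "reklama403": "kdetalk.net"
      - "pp241331": "kdetalk.net"
      - "advertising": "bin.vc"
      - "swiped_su6070": "debianforum.de"

# Database-backed authentication (MySQL on localhost).
auth_method: odbc
odbc_database: "ejabberd"
odbc_keepalive_interval: 3600
# NOTE(review): the posted copy of this file carried the real database
# password in clear text.  Rotate that credential and keep the value out of
# anything shared or committed to version control.
odbc_password: "<DB_PASSWORD_PLACEHOLDER>"
odbc_port: 3306
odbc_server: "127.0.0.1"
odbc_type: mysql
odbc_username: "ejabberdusr"

captcha_cmd: "/usr/lib/x86_64-linux-gnu/ejabberd/priv/bin/captcha.sh"
# NOTE(review): plain http:// URL; the 5280 ejabberd_http listener below has
# no certfile, so CAPTCHA challenges travel unencrypted.
captcha_host: "http://somehost.tld:5280"
captcha_limit: 5
language: "en"

define_macro:
  'TLS_CIPHERS': "ECDH:DH:!CAMELLIA128:!3DES:!MD5:!RC4:!aNULL:!NULL:!EXPORT:!LOW:!MEDIUM"

listen:
  -
    port: 5222
    module: ejabberd_c2s
    certfile: "/etc/ejabberd/cert/somehost.tld.pem"
    # Custom DH parameters.  Only honoured when the TLS library underneath
    # (erlang-p1-tls) is recent enough -- see the answer further down.
    dhfile: "/etc/ejabberd/dhp4096.pem"
    starttls: true
    starttls_required: true
    stream_management: true
    max_ack_queue: 1000
    # NOTE(review): the original listed resend_on_timeout twice in this
    # listener (true, then if_offline).  A YAML mapping must not repeat a key
    # and which value ejabberd actually picked is parser-dependent; the last
    # one is kept here -- confirm the intended value.
    resend_on_timeout: if_offline
    max_stanza_size: 65536
    shaper: c2s_shaper
    access: c2s
    # NOTE(review): only SSLv3 is switched off here and in
    # s2s_protocol_options; TLS 1.0 and 1.1 stay enabled.
    protocol_options:
      - "no_sslv3"
    ciphers: 'TLS_CIPHERS'
    zlib: true
  -
    port: 5269
    module: ejabberd_s2s_in
    transport: tcp
    max_stanza_size: 131072
    shaper: s2s_shaper
  -
    port: 5280
    module: ejabberd_http
    # NOTE(review): the web admin console is served over plain HTTP on this
    # listener (no certfile), so admin logins cross the wire unencrypted.
    web_admin: true
    captcha: true

loglevel: 2
max_fsm_queue: 1000

modules:
  mod_adhoc: []
  mod_announce:
    access: announce
  mod_blocking: {}  # requires mod_privacy
  mod_caps: []
  mod_carboncopy: {}
  mod_configure: []
  ## mod_admin_extra: []
  mod_disco: []
  mod_irc: []
  mod_last: []
  mod_muc:
    host: "muc.@HOST@"
    access: all
    access_create: all
    access_persistent: all
    access_admin: muc_admin
    max_users: 500
    history_size: 1000
    default_room_options:
      allow_change_subj: true
      allow_private_messages: true
      allow_private_messages_from_visitors: anyone
      allow_query_users: false
      allow_user_invites: true
      allow_visitor_nickchange: true
      allow_visitor_status: true
      anonymous: false
      captcha_protected: false
      # Rooms are logged by default; the logs land in mod_muc_log.outdir.
      logging: true
      max_users: 200
      members_by_default: true
      members_only: false
      moderated: false
      password_protected: false
      persistent: false
      public: true
      public_list: true
  mod_muc_log:
    access_log: muc_admin
    dirname: room_name
    dirtype: subdirs
    file_format: html
    outdir: "/var/www/muc"
    spam_prevention: false
    timezone: local
    top_link:
      "/": "Jedem das Seine."
  mod_offline:
    access_max_user_messages: max_user_offline_messages
  mod_ping: {}
  mod_privacy: []
  mod_private: []
  ## mod_proxy65:
  ##   access: all
  ##   shaper: c2s_shaper
  mod_pubsub:
    access_createnode: pubsub_createnode
    pep_sendlast_offline: false
    last_item_cache: false
    plugins:
      - "flat"
      - "hometree"
      - "pep"
  mod_register:
    welcome_message:
      subject: "Welcome!"
      body: "Welcome"
    captcha_protected: true
    access: register
  mod_roster: []
  mod_shared_roster: {}
  mod_stats: []
  mod_time: []
  mod_vcard: []
  mod_version: []
  mod_mam:
    db_type: odbc
    default: never

registration_timeout: 600

# Server-to-server settings; DH file and cipher macro mirror the c2s listener.
outgoing_s2s_port: 5269
outgoing_s2s_timeout: 10000
s2s_access: s2s
s2s_certfile: "/etc/ejabberd/cert/somehost.tld.pem"
s2s_dhfile: "/etc/ejabberd/dhp4096.pem"
s2s_use_starttls: required
s2s_protocol_options:
  - "no_sslv3"
s2s_ciphers: 'TLS_CIPHERS'

shaper:
  normal: 1000
  fast: 50000

# NOTE(review): this is a one-element list holding an empty list; an empty
# list (`watchdog_admins: []`) was probably intended -- confirm.
watchdog_admins:
  - []

# NOTE(review): plain stores account passwords unhashed in the database;
# ejabberd also supports scram.  Switching affects existing accounts, so plan
# the migration rather than flipping the value in place.
auth_password_format: plain
fqdn: "somehost.tld"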
这些 DH 参数文件没有一个起作用。XMPP.net 测试工具仍然警告:
Server uses Diffie-Hellman parameters of < 2048 bits. Grade capped to B.
并且“密码”部分中显示的位大小确实是 1024,而不是 2048 或 4096:
这是我或我的配置的问题,还是 XMPP.net 工具的问题?我该如何自行检查 DH 位大小?
服务器运行的是 Debian 8.2 “杰西”(稳定版),以及来自测试存储库的 ejabberd 15.09。
答案1
罪魁祸首找到了:Diffie-Hellman 参数由 erlang-p1-tls 控制。因此,当您将 ejabberd 升级到测试存储库中的版本时,也应该将 erlang-p1-tls 软件包升级到测试版本!
sudo apt-get install erlang-p1-tls/testing
实际上,为了让测试版本的 ejabberd 在稳定版 Debian 上正常工作,也应将所有 erlang-* 软件包更新至测试版本。