ejabberd: Set Diffie-Hellman (DH) cipher bit size to >= 2048

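In modern versions of ejabberd it is possible to use custom Diffie-Hellman parameters by providing a self-generated pem file to the dhfile and s2s_dhfile options in ejabberd.yml. I've created different DH parameter pem files in three different ways: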

openssl dhparam -out dh.pem 2048
openssl dhparam -out dh.pem 4096
openssl genpkey -genparam -algorithm DH -out dhp4096.pem -pkeyopt dh_paramgen_prime_len:4096

Put them into /etc/ejabberd/ and configured ejabberd accordingly:

hosts:
  - "somehost.tld"

access:
  announce:
    admin: allow
  c2s:
    blocked: deny
    all: allow
  c2s_shaper:
    admin: none
    all: normal
  configure:
    admin: allow
  local:
    local: allow
  max_user_offline_messages:
    admin: 100
    all: 100
  max_user_sessions:
    all: 10
  muc:
    all: allow
  muc_admin:
    admin: allow
  pubsub_createnode:
    all: allow
  register:
    all: allow
  s2s:
    all: allow
  s2s_shaper:
    all: fast

acl:
  admin:
    user:
      -
        "admin": "somehost.tld"
  local:
    user_regexp:
      - ""

  blocked:
    user:
      - "reklama": "sj.ms"
      - "cc6523": "tigase.im"
      - "reklama403": "kdetalk.net"
      - "pp241331": "kdetalk.net"
      - "advertising": "bin.vc"
      - "swiped_su6070": "debianforum.de"

auth_method: odbc
odbc_database: "ejabberd"
odbc_keepalive_interval: 3600
odbc_password: "YZucuq3vSdfPDnzs"
odbc_port: 3306
odbc_server: "127.0.0.1"
odbc_type: mysql
odbc_username: "ejabberdusr"

captcha_cmd: "/usr/lib/x86_64-linux-gnu/ejabberd/priv/bin/captcha.sh"
captcha_host: "http://somehost.tld:5280"
captcha_limit: 5

language: "en"

define_macro:
  'TLS_CIPHERS': "ECDH:DH:!CAMELLIA128:!3DES:!MD5:!RC4:!aNULL:!NULL:!EXPORT:!LOW:!MEDIUM"

listen:
  -
    port: 5222
    module: ejabberd_c2s
    certfile: "/etc/ejabberd/cert/somehost.tld.pem"
    dhfile: "/etc/ejabberd/dhp4096.pem"
    starttls: true
    starttls_required: true
    stream_management: true
    max_ack_queue: 1000
    resend_on_timeout: true
    max_stanza_size: 65536
    shaper: c2s_shaper
    access: c2s
    protocol_options:
      - "no_sslv3"
    ciphers: 'TLS_CIPHERS'
    resend_on_timeout: if_offline
    zlib: true
  -
    port: 5269
    module: ejabberd_s2s_in
    transport: tcp
    max_stanza_size: 131072
    shaper: s2s_shaper
  -
    port: 5280
    module: ejabberd_http
    web_admin: true
    captcha: true

loglevel: 2
max_fsm_queue: 1000

modules:
  mod_adhoc: []

  mod_announce:
    access: announce

  mod_blocking: {} # requires mod_privacy
  mod_caps: []
  mod_carboncopy: {}
  mod_configure: []
##  mod_admin_extra: []
  mod_disco: []
  mod_irc: []
  mod_last: []

  mod_muc:
    host: "muc.@HOST@"
    access: all
    access_create: all
    access_persistent: all
    access_admin: muc_admin
    max_users: 500
    history_size: 1000
    default_room_options:
      allow_change_subj: true
      allow_private_messages: true
      allow_private_messages_from_visitors: anyone
      allow_query_users: false
      allow_user_invites: true
      allow_visitor_nickchange: true
      allow_visitor_status: true
      anonymous: false
      captcha_protected: false
      logging: true
      max_users: 200
      members_by_default: true
      members_only: false
      moderated: false
      password_protected: false
      persistent: false
      public: true
      public_list: true

  mod_muc_log:
    access_log: muc_admin
    dirname: room_name
    dirtype: subdirs
    file_format: html
    outdir: "/var/www/muc"
    spam_prevention: false
    timezone: local
    top_link:
      "/": "Jedem das Seine."

  mod_offline:
    access_max_user_messages: max_user_offline_messages

  mod_ping: {}
  mod_privacy: []
  mod_private: []
##  mod_proxy65:
##    access: all
##    shaper: c2s_shaper
  mod_pubsub:
    access_createnode: pubsub_createnode
    pep_sendlast_offline: false
    last_item_cache: false
    plugins:
      - "flat"
      - "hometree"
      - "pep"

  mod_register:
    welcome_message:
      subject: "Welcome!"
      body: "Welcome"
    captcha_protected: true
    access: register

  mod_roster: []
  mod_shared_roster: {}
  mod_stats: []
  mod_time: []
  mod_vcard: []
  mod_version: []

  mod_mam:
    db_type: odbc
    default: never

registration_timeout: 600
outgoing_s2s_port: 5269
outgoing_s2s_timeout: 10000
s2s_access: s2s
s2s_certfile: "/etc/ejabberd/cert/somehost.tld.pem"
s2s_dhfile: "/etc/ejabberd/dhp4096.pem"
s2s_use_starttls: required
s2s_protocol_options:
  - "no_sslv3"
s2s_ciphers: 'TLS_CIPHERS'
shaper:
  normal: 1000
  fast: 50000
watchdog_admins:
  - []
auth_password_format: plain
fqdn: "somehost.tld"

None of these DH params files worked. The XMPP.net test tool still warns:

Server uses Diffie-Hellman parameters of < 2048 bits. Grade capped to B.

And indeed, in the "Ciphers" section the bit size is 1024 instead of 2048/4096.

Is this a problem with me and my configuration, or with the XMPP.net tool? How can I check the DH bit size myself?

The server runs Debian 8.2 "Jessie" (stable) and ejabberd 15.09 from the testing repository.

Answer 1

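The culprit has been found: the Diffie-Hellman parameters are controlled by erlang-p1-tls. So when you upgrade ejabberd to the version from the testing repository, you should upgrade the erlang-p1-tls package to testing as well!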

sudo apt-get install erlang-p1-tls/testing

Actually, to get the testing version of ejabberd working properly on stable Debian, update all erlang-* packages to the testing version as well.
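
On the question's "how can I check the DH bit size myself?": one way is to compare the size of the parameter file with the size of the ephemeral DH key the server actually sends in a DHE handshake. This is an added example, not part of the original question or answer; the function names, MIN_BITS and SAMPLE are its own, and it assumes an openssl build whose s_client supports -starttls xmpp.

```shell
#!/bin/sh
# Added example: does the server negotiate a DH key as large as its dhfile?
MIN_BITS=2048   # threshold named in the XMPP.net warning
# Constructed s_client excerpt showing the line temp_key_bits looks for.
SAMPLE='Server Temp Key: DH, 1024 bits'

# Modulus size of a DH parameter PEM file. The -text output starts with a
# header line that contains the size, e.g. "(4096 bit)".
dh_file_bits() {
    openssl dhparam -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Read s_client output on stdin and print the ephemeral DH key size.
# Prints nothing if the handshake used ECDHE or no ephemeral key at all.
temp_key_bits() {
    sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits.*/\1/p' | head -n 1
}

# Handshake with an XMPP c2s port, offering only DHE suites over TLS 1.2
# so the server has to reveal its DH group size.
server_dh_bits() {   # usage: server_dh_bits HOST [PORT]
    openssl s_client -connect "$1:${2:-5222}" -starttls xmpp \
        -tls1_2 -cipher DHE </dev/null 2>/dev/null | temp_key_bits
}

# Verdict for a measured size: ok, weak, or none (no DHE key seen).
dh_verdict() {
    case "$1" in
        ''|*[!0-9]*) echo none ;;
        *) if [ "$1" -ge "$MIN_BITS" ]; then echo ok; else echo weak; fi ;;
    esac
}

# Run as: sh check_dh.sh /etc/ejabberd/dhp4096.pem somehost.tld [port]
if [ "$#" -ge 2 ]; then
    file_bits=$(dh_file_bits "$1")
    live_bits=$(server_dh_bits "$2" "${3:-5222}")
    echo "file:   ${file_bits:-?} bits ($(dh_verdict "$file_bits"))"
    echo "server: ${live_bits:-?} bits ($(dh_verdict "$live_bits"))"
    # A large file with a small negotiated key means the TLS layer is not
    # using the configured dhfile, which is the situation in the question.
    [ "$(dh_verdict "$live_bits")" = ok ] || exit 1
else
    bits=$(printf '%s\n' "$SAMPLE" | temp_key_bits)
    echo "sample: $bits bits ($(dh_verdict "$bits"))"
fi
```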
