我在 Ubuntu 14.04 LTS 服务器上运行 Prosody。我安装了 OpenSSL 1.01f,可以通过运行 进行确认openssl version
。TLSv1.2 受支持,可以通过运行 进行确认openssl ciphers -v 'TLSv1.2'
我跟着本指南以实现前向保密。
尽管如此,我的 Prosody 服务器似乎仍然停留在 TLSv1.0 上,这可以通过检查XMPP 天文台并运行导致openssl s_client -connect mydomain.com:5222 -starttls xmpp < /dev/null
TLS1.0 连接的命令。
protocol = "tlsv1_2";
在 SSL 选项下添加到我的配置会导致 Prosody 错误日志报告“无效协议”。
这是我的 Prosody 配置的副本:
admins = {"[email protected]"}
modules_enabled = {
-- Generally required
"roster"; -- Allow users to have a roster. Recommended ;)
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
"tls"; -- Add support for secure TLS on c2s/s2s connections
"dialback"; -- s2s dialback support
"disco"; -- Service discovery
"posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
-- Not essential, but recommended
"private"; -- Private XML storage (for room bookmarks, etc.)
"vcard"; -- Allow users to set vCards
-- These are commented by default as they have a performance impact
--"privacy"; -- Support privacy lists
"compression"; -- Stream compression (requires the lua-zlib package installed)
-- Nice to have
"version"; -- Replies to server version requests
"uptime"; -- Report how long server has been running
"time"; -- Let others know the time here on this server
"ping"; -- Replies to XMPP pings with pongs
"pep"; -- Enables users to publish their mood, activity, playing music and more
"register"; -- Allow users to register on this server using a client and change passwords
-- Admin interfaces
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
-- HTTP modules
--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
--"http_files"; -- Serve static files from a directory over HTTP
-- Other specific functionality
--"groups"; -- Shared roster support
--"announce"; -- Send announcement to all online users
--"welcome"; -- Welcome users who register accounts
--"watchregistrations"; -- Alert admins of registrations
--"motd"; -- Send a message to users when they log in
--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
};
modules_disabled = {
-- "offline"; -- Store offline messages
-- "c2s"; -- Handle client connections
-- "s2s"; -- Handle server-to-server connections
};
allow_registration = false;
ssl = {
key = "/etc/prosody/certs/localhost.key";
certificate = "/etc/prosody/certs/localhost.crt";
}
c2s_require_encryption = true
s2s_require_encryption = true
s2s_secure_auth = true
pidfile = "/var/run/prosody/prosody.pid"
authentication = "internal_plain"
log = {
info = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for verbose logging
error = "/var/log/prosody/prosody.err";
"*syslog";
}
VirtualHost "mydomain.com"
ssl = {
key = "/etc/letsencrypt/archive/mydomain.com/privkey3.pem";
certificate = "/etc/letsencrypt/archive/mydomain.com/fullchain3.pem";
cafile = "/etc/ssl/certs/ca-certificates.crt";
ciphers="EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4";
dhparam = "/etc/pki/tls/dh-2048.pem";
}
Component "conference.mydomain.com" "muc"
Component "proxy.mydomain.com" "proxy65"