如何让 Prosody 使用 TLS 1.2?

如何让 Prosody 使用 TLS 1.2?

我在 Ubuntu 14.04 LTS 服务器上运行 Prosody。我安装的是 OpenSSL 1.0.1f(可通过运行 `openssl version` 确认)。TLSv1.2 是受支持的(可通过运行 `openssl ciphers -v 'TLSv1.2'` 确认)。

我按照本指南进行配置以实现前向保密(forward secrecy)。

尽管如此,我的 Prosody 服务器似乎仍然停留在 TLSv1.0:无论是在 XMPP Observatory 上检查,还是运行 `openssl s_client -connect mydomain.com:5222 -starttls xmpp < /dev/null`,结果都显示协商出的是 TLS 1.0 连接。

在配置的 SSL 选项下添加 `protocol = "tlsv1_2";` 会导致 Prosody 错误日志报告“无效协议”(invalid protocol)。

这是我的 Prosody 配置的副本:

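-- Global (server-wide) Prosody settings. Anything set here applies to every
-- host unless a VirtualHost/Component section below overrides it.
admins = {"[email protected]"}

modules_enabled = {

    -- Generally required
        "roster"; -- Allow users to have a roster. Recommended ;)
        "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
        "tls"; -- Add support for secure TLS on c2s/s2s connections
        "dialback"; -- s2s dialback support
        "disco"; -- Service discovery
        "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.

    -- Not essential, but recommended
        "private"; -- Private XML storage (for room bookmarks, etc.)
        "vcard"; -- Allow users to set vCards

    -- These are commented by default as they have a performance impact
        --"privacy"; -- Support privacy lists
        -- NOTE(review): stream compression is left disabled. Compressing the
        -- XMPP stream inside a TLS session lets anyone who can inject data into
        -- the stream learn about its secret contents from the ciphertext length
        -- (the CRIME/BREACH class of weakness), which undermines the cipher
        -- hardening done in the VirtualHost ssl block. Later Prosody releases
        -- deprecate mod_compression for this reason; re-enable only if clients
        -- genuinely need it and the risk is accepted.
        --"compression"; -- Stream compression (requires the lua-zlib package installed)
    -- Nice to have
        "version"; -- Replies to server version requests
        "uptime"; -- Report how long server has been running
        "time"; -- Let others know the time here on this server
        "ping"; -- Replies to XMPP pings with pongs
        "pep"; -- Enables users to publish their mood, activity, playing music and more
        -- In-band account creation is gated by allow_registration below (false),
        -- so this module only provides password changes for existing accounts.
        "register"; -- Allow users to register on this server using a client and change passwords

    -- Admin interfaces
        "admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
        --"admin_telnet"; -- Opens telnet console interface on localhost port 5582

    -- HTTP modules
        --"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
        --"http_files"; -- Serve static files from a directory over HTTP

    -- Other specific functionality
        --"groups"; -- Shared roster support
        --"announce"; -- Send announcement to all online users
        --"welcome"; -- Welcome users who register accounts
        --"watchregistrations"; -- Alert admins of registrations
        --"motd"; -- Send a message to users when they log in
        --"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
};

modules_disabled = {
      -- "offline"; -- Store offline messages
      -- "c2s"; -- Handle client connections
      -- "s2s"; -- Handle server-to-server connections
};

-- No self-service account creation; accounts have to be created by an admin.
allow_registration = false;

-- Server-wide default certificate. Hosts without their own ssl block (the
-- Components at the bottom of the file) fall back to this self-signed pair;
-- the VirtualHost below supplies its own Let's Encrypt certificate.
ssl = {
      key = "/etc/prosody/certs/localhost.key";
      certificate = "/etc/prosody/certs/localhost.crt";
}

-- Refuse plaintext client and server-to-server sessions; s2s_secure_auth
-- additionally requires remote servers to present a verifiable certificate
-- rather than relying on dialback alone.
c2s_require_encryption = true
s2s_require_encryption = true
s2s_secure_auth = true

pidfile = "/var/run/prosody/prosody.pid"

-- NOTE(review): internal_plain stores account passwords in clear text in the
-- data store; internal_hashed stores salted hashes instead. Switching requires
-- every user's password to be set again, so the value is left unchanged here.
authentication = "internal_plain"

log = {
    info = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for verbose logging
    error = "/var/log/prosody/prosody.err";
    "*syslog";
}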

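VirtualHost "mydomain.com"
    -- Per-host TLS settings; these replace the global ssl block for this host.
    ssl = {
        -- NOTE(review): these paths point into Let's Encrypt's archive/
        -- directory, which pins one specific certificate generation (the "3"
        -- suffix). After a renewal the files named here keep the old,
        -- expiring certificate; the live/<domain>/ symlinks are what track the
        -- current one. Left as-is because it is the author's layout.
        key             = "/etc/letsencrypt/archive/mydomain.com/privkey3.pem";
        certificate     = "/etc/letsencrypt/archive/mydomain.com/fullchain3.pem";
        cafile          = "/etc/ssl/certs/ca-certificates.crt";
        -- Cipher preference: ECDHE (forward secrecy) with AEAD suites first,
        -- then SHA-2 HMAC suites, then plain ECDHE/DHE as a fallback; the "!"
        -- entries exclude anonymous, null, export-grade, legacy and weak-hash
        -- suites. The AES-GCM and SHA256/SHA384 suites exist only in TLS 1.2,
        -- so on a TLS 1.0 connection (the behaviour the question observes) the
        -- negotiation can only land on the CBC fallback suites.
        -- The original list also contained "EECDH+aRSA+RC4" followed by "!RC4",
        -- which cancels it; that entry is dropped so the list reads the way it
        -- actually behaves (the enabled set is unchanged).
        ciphers = "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4";
        -- 2048-bit group for the EDH+aRSA suites.
        dhparam = "/etc/pki/tls/dh-2048.pem";
        -- NOTE(review): no "protocol" entry on purpose. Per the question,
        -- protocol = "tlsv1_2" is rejected as "invalid protocol" by this
        -- installation, which suggests the underlying LuaSec build predates
        -- that value; check the LuaSec version before relying on a protocol
        -- setting to force TLS 1.2.
    }



-- These components have no ssl block of their own and so appear to fall
-- back to the global (localhost) certificate defined above.
Component "conference.mydomain.com" "muc"
Component "proxy.mydomain.com" "proxy65"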
