author | Evgeny Khramtsov <ekhramtsov@process-one.net> | 2019-04-28 17:50:52 +0300 |
---|---|---|
committer | Evgeny Khramtsov <ekhramtsov@process-one.net> | 2019-04-28 17:50:52 +0300 |
commit | 830a2f209abaef106d7f87a22b234f9f944fdc93 (patch) | |
tree | 609fbc842398c8b18fd509a0005b22e3b10295bd /ejabberd.yml.example | |
parent | Remove OMEMO related configuration from force_node_config section (diff) |
Remove TLS options from the example config
The purpose is two-fold:
- To simplify the example config.
- To avoid an old TLS configuration persisting across
server updates: this might cause security problems, because
what is considered "modern" now might be insecure in the future.
Diffstat (limited to '')
-rw-r--r-- | ejabberd.yml.example | 20 |
1 files changed, 0 insertions, 20 deletions
diff --git a/ejabberd.yml.example b/ejabberd.yml.example
index 9c8001cd..52a9c9f6 100644
--- a/ejabberd.yml.example
+++ b/ejabberd.yml.example
@@ -39,24 +39,6 @@ certfiles:
   - "/etc/letsencrypt/live/localhost/fullchain.pem"
   - "/etc/letsencrypt/live/localhost/privkey.pem"
 
-define_macro:
-  # TLS options for client not being able to use modern ciphers (Windows XP+, Android 3.0+)
-  CIPHERS_INTERMEDIATE: "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
-  PROTOCOL_OPTIONS_INTERMEDIATE:
-    - "no_sslv2"
-    - "no_sslv3"
-
-  # TLS options for client able to use modern ciphers (Windows 7+, Android 5.0+)
-  CIPHERS_MODERN: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
-  PROTOCOL_OPTIONS_MODERN:
-    - "no_sslv2"
-    - "no_sslv3"
-    - "no_tlsv1"
-    - "no_tlsv1_1"
-
-c2s_ciphers: CIPHERS_INTERMEDIATE
-c2s_protocol_options: PROTOCOL_OPTIONS_INTERMEDIATE
-
 listen:
   -
     port: 5222
@@ -82,8 +64,6 @@ listen:
       "/ws": ejabberd_http_ws
     web_admin: true
     captcha: true
-    ciphers: CIPHERS_INTERMEDIATE
-    protocol_options: PROTOCOL_OPTIONS_INTERMEDIATE
     tls: true
   -
     port: 5280