authorAlexey Shchepin <alexey@process-one.net>2013-11-28 19:39:11 +0200
committerAlexey Shchepin <alexey@process-one.net>2013-11-28 19:39:11 +0200
commit1dd94ac0d06822daa8c394ea2da20d91c8209124 (patch)
treeb0eef12d917d16c0de94d34471b8780803e0fbc7
parentadd Pubsub data migration from mnesia to odbc (EJAB-1126) (diff)
Support for OpenSSL ciphers list in ejabberd_c2s, ejabberd_s2s_in and ejabberd_s2s_out
-rw-r--r--doc/guide.tex7
-rw-r--r--src/ejabberd_c2s.erl1
-rw-r--r--src/ejabberd_s2s_in.erl9
-rw-r--r--src/ejabberd_s2s_out.erl9
4 files changed, 21 insertions, 5 deletions
diff --git a/doc/guide.tex b/doc/guide.tex
index 1278dfbbd..4d3b2b4ff 100644
--- a/doc/guide.tex
+++ b/doc/guide.tex
@@ -869,7 +869,8 @@ The available modules, their purpose and the options allowed by each one are:
\begin{description}
\titem{\texttt{ejabberd\_c2s}}
Handles c2s connections.\\
- Options: \texttt{access}, \texttt{certfile}, \texttt{max\_fsm\_queue},
+ Options: \texttt{access}, \texttt{certfile}, \texttt{ciphers},
+ \texttt{max\_fsm\_queue},
\texttt{max\_stanza\_size}, \texttt{shaper},
\texttt{starttls}, \texttt{starttls\_required}, \texttt{tls},
\texttt{zlib}, \texttt{tls\_compression}
@@ -908,6 +909,8 @@ This is a detailed description of each option allowed by the listening modules:
Simple web page that allows a user to fill a CAPTCHA challenge (see section \ref{captcha}).
\titem{certfile: Path} Full path to a file containing the default SSL certificate.
To define a certificate file specific for a given domain, use the global option \term{domain\_certfile}.
+ \titem{ciphers: Ciphers} OpenSSL ciphers list in the same format accepted by
+ `\verb|openssl ciphers|' command.
\titem{default\_host: undefined|HostName\}}
If the HTTP request received by ejabberd contains the HTTP header \term{Host}
with an ambiguous virtual host that doesn't match any one defined in ejabberd (see \ref{hostnames}),
@@ -1054,6 +1057,8 @@ There are some additional global options that can be specified in the ejabberd c
file containing a SSL certificate.
\titem{domain\_certfile: Path} \ind{options!domain\_certfile}
Full path to the file containing the SSL certificate for a specific domain.
+ \titem{s2s\_ciphers: Ciphers} \ind{options!s2s\_ciphers} OpenSSL ciphers list
+ in the same format accepted by `\verb|openssl ciphers|' command.
\titem{outgoing\_s2s\_families: [Family, ...]} \ind{options!outgoing\_s2s\_families}
Specify which address families to try, in what order.
By default it first tries connecting with IPv4, if that fails it tries using IPv6.
diff --git a/src/ejabberd_c2s.erl b/src/ejabberd_c2s.erl
index 610f22c24..fa8ec3f5b 100644
--- a/src/ejabberd_c2s.erl
+++ b/src/ejabberd_c2s.erl
@@ -241,6 +241,7 @@ init([{SockMod, Socket}, Opts]) ->
TLS = StartTLS orelse
StartTLSRequired orelse TLSEnabled,
TLSOpts1 = lists:filter(fun ({certfile, _}) -> true;
+ ({ciphers, _}) -> true;
(_) -> false
end,
Opts),
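Review bot: The added `({ciphers, _}) -> true;` clause forwards the listener's `ciphers` value to the TLS options exactly as the config parser produced it, whereas the ejabberd_s2s_in and ejabberd_s2s_out hunks of this commit normalise the equivalent value with `fun iolist_to_binary/1`; whether the TLS layer below accepts a list as well as a binary is not visible here, so the c2s path is the one most likely to differ. Mapping the kept pair afterwards, `{ciphers, C} -> {ciphers, iolist_to_binary(C)}`, would keep all three call sites consistent. Nothing checks that the cipher list is non-empty or parsable, so a typo in the option would presumably surface only when the TLS socket is set up rather than at listener start; a comment such as `%% ciphers is passed through unvalidated; an unparsable list fails at TLS setup` would make that explicit. The `init/1` body continues outside the hunk.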
diff --git a/src/ejabberd_s2s_in.erl b/src/ejabberd_s2s_in.erl
index dd1c93c8d..2823cde62 100644
--- a/src/ejabberd_s2s_in.erl
+++ b/src/ejabberd_s2s_in.erl
@@ -177,9 +177,14 @@ init([{SockMod, Socket}, Opts]) ->
undefined -> [];
CertFile -> [{certfile, CertFile}]
end,
+ TLSOpts2 = case ejabberd_config:get_option(
+ s2s_ciphers, fun iolist_to_binary/1) of
+ undefined -> TLSOpts1;
+ Ciphers -> [{ciphers, Ciphers} | TLSOpts1]
+ end,
TLSOpts = case proplists:get_bool(tls_compression, Opts) of
- false -> [compression_none | TLSOpts1];
- true -> TLSOpts1
+ false -> [compression_none | TLSOpts2];
+ true -> TLSOpts2
end,
Timer = erlang:start_timer(?S2STIMEOUT, self(), []),
{ok, wait_for_stream,
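Review bot: The `TLSOpts2` lookup added here is duplicated line for line in the ejabberd_s2s_out hunk of this commit, and both paths pass the `s2s_ciphers` value straight through `iolist_to_binary/1` with no check that it is non-empty or well-formed, so a mistyped cipher list would presumably be reported only when the TLS socket is set up, not at startup. Extracting the lookup into one shared helper that returns either `[{ciphers, Ciphers}]` or `[]` would keep the inbound and outbound paths in step once validation is added. A comment on the `TLSOpts2` line such as `%% s2s_ciphers is global: the same cipher list applies to every remote domain` would also spare readers a trip to the config module. `init/1` continues past the end of the hunk.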
diff --git a/src/ejabberd_s2s_out.erl b/src/ejabberd_s2s_out.erl
index f52a673e4..a5acdad95 100644
--- a/src/ejabberd_s2s_out.erl
+++ b/src/ejabberd_s2s_out.erl
@@ -191,13 +191,18 @@ init([From, Server, Type]) ->
undefined -> [connect];
CertFile -> [{certfile, CertFile}, connect]
end,
+ TLSOpts2 = case ejabberd_config:get_option(
+ s2s_ciphers, fun iolist_to_binary/1) of
+ undefined -> TLSOpts1;
+ Ciphers -> [{ciphers, Ciphers} | TLSOpts1]
+ end,
TLSOpts = case ejabberd_config:get_option(
{s2s_tls_compression, From},
fun(true) -> true;
(false) -> false
end, true) of
- false -> [compression_none | TLSOpts1];
- true -> TLSOpts1
+ false -> [compression_none | TLSOpts2];
+ true -> TLSOpts2
end,
{New, Verify} = case Type of
{new, Key} -> {Key, false};
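Review bot: `s2s_ciphers` is read with the global form `ejabberd_config:get_option(s2s_ciphers, ...)` immediately above the per-domain `{s2s_tls_compression, From}` lookup, so the cipher policy cannot vary by local domain the way compression can; whether that asymmetry is intended is not visible in this hunk. If per-domain configuration is wanted, the new lookup could mirror the compression one by keying on `{s2s_ciphers, From}` and falling back to the global value through the three-argument `get_option` default already used on the next lines. Otherwise a comment such as `%% s2s_ciphers is global; tls_compression below is per local domain` on the `TLSOpts2` line would record the decision. `init/1` continues outside the hunk.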