In modern versions of ejabberd, custom Diffie-Hellman parameters can be used by supplying a self-generated PEM file to the dhfile and s2s_dhfile options in ejabberd.yml. I created different DH parameter PEM files in three different ways:
```sh
openssl dhparam -out dh.pem 2048
openssl dhparam -out dh.pem 4096
openssl genpkey -genparam -algorithm DH -out dhp4096.pem -pkeyopt dh_paramgen_prime_len:4096
```
placed them in /etc/ejabberd/ and configured ejabberd accordingly:
```yaml
hosts:
  - "somehost.tld"

access:
  announce:
    admin: allow
  c2s:
    blocked: deny
    all: allow
  c2s_shaper:
    admin: none
    all: normal
  configure:
    admin: allow
  local:
    local: allow
  max_user_offline_messages:
    admin: 100
    all: 100
  max_user_sessions:
    all: 10
  muc:
    all: allow
  muc_admin:
    admin: allow
  pubsub_createnode:
    all: allow
  register:
    all: allow
  s2s:
    all: allow
  s2s_shaper:
    all: fast

acl:
  admin:
    user:
      - "admin": "somehost.tld"
  local:
    user_regexp:
      - ""
  blocked:
    user:
      - "reklama": "sj.ms"
      - "cc6523": "tigase.im"
      - "reklama403": "kdetalk.net"
      - "pp241331": "kdetalk.net"
      - "advertising": "bin.vc"
      - "swiped_su6070": "debianforum.de"

auth_method: odbc
odbc_database: "ejabberd"
odbc_keepalive_interval: 3600
odbc_password: "YZucuq3vSdfPDnzs"
odbc_port: 3306
odbc_server: "127.0.0.1"
odbc_type: mysql
odbc_username: "ejabberdusr"

captcha_cmd: "/usr/lib/x86_64-linux-gnu/ejabberd/priv/bin/captcha.sh"
captcha_host: "http://somehost.tld:5280"
captcha_limit: 5

language: "en"

define_macro:
  'TLS_CIPHERS': "ECDH:DH:!CAMELLIA128:!3DES:!MD5:!RC4:!aNULL:!NULL:!EXPORT:!LOW:!MEDIUM"

listen:
  -
    port: 5222
    module: ejabberd_c2s
    certfile: "/etc/ejabberd/cert/somehost.tld.pem"
    dhfile: "/etc/ejabberd/dhp4096.pem"
    starttls: true
    starttls_required: true
    stream_management: true
    max_ack_queue: 1000
    resend_on_timeout: true
    max_stanza_size: 65536
    shaper: c2s_shaper
    access: c2s
    protocol_options:
      - "no_sslv3"
    ciphers: 'TLS_CIPHERS'
    resend_on_timeout: if_offline
    zlib: true
  -
    port: 5269
    module: ejabberd_s2s_in
    transport: tcp
    max_stanza_size: 131072
    shaper: s2s_shaper
  -
    port: 5280
    module: ejabberd_http
    web_admin: true
    captcha: true

loglevel: 2
max_fsm_queue: 1000

modules:
  mod_adhoc: []
  mod_announce:
    access: announce
  mod_blocking: {} # requires mod_privacy
  mod_caps: []
  mod_carboncopy: {}
  mod_configure: []
  ## mod_admin_extra: []
  mod_disco: []
  mod_irc: []
  mod_last: []
  mod_muc:
    host: "muc.@HOST@"
    access: all
    access_create: all
    access_persistent: all
    access_admin: muc_admin
    max_users: 500
    history_size: 1000
    default_room_options:
      allow_change_subj: true
      allow_private_messages: true
      allow_private_messages_from_visitors: anyone
      allow_query_users: false
      allow_user_invites: true
      allow_visitor_nickchange: true
      allow_visitor_status: true
      anonymous: false
      captcha_protected: false
      logging: true
      max_users: 200
      members_by_default: true
      members_only: false
      moderated: false
      password_protected: false
      persistent: false
      public: true
      public_list: true
  mod_muc_log:
    access_log: muc_admin
    dirname: room_name
    dirtype: subdirs
    file_format: html
    outdir: "/var/www/muc"
    spam_prevention: false
    timezone: local
    top_link:
      "/": "Jedem das Seine."
  mod_offline:
    access_max_user_messages: max_user_offline_messages
  mod_ping: {}
  mod_privacy: []
  mod_private: []
  ## mod_proxy65:
  ##   access: all
  ##   shaper: c2s_shaper
  mod_pubsub:
    access_createnode: pubsub_createnode
    pep_sendlast_offline: false
    last_item_cache: false
    plugins:
      - "flat"
      - "hometree"
      - "pep"
  mod_register:
    welcome_message:
      subject: "Welcome!"
      body: "Welcome"
    captcha_protected: true
    access: register
  mod_roster: []
  mod_shared_roster: {}
  mod_stats: []
  mod_time: []
  mod_vcard: []
  mod_version: []
  mod_mam:
    db_type: odbc
    default: never

registration_timeout: 600
outgoing_s2s_port: 5269
outgoing_s2s_timeout: 10000
s2s_access: s2s
s2s_certfile: "/etc/ejabberd/cert/somehost.tld.pem"
s2s_dhfile: "/etc/ejabberd/dhp4096.pem"
s2s_use_starttls: required
s2s_protocol_options:
  - "no_sslv3"
s2s_ciphers: 'TLS_CIPHERS'
shaper:
  normal: 1000
  fast: 50000
watchdog_admins:
  - []
auth_password_format: plain
fqdn: "somehost.tld"
```
None of these DH parameter files worked. The XMPP.net testing tool still warns:
Server uses Diffie-Hellman parameters of < 2048 bits. Grade capped to B.
and in the "Ciphers" section it really does show 1024 bits, not 2048 or 4096:
Is it me and my configuration, or is it the XMPP.net tool? How can I check the DH bit size myself?
The server runs Debian 8.2 "Jessie" (stable) with ejabberd 15.09 from the testing repository.
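To answer the "how can I check it myself" part independently of the XMPP.net grader, here is an added example (not from the question or the answer below) that uses `openssl s_client` over XMPP STARTTLS to read the DH group size the server actually negotiates. It assumes OpenSSL 1.0.2 or newer (which prints the `Server Temp Key` line and accepts `-xmpphost`), and the host, port and domain you pass are placeholders.

```sh
#!/bin/sh
# Added example: report the Diffie-Hellman group size a running ejabberd
# c2s listener negotiates, instead of trusting the external grader.

# Parse `openssl s_client` output (on stdin) and print the DH group size
# in bits, or "none" when no DHE key exchange was negotiated at all.
# The interesting line looks like:   Server Temp Key: DH, 1024 bits
dh_bits_from_s_client() {
    _bits=$(sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits$/\1/p' | head -n 1)
    echo "${_bits:-none}"
}

# Probe a c2s port through STARTTLS. The cipher string forces a DHE suite
# (and excludes ECDHE and anonymous DH), because with ECDHE selected the
# dhfile parameters are never sent and you would learn nothing about them.
# Arguments: host [port] [xmpp domain]; all placeholders in this example.
probe_dh_bits() {
    _host="$1"; _port="${2:-5222}"; _domain="${3:-$1}"
    openssl s_client -connect "$_host:$_port" -starttls xmpp -xmpphost "$_domain" \
        -cipher 'DH:!ECDH:!aNULL' </dev/null 2>/dev/null | dh_bits_from_s_client
}

# Apply the same threshold the XMPP.net warning quoted above uses:
# anything below 2048 bits is what caps the grade.
dh_grade() {
    case "$1" in
        none) echo "no DHE key exchange negotiated" ;;
        *)
            if [ "$1" -lt 2048 ]; then
                echo "weak ($1 bits < 2048)"
            else
                echo "ok ($1 bits)"
            fi
            ;;
    esac
}

# Usage: ./dhcheck.sh somehost.tld 5222 somehost.tld
if [ "$#" -gt 0 ]; then
    dh_grade "$(probe_dh_bits "$@")"
fi
```

If the result stays at 1024 bits after a restart even though dhfile points at a 4096-bit file, the parameters are not being picked up by the TLS layer at all, which is exactly the situation the accepted answer below explains.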
Found the culprit: the Diffie-Hellman parameters are handled by erlang-p1-tls. So when you upgrade ejabberd to the version from the testing repository, you should also upgrade the erlang-p1-tls package to the testing version:
```sh
sudo apt-get install erlang-p1-tls/testing
```
Actually, to get the testing version of ejabberd working properly on stable Debian, update all of the erlang-* packages to their testing versions.