我在我的Ubuntu 14.04 LTS服务器上运行Prosody。 我安装了OpenSSL 1.01f,通过运行openssl version来确认。 TLSv1.2支持并通过运行openssl ciphers -v 'TLSv1.2'
我遵循这个指南来启用前向保密。
尽pipe如此,似乎我的Prosody服务器仍然使用TLSv1.0,通过检查XMPP天文台以及运行命令openssl s_client -connect mydomain.com:5222 -starttls xmpp < /dev/null这导致了TLS1.0连接。
添加protocol = "tlsv1_2"; 到我的configuration下SSL选项导致Prosody错误日志报告“无效的协议”。
这里是我的韵律configuration的副本:
admins = {"[email protected]"} modules_enabled = { -- Generally required "roster"; -- Allow users to have a roster. Recommended ;) "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in. "tls"; -- Add support for secure TLS on c2s/s2s connections "dialback"; -- s2s dialback support "disco"; -- Service discovery "posix"; -- POSIX functionality, sends server to background, enables syslog, etc. -- Not essential, but recommended "private"; -- Private XML storage (for room bookmarks, etc.) "vcard"; -- Allow users to set vCards -- These are commented by default as they have a performance impact --"privacy"; -- Support privacy lists "compression"; -- Stream compression (requires the lua-zlib package installed) -- Nice to have "version"; -- Replies to server version requests "uptime"; -- Report how long server has been running "time"; -- Let others know the time here on this server "ping"; -- Replies to XMPP pings with pongs "pep"; -- Enables users to publish their mood, activity, playing music and more "register"; -- Allow users to register on this server using a client and change passwords -- Admin interfaces "admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands --"admin_telnet"; -- Opens telnet console interface on localhost port 5582 -- HTTP modules --"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP" --"http_files"; -- Serve static files from a directory over HTTP -- Other specific functionality --"groups"; -- Shared roster support --"announce"; -- Send announcement to all online users --"welcome"; -- Welcome users who register accounts --"watchregistrations"; -- Alert admins of registrations --"motd"; -- Send a message to users when they log in --"legacyauth"; -- Legacy authentication. Only used by some old clients and bots. }; modules_disabled = { -- "offline"; -- Store offline messages -- "c2s"; -- Handle client connections -- "s2s"; -- Handle server-to-server connections }; allow_registration = false; ssl = { key = "/etc/prosody/certs/localhost.key"; certificate = "/etc/prosody/certs/localhost.crt"; } c2s_require_encryption = true s2s_require_encryption = true s2s_secure_auth = true pidfile = "/var/run/prosody/prosody.pid" authentication = "internal_plain" log = { info = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for verbose logging error = "/var/log/prosody/prosody.err"; "*syslog"; } VirtualHost "mydomain.com" ssl = { key = "/etc/letsencrypt/archive/mydomain.com/privkey3.pem"; certificate = "/etc/letsencrypt/archive/mydomain.com/fullchain3.pem"; cafile = "/etc/ssl/certs/ca-certificates.crt"; ciphers="EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4"; dhparam = "/etc/pki/tls/dh-2048.pem"; } Component "conference.mydomain.com" "muc" Component "proxy.mydomain.com" "proxy65"