=== Notes of an Evil Admin » Ejabberd: getting grade A on xmpp.net ===

It was evening and there was nothing to do, so I decided to get myself this badge:

With the default settings you get grade C at best, which is kind of embarrassing. The weaknesses it reports come down to the use of insecure protocols (SSLv3) and insecure cipher suites. After digging through the documentation, I managed to configure the following.

c2s config:

    listen:
      -
        ...
        starttls_required: true
        protocol_options:
          - "no_sslv2"
          - "no_sslv3"
        tls_compression: false
        dhfile: "/usr/local/etc/ejabberd/dh.pem"
        ciphers: "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES256-GCM-SHA384:CAMELLIA256-SHA:AES256-SHA256:AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-SEED-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:AES128-GCM-SHA256:SEED-SHA:CAMELLIA128-SHA:AES128-SHA256:AES128-SHA:IDEA-CBC-SHA"

s2s config:

    s2s_use_starttls: optional
    s2s_protocol_options:
      - "no_sslv2"
      - "no_sslv3"
    s2s_tls_compression: false
    s2s_dhfile: "/usr/local/etc/ejabberd/dh.pem"
    s2s_ciphers: "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES256-GCM-SHA384:CAMELLIA256-SHA:AES256-SHA256:AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-SEED-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:AES128-GCM-SHA256:SEED-SHA:CAMELLIA128-SHA:AES128-SHA256:AES128-SHA:IDEA-CBC-SHA"

The dh.pem file is generated with:

    openssl dhparam -out dh.pem 2048

For compatibility reasons I had to leave STARTTLS optional for s2s. Some old clients that cannot do TLS also stopped working, for example an old Miranda. As a workaround you can bring up a separate listener on another port for them, but that is left to the admin's discretion.
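As an added example (not part of the original post), here is a small Python script that audits the cipher string from the config above: it splits it the way OpenSSL does, flags suites without forward secrecy, CBC-only suites and legacy algorithms (IDEA, SEED), and derives a forward-secrecy-only variant of the string. The classification rules are my own simplified heuristics, not xmpp.net's grading criteria.

```python
# Added example (not from the post): audit an OpenSSL cipher string like the one
# above. The PFS/AEAD/legacy rules are simplified heuristics, not xmpp.net's grading.
# The c2s/s2s cipher string from the config above, line breaks rejoined.
EJABBERD_CIPHERS = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:"
    "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA256:"
    "DHE-RSA-AES256-SHA:AES256-GCM-SHA384:CAMELLIA256-SHA:AES256-SHA256:"
    "AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:"
    "ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-SEED-SHA:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:"
    "AES128-GCM-SHA256:SEED-SHA:CAMELLIA128-SHA:AES128-SHA256:AES128-SHA:"
    "IDEA-CBC-SHA"
)
LEGACY_TAGS = ("IDEA", "SEED", "RC4", "DES", "NULL", "EXP", "MD5")

def parse_cipher_string(cipher_string):
    """Split an OpenSSL ':'-separated cipher list, dropping empty entries."""
    return [c.strip() for c in cipher_string.split(":") if c.strip()]

def describe(suite):
    """Classify one suite name by key exchange, AEAD status and legacy algorithms."""
    return {
        # (EC)DHE key exchange gives forward secrecy; plain RSA key exchange does not.
        "pfs": suite.startswith(("ECDHE-", "DHE-")),
        # GCM and ChaCha20 are AEAD; everything else in this list is CBC with HMAC-SHA.
        "aead": "-GCM-" in suite or "CHACHA20" in suite,
        "legacy": any(tag in suite for tag in LEGACY_TAGS),
    }

def audit(cipher_string):
    """Return the suites falling into each weak category, in config order."""
    report = {"total": 0, "no_pfs": [], "non_aead": [], "legacy": []}
    for suite in parse_cipher_string(cipher_string):
        props = describe(suite)
        report["total"] += 1
        if not props["pfs"]:
            report["no_pfs"].append(suite)
        if not props["aead"]:
            report["non_aead"].append(suite)
        if props["legacy"]:
            report["legacy"].append(suite)
    return report

def pfs_only(cipher_string):
    """Rebuild the string keeping only forward-secret, non-legacy suites, order preserved."""
    keep = [s for s in parse_cipher_string(cipher_string)
            if describe(s)["pfs"] and not describe(s)["legacy"]]
    return ":".join(keep)
```

Run `audit(EJABBERD_CIPHERS)` to see that 10 of the 25 suites above lack forward secrecy and 3 use IDEA or SEED; `pfs_only()` gives the 14-suite subset you could try in place of the full list.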