|
@@ -1,13 +1,17 @@
|
|
|
# only allow tls1.2 and tls1.3
|
|
|
-protocol_options:
|
|
|
- - "no_sslv2"
|
|
|
- - "no_sslv3"
|
|
|
- - "no_tlsv1"
|
|
|
- - "no_tlsv1_1"
|
|
|
- - "no_compression"
|
|
|
-
|
|
|
-ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256"
|
|
|
+define_macro:
|
|
|
+ 'TLS_CIPHERS': "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
|
|
|
+ 'TLS_OPTIONS':
|
|
|
+ - "no_sslv3"
|
|
|
+ - "no_tlsv1"
|
|
|
+ - "no_tlsv1_1"
|
|
|
+ - "cipher_server_preference"
|
|
|
+ - "no_compression"
|
|
|
|
|
|
+c2s_ciphers: 'TLS_CIPHERS'
|
|
|
+s2s_ciphers: 'TLS_CIPHERS'
|
|
|
+c2s_protocol_options: 'TLS_OPTIONS'
|
|
|
+s2s_protocol_options: 'TLS_OPTIONS'
|
|
|
|
|
|
certfiles:
|
|
|
- /etc/ssl/ejabberd/fullchain.pem
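Review bot: The new `TLS_CIPHERS` value still ends with four CBC-mode suites (`ECDHE-ECDSA-AES256-SHA384`, `ECDHE-RSA-AES256-SHA384`, `ECDHE-ECDSA-AES128-SHA256`, `ECDHE-RSA-AES128-SHA256`), although the header comment says only TLS 1.2 and 1.3 are allowed. Clients that speak TLS 1.2 almost always offer an AEAD suite, so the list could stop after the GCM and CHACHA20-POLY1305 entries: `'TLS_CIPHERS': "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"`. The `c2s_*` and `s2s_*` options presumably cover only client and server-to-server connections, so any TLS-enabled HTTP listener would still need the same macros in its own `ciphers` and `protocol_options`; the listener section is outside this hunk, so this is worth checking. The comment could also be extended to `# only allow tls1.2 and tls1.3; TLS_CIPHERS lists TLS 1.2 suites only, TLS 1.3 suites follow the TLS library defaults`, which is how OpenSSL-style cipher strings normally behave and should be confirmed for this build.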
|