30-tls.yml 697 B

1234567891011121314151617181920
  1. # only allow tls1.2 and tls1.3
  2. define_macro:
  3. 'TLS_CIPHERS': "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
  4. 'TLS_OPTIONS':
  5. - "no_sslv3"
  6. - "no_tlsv1"
  7. - "no_tlsv1_1"
  8. - "cipher_server_preference"
  9. - "no_compression"
  10. c2s_ciphers: 'TLS_CIPHERS'
  11. s2s_ciphers: 'TLS_CIPHERS'
  12. c2s_protocol_options: 'TLS_OPTIONS'
  13. s2s_protocol_options: 'TLS_OPTIONS'
  14. s2s_use_starttls: required
  15. certfiles:
  16. - /etc/ssl/ejabberd/fullchain.pem
  17. - /etc/ssl/ejabberd/key.pem