Hello
After updating ejabberd from 17.04 to 17.08, I get the following errors:
2017-09-03 12:14:36.504 [error] <0.260.0>@ejabberd_listener:validate_module_option:610 unknown listen option 'starttls_required' for 'ejabberd_s2s_in' will be likely ignored, available options are: shaper, certfile, ciphers, dhfile, cafile, protocol_options, tls_compression, tls, max_fsm_queue
2017-09-03 12:14:36.504 [error] <0.260.0>@ejabberd_listener:validate_module_option:610 unknown listen option 'starttls' for 'ejabberd_s2s_in' will be likely ignored, available options are: shaper, certfile, ciphers, dhfile, cafile, protocol_options, tls_compression, tls, max_fsm_queue
2017-09-03 12:14:36.551 [error] <0.260.0>@ejabberd_listener:validate_module_option:610 unknown listen option 'starttls_required' for 'ejabberd_s2s_in' will be likely ignored, available options are: shaper, certfile, ciphers, dhfile, cafile, protocol_options, tls_compression, tls, max_fsm_queue
2017-09-03 12:14:36.551 [error] <0.260.0>@ejabberd_listener:validate_module_option:610 unknown listen option 'starttls' for 'ejabberd_s2s_in' will be likely ignored, available options are: shaper, certfile, ciphers, dhfile, cafile, protocol_options, tls_compression, tls, max_fsm_queue
However, the desired options are applied.
ejabberd.yml:
define_macro:
  'OPENSSL_CIPHER_STRING': "TLS13-AES-256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:HIGH:!MEDIUM:!LOW:!WEAK:!EXPORT:!NULL:!aNULL:!RSA:!kDH:!kECDH:!DSS:!3DES"
  'CERTIFICATE_FILE': "**cert**"
  'DHPARAM': "**dhparam.pem**"
  'PROTOCOL_OPTIONS':
    - "cipher_server_preference"
    - "no_sslv2"
    - "no_sslv3"
    - "no_tlsv1"
    - "no_tlsv1_1"
listen:
  -
    ip: "0.0.0.0"
    port: 5269
    module: ejabberd_s2s_in
    max_stanza_size: 131072
    shaper: s2s_shaper
    tls_compression: true
    ciphers: 'OPENSSL_CIPHER_STRING'
    certfile: 'CERTIFICATE_FILE'
    dhfile: 'DHPARAM'
    starttls: true
    starttls_required: true
    protocol_options: 'PROTOCOL_OPTIONS'
  -
    ip: "::"
    port: 5269
    module: ejabberd_s2s_in
    max_stanza_size: 131072
    shaper: s2s_shaper
    tls_compression: true
    ciphers: 'OPENSSL_CIPHER_STRING'
    certfile: 'CERTIFICATE_FILE'
    dhfile: 'DHPARAM'
    starttls: true
    starttls_required: true
    protocol_options: 'PROTOCOL_OPTIONS'
s2s_use_starttls: required
s2s_certfile: 'CERTIFICATE_FILE'
s2s_dhfile: 'DHPARAM'
s2s_ciphers: 'OPENSSL_CIPHER_STRING'
s2s_protocol_options: 'PROTOCOL_OPTIONS'
outgoing_s2s_families:
  - ipv6
  - ipv4
Does the option s2s_use_starttls apply for outgoing and incoming s2s connections?
Thanks and kind regards.
Andy_2639 wrote:
Does the option s2s_use_starttls apply for outgoing and incoming s2s connections?
I think yes, because that option is read both in ejabberd_s2s_in.erl and in ejabberd_s2s_out.erl
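The following is an added example, not part of either post and not ejabberd code: a small check that reads the "unknown listen option" errors shown in the question and confirms that the global s2s_use_starttls setting still enforces TLS once the listener-level options are ignored. The function names and the sample strings are constructed for illustration, and treating only the value `required` (the one used in the post) as enforcing is an assumption.

```python
import re
from collections import defaultdict

# Message format of ejabberd_listener:validate_module_option, as quoted in the post.
LOG_RE = re.compile(r"unknown listen option '([^']+)' for '([^']+)'")
ENFORCING = {"required"}  # assumption: only the value shown in the post counts

def ignored_options(log_text):
    """Return {module: sorted unknown listener options}, de-duplicated across listeners."""
    found = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            found[m.group(2)].add(m.group(1))
    return {mod: sorted(opts) for mod, opts in found.items()}

def top_level_value(config_text, key):
    """Read an unindented 'key: value' scalar from ejabberd.yml text."""
    m = re.search(rf"^{re.escape(key)}:[ \t]*(\S+)", config_text, re.MULTILINE)
    return m.group(1).strip("'\"") if m else None

def s2s_tls_findings(log_text, config_text):
    """Report ignored starttls listener options and whether the global option covers them."""
    ignored = ignored_options(log_text).get("ejabberd_s2s_in", [])
    tls_opts = [o for o in ignored if o.startswith("starttls")]
    if not tls_opts:
        return []
    findings = ["remove from ejabberd_s2s_in listeners: " + ", ".join(tls_opts)]
    value = top_level_value(config_text, "s2s_use_starttls")
    if value not in ENFORCING:
        findings.append(f"s2s_use_starttls is {value!r}; s2s TLS is not enforced")
    return findings

# Constructed sample input, abbreviated from the log lines in the question.
SAMPLE_LOG = """\
2017-09-03 12:14:36.504 [error] <0.260.0>@ejabberd_listener:validate_module_option:610 unknown listen option 'starttls_required' for 'ejabberd_s2s_in' will be likely ignored
2017-09-03 12:14:36.504 [error] <0.260.0>@ejabberd_listener:validate_module_option:610 unknown listen option 'starttls' for 'ejabberd_s2s_in' will be likely ignored
2017-09-03 12:14:36.551 [error] <0.260.0>@ejabberd_listener:validate_module_option:610 unknown listen option 'starttls' for 'ejabberd_s2s_in' will be likely ignored
"""
CONFIG_ENFORCED = "listen:\n  -\n    starttls: true\ns2s_use_starttls: required\n"
CONFIG_WEAK = "listen:\n  -\n    starttls_required: true\ns2s_use_starttls: optional\n"

if __name__ == "__main__":
    for name, cfg in (("enforced", CONFIG_ENFORCED), ("weak", CONFIG_WEAK)):
        print(name, s2s_tls_findings(SAMPLE_LOG, cfg))
```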