Ejabberd

ejabberd 網路管理員:安全連接失敗

  • December 9, 2018

背景資料

作業系統:Debian 穩定版(9.6)

ejabberd 版本:18.09-2(來自 backports)

我的配置基於https://gitlab.com/hanno/ejabberd-config (我將我的真實網址更改為 example.com)

# _%%_ Ejabberd config from schokokeks.org XMPP server.
# _%%_ We try to enable modern XMPP features and document to which XEP
# _%%_ they relate.
# _%%_ We also use a modern and secure TLS configuration where possible.
# NOTE(review): the ejabberd_http listener on port 5280 below carries no "tls: true",
# so it answers plain HTTP; the fix this page arrives at is to add "tls: true"
# (and "tls_compression: false") to that listener entry.

define_macro:
 'CIPHERS': "HIGH:!MEDIUM:!LOW:!3DES:!CAMELLIA:!aNULL:!RSA@STRENGTH"
 'TLSOPTS':
   - "no_sslv2"
   - "no_sslv3"
   - "cipher_server_preference"
# NOTE(review): only SSLv2/SSLv3 are disabled here, TLS 1.0/1.1 stay enabled.
# If the deployed ejabberd/OpenSSL accept "no_tlsv1" / "no_tlsv1_1", adding them
# tightens every listener that references 'TLSOPTS' -- confirm for this version.
# generated with: openssl dhparam -out dhparams.pem 2048
 'DHFILE': "/etc/ejabberd/dh2048-ejabberd.pem"
# Certificate/key pairs picked up for all TLS listeners (glob is a literal string, not a YAML alias).
certfiles:
 - "/etc/letsencrypt/live/*/fullchain.pem"
 - "/etc/letsencrypt/live/*/privkey.pem"

hosts:
 - "example.com"
# Access rules referenced by the listeners and modules below (name -> acl: decision).
access:
 announce:
   admin: allow
 c2s:
   blocked: deny
   all: allow
 c2s_shaper:
   admin: none
   all: normal
 local:
   local: allow
 max_user_offline_messages:
   admin: 5000
   all: 100
 max_user_sessions:
   all: 10
 muc:
   all: allow
 muc_admin:
   admin: allow
 muc_create:
   local: allow
 pubsub_createnode:
   all: allow
 register:
#  _%%_ Don't allow registration
   all: deny
 s2s_shaper:
   all: fast
acl:
 admin:
   user:
     - "kiigass": "example.com"
 local:
   user_regexp:
# empty regexp: every local user matches the "local" acl
     - ""
#  _%%_ We want internal authentication
auth_method:
 - mnesia
#  _%%_ store passwords with scram hash method.
#  _%%_ no DIGEST-MD5, needs plaintext storage of passwords.
auth_password_format: scram
disable_sasl_mechanisms: "DIGEST-MD5"
language: "en"
listen:
 -
   ip: "0.0.0.0"
   port: 5222
   module: ejabberd_c2s
   max_stanza_size: 65536
   shaper: c2s_shaper
   access: c2s
#  _%%_ DEPRECATED, uses mod_stream_mgmt
#  _%%_ XEP-0198, Stream Management
#  _%%_ Note: This is enabled by default, but we'd like to explicitly enable it
#    stream_management: true
#  _%%_ TLS compression is dangerous, see CRIME attack
   tls_compression: false
#  _%%_ Diffie Hellman parameters with 2048 bit, created with "openssl dhparam 2048"
   dhfile: 'DHFILE'
#  _%%_ We only want "HIGH" strength ciphers and explicitly disable
#  _%%_ 3DES (SWEET32 attack), RSA (no forward secrecy, Bleichenbacher attacks),
#  _%%_ CAMELLIA (unusual and not needed).
   ciphers: 'CIPHERS'
#  _%%_ We require STARTTLS for clients. No unencrypted logins
   starttls_required: true
#    certfile: "/etc/ejabberd/ejabberd.pem"
#  _%%_ Due to DROWN (SSLv2) and POODLE (SSLv3) all old SSL versions are considered insecure
   protocol_options: 'TLSOPTS'
 -
   ip: "0.0.0.0"
   port: 5269
   module: ejabberd_s2s_in
   max_stanza_size: 131072
   shaper: s2s_shaper
   protocol_options: 'TLSOPTS'
# NOTE(review): this listener has neither "ip:" nor "tls:"; web_admin, BOSH and
# captcha are served over plain HTTP (presumably on all interfaces -- confirm).
# A browser opening https://example.com:5280/ therefore gets a TLS handshake failure,
# which is exactly the "安全連接失敗" reported below; the fix is "tls: true" here.
 -
   port: 5280
   module: ejabberd_http
   web_admin: true
   http_bind: true
   captcha: true
#  _%%_ XEP-0363, HTTP File Upload
#  _%%_ Note: This only opens the port, further below is the module config itself
 -
   port: 5443
   module: ejabberd_http
   tls: true
#    certfile: "/etc/ejabberd/ejabberd.pem"
#  _%%_ See comments above for justification of TLS options
   tls_compression: false
   dhfile: 'DHFILE'
   ciphers: 'CIPHERS'
   protocol_options: 'TLSOPTS'
   request_handlers:
     "": mod_http_upload
loglevel: 4
max_fsm_queue: 1000
modules:
 mod_admin_extra: []
 mod_adhoc: []
 mod_announce:
   access: announce
#  _%%_ XEP-0115, Entity Capabilities
 mod_caps: []
# XEP-0157
 mod_disco:
   server_info:
     -
       modules: all
       name: "abuse-addresses"
       urls: ["mailto:kiigass@example.com"]
     -
       modules: all
       name: "security-addresses"
       urls: ["mailto:kiigass@example.com"]
 mod_bosh: []
 mod_last: []
#  _%%_ XEP-0045, Mult-User Chat (MUC)
 mod_muc:
   access: muc
   access_create: muc_create
   access_persistent: muc_create
   access_admin: muc_admin
 mod_offline:
   access_max_user_messages: max_user_offline_messages
 mod_ping:
   send_pings: true
   ping_interval: 10
   ping_ack_timeout: 5
   timeout_action: kill
 mod_privacy: []
 mod_private: []
#  _%%_ XEP-0065, SOCKS5 Bytestreams (Proxy)
 mod_proxy65:
   host: "proxy65.example.com"
   hostname: "proxy65.example.com"
   ip: "0.0.0.0"
   port: 7777
 mod_pubsub:
   access_createnode: pubsub_createnode
   ignore_pep_from_offline: false
   last_item_cache: true
   plugins:
     - "flat"
     - "hometree"
#  _%%_ XEP-0163, Personal Eventing Protocol (PEP), needed for Avatars / OMEMO
     - "pep"
#  _%%_ XEP-0237, Roster Versioning
 mod_roster:
   versioning: true
 mod_shared_roster: []
 mod_stats: []
#  _%%_ XEP-0198, Stream Management
#  _%%_ Note: This is enabled by default, but we'd like to explicitly enable it
 mod_stream_mgmt:
   max_resume_timeout: 30
   resend_on_timeout: if_offline
   resume_timeout: 30
   ack_timeout: 30
 mod_time: []
 mod_vcard: []
 mod_version: []
#  _%%_ XEP-0313, Message Archive Management (MAM)
 mod_mam:
   default: always
   assume_mam_usage: true
#  _%%_ XEP-0191, Blocking Command
 mod_blocking: []
#  _%%_ XEP-0352, Client State Indicator
 mod_client_state: []
#  _%%_ XEP-0280, Message Carbons
 mod_carboncopy: []
#  _%%_ XEP-0363, HTTP File Upload
#  _%%_ This is the configuration for the module, port config above.
 mod_http_upload:
#  _%%_ With this configuration for each domain name there must be a subdirectory
#  _%%_ in the docroot, e.g. /var/ejabberd-http-upload/example.org/
   thumbnail: false
   docroot: "/var/ejabberd-http-upload/"
   put_url: "https://example.com:5443/@HOST@"
 mod_s2s_dialback: []
# XEP-0078 non-SASL (legacy) authentication; NOTE(review): kept for old clients,
# presumably still covered by starttls_required on the c2s listener -- confirm.
 mod_legacy_auth: []
shaper:
 normal: 1000
 fast: 50000

# _%%_ TLS settings for s2s communication
s2s_use_starttls: required
#s2s_certfile: "/etc/ejabberd/ejabberd.pem"
s2s_dhfile: 'DHFILE'
# _%%_ For s2s we allow RSA key exchange for more compatibility
# NOTE(review): the line above disagrees with the value: 'CIPHERS' contains "!RSA",
# so RSA key exchange is excluded for s2s as well. Either the comment is stale or a
# separate, more permissive macro was intended here -- confirm which.
s2s_ciphers: 'CIPHERS'

問題

當我嘗試連接到 https://example.com:5280/ 或 https://example.com:5280/admin/ 時,我從 firefox 獲得:

安全連接失敗

與 example.com:5280 的連接在頁面載入時中斷。

您嘗試查看的頁面無法顯示,因為無法驗證接收到的數據的真實性。

請聯繫網站所有者告知他們這個問題。

當我同時觀看 /var/log/ejabberd/ejabberd.log (tail -f) 時,我得到:

2018-12-09 13:24:32.021 [info] <0.353.0>@ejabberd_listener:accept:221 (<0.479.0>) 接受連接 xxxx:7048 -> xxyy:5280

問題

我配置錯了什麼,我應該如何配置它以使其工作?

解決方案是必須明確定義 tls:true 。我還選擇將 tls_compression 設置為 false(CRIME 攻擊)。

工作配置是:

# Replacement for the "port: 5280" entry under listen: in the config above;
# the last two keys (tls, tls_compression) are the ones the fix adds.
port: 5280
module: ejabberd_http
web_admin: true
http_bind: true
captcha: true
# Without this the listener speaks plain HTTP and HTTPS requests fail the handshake;
# the certificate presumably comes from the top-level certfiles list -- confirm.
tls: true
# Disable TLS compression (CRIME), matching the c2s and 5443 listeners.
tls_compression: false

(我添加了最後兩行)。

引用自:https://serverfault.com/questions/943513