Ejabberd
ejabberd 網路管理員:安全連接失敗
背景資料
作業系統:Debian 穩定版(9.6)
ejabberd 版本:18.09-2(來自 Debian stretch-backports)
我的配置基於https://gitlab.com/hanno/ejabberd-config (我將我的真實網址更改為 example.com)
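# _%%_ Ejabberd config from schokokeks.org XMPP server.
# _%%_ We try to enable modern XMPP features and document to which XEP
# _%%_ they relate.
# _%%_ We also use a modern and secure TLS configuration where possible.
#
# Review notes are marked "NOTE(review)". The one functional change compared
# to the original paste is the port-5280 listener: it now has TLS enabled
# (and the same TLS hardening as the 5443 listener), because the web admin
# was being served as plaintext HTTP while it was opened via https://.

define_macro:
  # _%%_ HIGH strength only; no 3DES (SWEET32), no CAMELLIA, no anonymous
  # _%%_ suites, no RSA key exchange (no forward secrecy, Bleichenbacher).
  'CIPHERS': "HIGH:!MEDIUM:!LOW:!3DES:!CAMELLIA:!aNULL:!RSA@STRENGTH"
  # _%%_ SSLv2 (DROWN) and SSLv3 (POODLE) are disabled; the server picks the
  # _%%_ cipher, not the client.
  # NOTE(review): TLS 1.0/1.1 are still accepted here. Once the client base
  # allows it, consider adding "no_tlsv1" and "no_tlsv1_1" as well.
  'TLSOPTS':
    - "no_sslv2"
    - "no_sslv3"
    - "cipher_server_preference"
  # generated with: openssl dhparam -out dhparams.pem 2048
  'DHFILE': "/etc/ejabberd/dh2048-ejabberd.pem"

# Global certificate store (Let's Encrypt). Every TLS-enabled listener
# below uses these unless it sets its own certfile.
certfiles:
  - "/etc/letsencrypt/live/*/fullchain.pem"
  - "/etc/letsencrypt/live/*/privkey.pem"

hosts:
  - "example.com"

access:
  announce:
    admin: allow
  c2s:
    # NOTE(review): no "blocked" ACL is defined in the acl: section below,
    # so this rule presumably matches nobody. Define the ACL (e.g. a list
    # of banned users) or drop the rule.
    blocked: deny
    all: allow
  c2s_shaper:
    admin: none
    all: normal
  local:
    local: allow
  max_user_offline_messages:
    admin: 5000
    all: 100
  max_user_sessions:
    all: 10
  muc:
    all: allow
  muc_admin:
    admin: allow
  muc_create:
    local: allow
  pubsub_createnode:
    all: allow
  register:
    # _%%_ Don't allow registration
    all: deny
  s2s_shaper:
    all: fast

acl:
  # The only account allowed to use web_admin, announce and MUC admin.
  admin:
    user:
      - "kiigass": "example.com"
  # Empty regexp matches every user on the served hosts.
  local:
    user_regexp:
      - ""

# _%%_ We want internal authentication
auth_method:
  - mnesia
# _%%_ store passwords with scram hash method.
# _%%_ no DIGEST-MD5, needs plaintext storage of passwords.
auth_password_format: scram
disable_sasl_mechanisms: "DIGEST-MD5"

language: "en"

listen:
  # Client-to-server (XMPP c2s) with mandatory STARTTLS.
  - ip: "0.0.0.0"
    port: 5222
    module: ejabberd_c2s
    max_stanza_size: 65536
    shaper: c2s_shaper
    access: c2s
    # _%%_ DEPRECATED, uses mod_stream_mgmt
    # _%%_ XEP-0198, Stream Management
    # _%%_ Note: This is enabled by default, but we'd like to explicitly enable it
    # stream_management: true
    # _%%_ TLS compression is dangerous, see CRIME attack
    tls_compression: false
    # _%%_ Diffie Hellman parameters with 2048 bit, created with "openssl dhparam 2048"
    dhfile: 'DHFILE'
    # _%%_ We only want "HIGH" strength ciphers and explicitly disable
    # _%%_ 3DES (SWEET32 attack), RSA (no forward secrecy, Bleichenbacher attacks),
    # _%%_ CAMELLIA (unusual and not needed).
    ciphers: 'CIPHERS'
    # _%%_ We require STARTTLS for clients. No unencrypted logins
    starttls_required: true
    # certfile: "/etc/ejabberd/ejabberd.pem"
    # _%%_ Due to DROWN (SSLv2) and POODLE (SSLv3) all old SSL versions are considered insecure
    protocol_options: 'TLSOPTS'

  # Server-to-server inbound; TLS policy for s2s is set by s2s_* below.
  - ip: "0.0.0.0"
    port: 5269
    module: ejabberd_s2s_in
    max_stanza_size: 131072
    shaper: s2s_shaper
    protocol_options: 'TLSOPTS'

  # Web admin, BOSH (http_bind) and captcha.
  # This listener is opened via https://example.com:5280/, so it MUST
  # speak TLS: without "tls: true" it served plaintext HTTP and the browser
  # aborted with "Secure Connection Failed". The certificate comes from the
  # global certfiles above; the TLS hardening mirrors the 5443 listener.
  # NOTE(review): web_admin is reachable on every interface (no ip: given)
  # and logs in with the admin account's password. Consider binding it to
  # 127.0.0.1 or restricting 5280 at the firewall.
  # NOTE(review): captcha is enabled but no captcha_cmd/captcha_host appear
  # in this file; presumably unused unless configured elsewhere.
  - port: 5280
    module: ejabberd_http
    web_admin: true
    http_bind: true
    captcha: true
    tls: true
    tls_compression: false
    dhfile: 'DHFILE'
    ciphers: 'CIPHERS'
    protocol_options: 'TLSOPTS'

  # _%%_ XEP-0363, HTTP File Upload
  # _%%_ Note: This only opens the port, further below is the module config itself
  - port: 5443
    module: ejabberd_http
    tls: true
    # certfile: "/etc/ejabberd/ejabberd.pem"
    # _%%_ See comments above for justification of TLS options
    tls_compression: false
    dhfile: 'DHFILE'
    ciphers: 'CIPHERS'
    protocol_options: 'TLSOPTS'
    request_handlers:
      "": mod_http_upload

# 4 = info
loglevel: 4
max_fsm_queue: 1000

modules:
  mod_admin_extra: []
  mod_adhoc: []
  mod_announce:
    access: announce
  # _%%_ XEP-0115, Entity Capabilities
  mod_caps: []
  # XEP-0157
  mod_disco:
    server_info:
      - modules: all
        name: "abuse-addresses"
        urls: ["mailto:kiigass@example.com"]
      - modules: all
        name: "security-addresses"
        urls: ["mailto:kiigass@example.com"]
  mod_bosh: []
  mod_last: []
  # _%%_ XEP-0045, Mult-User Chat (MUC)
  mod_muc:
    access: muc
    access_create: muc_create
    access_persistent: muc_create
    access_admin: muc_admin
  mod_offline:
    access_max_user_messages: max_user_offline_messages
  mod_ping:
    send_pings: true
    ping_interval: 10
    ping_ack_timeout: 5
    timeout_action: kill
  mod_privacy: []
  mod_private: []
  # _%%_ XEP-0065, SOCKS5 Bytestreams (Proxy)
  mod_proxy65:
    host: "proxy65.example.com"
    hostname: "proxy65.example.com"
    ip: "0.0.0.0"
    port: 7777
  mod_pubsub:
    access_createnode: pubsub_createnode
    ignore_pep_from_offline: false
    last_item_cache: true
    plugins:
      - "flat"
      - "hometree"
      # _%%_ XEP-0163, Personal Eventing Protocol (PEP), needed for Avatars / OMEMO
      - "pep"
  # _%%_ XEP-0237, Roster Versioning
  mod_roster:
    versioning: true
  mod_shared_roster: []
  mod_stats: []
  # _%%_ XEP-0198, Stream Management
  # _%%_ Note: This is enabled by default, but we'd like to explicitly enable it
  mod_stream_mgmt:
    max_resume_timeout: 30
    resend_on_timeout: if_offline
    resume_timeout: 30
    ack_timeout: 30
  mod_time: []
  mod_vcard: []
  mod_version: []
  # _%%_ XEP-0313, Message Archive Management (MAM)
  mod_mam:
    default: always
    assume_mam_usage: true
  # _%%_ XEP-0191, Blocking Command
  mod_blocking: []
  # _%%_ XEP-0352, Client State Indicator
  mod_client_state: []
  # _%%_ XEP-0280, Message Carbons
  mod_carboncopy: []
  # _%%_ XEP-0363, HTTP File Upload
  # _%%_ This is the configuration for the module, port config above.
  mod_http_upload:
    # _%%_ With this configuration for each domain name there must be a subdirectory
    # _%%_ in the docroot, e.g. /var/ejabberd-http-upload/example.org/
    thumbnail: false
    docroot: "/var/ejabberd-http-upload/"
    put_url: "https://example.com:5443/@HOST@"
  mod_s2s_dialback: []
  # NOTE(review): XEP-0078 legacy (non-SASL) authentication is obsolete;
  # it runs over the mandatory STARTTLS here, but check whether any client
  # still needs it before keeping it enabled.
  mod_legacy_auth: []

shaper:
  normal: 1000
  fast: 50000

# _%%_ TLS settings for s2s communication
s2s_use_starttls: required
#s2s_certfile: "/etc/ejabberd/ejabberd.pem"
s2s_dhfile: 'DHFILE'
# NOTE(review): the original comment claimed RSA key exchange is allowed for
# s2s compatibility, but 'CIPHERS' contains !RSA, so it is NOT allowed. The
# stricter behaviour is the intended one (forward secrecy); only relax it if
# a peer server actually fails to federate.
s2s_ciphers: 'CIPHERS'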
問題
當我嘗試連接到 https://example.com:5280/ 或 https://example.com:5280/admin/ 時,我從 Firefox 獲得:
安全連接失敗
與 example.com:5280 的連接在頁面載入時中斷。
您嘗試查看的頁面無法顯示,因為無法驗證接收到的數據的真實性。
請聯繫網站所有者告知他們這個問題。
當我同時觀看 /var/log/ejabberd/ejabberd.log (tail -f) 時,我得到:
2018-12-09 13:24:32.021 [info] <0.353.0>@ejabberd_listener:accept:221 (<0.479.0>) Accepted connection xxxx:7048 -> xxyy:5280
問題
我配置錯了什麼,我應該如何配置它以使其工作?
解決方案是在 5280 埠的 ejabberd_http 監聽器中明確設定 tls: true。原本的監聽器只提供明文 HTTP(這就是日誌只顯示「Accepted connection」卻沒有任何錯誤的原因),而瀏覽器以 https:// 連線時會嘗試進行 TLS 交握,收到的明文回應無法被驗證,因此 Firefox 顯示「安全連接失敗」。由於 web_admin 登入需要管理員帳號密碼,不應改用 http:// 來繞過這個問題,而應啟用 TLS(憑證取自全域的 certfiles 設定,與 5443 埠相同)。我還選擇將 tls_compression 設置為 false(防範 CRIME 攻擊)。
工作配置是:
# Listener for web admin, BOSH (http_bind) and captcha on port 5280.
# "tls: true" makes it answer the TLS handshake that https://example.com:5280/
# expects; without it the port served plaintext HTTP and Firefox failed with
# "Secure Connection Failed". The certificate comes from the global certfiles.
port: 5280
module: ejabberd_http
web_admin: true
http_bind: true
captcha: true
tls: true
# TLS compression disabled (CRIME attack).
tls_compression: false
(我添加了最後兩行)。