shaper: c2s_shaper
access: c2s
# Set the cipher order of the server, in OpenSSL syntax
- ciphers: "HIGH+kEDH:HIGH+kEECDH:HIGH:!PSK:!SRP:!3DES:!aNULL:!MD5:!RC4"
+ ciphers: "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA"
# TODO Is this cipher order fine?
-
port: 5269
# Again, prefer our known good cipher ordering to the potentially bad one
# of the other server
-s2s_ciphers: "HIGH+kEDH:HIGH+kEECDH:HIGH:!PSK:!SRP:!3DES:!aNULL:!MD5:!RC4"
+s2s_ciphers: "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA"
# TODO Is this cipher order fine?
It is possible to explicitly specify a cipher string for TLS connections.
\configfile{ejabberd.yml}{104-107,113-114,119-119,123-123,125-125,127-127,134-137,139-139,141-143,192-192,200-200,204-207,211-211}{Specifying a cipher order and enforcing it}
-Note that we are setting the SSL option cipher\_server\_preference. This enforces our cipher order when negotiating which ciphers are used, as the cipher order of some clients chooses weak ciphers over stronger ciphers.\footnote{\url{https://blog.thijsalkema.de/me/blog//blog/2013/09/02/the-state-of-tls-on-xmpp-3/}}
+Note that we are setting the SSL option cipher\_server\_preference. This enforces our cipher order when negotiating which ciphers are used, as the cipher order of some clients chooses weak ciphers over stronger ciphers.\footnote{\url{https://blog.thijsalkema.de/me/blog//blog/2013/09/02/the-state-of-tls-on-xmpp-3/}} The cipher suite is chosen as per the recommendations in \autoref{section:recommendedciphers}, choosing the more compatible set due to the poor cipher availability in some clients.
Other options you may want to take a look at are:
\begin{itemize}