The last point being out-of-scope for this section, we will only cover the first two points.
-%%----------------------------------------------------------------------
-
-\subsection{Prosody}
-\subsubsection{Settings}
-Prosody is a Jabber server which is written in Lua.
-The following configuration is suggested to disable SSLv2 and SSLv3 and require a TLS connection. It is compliant with the OpenSSL string in 3.2.3 configuration B.
-
-\configfile{prosody.cfg.lua}{90-98,103-104}{%
- TLS setup for Prosody}
-
-%%----------------------------------------------------------------------
-
-
\subsection{ejabberd}
\subsubsection{Tested with Versions}
\begin{itemize*}
- \item Debian Wheezy 2.1.10-4+deb7u1
+ \item ejabberd 14.12, Debian 7 Wheezy
+ \item ejabberd 14.12, Ubuntu 14.04 Trusty
+ \item ejabberd 15.03, Ubuntu 14.04 Trusty
+ \item ejabberd 16.01, Ubuntu 14.04 Trusty
\end{itemize*}
\subsubsection{Settings}
ejabberd is one of the popular Jabber servers. In order to be compliant
with the manifesto, you should adapt your configuration\footnote{\url{http://www.process-one.net/docs/ejabberd/guide_en.html}}:
- \configfile{ejabberd.cfg}{108-109,111-111,120-126,172-172,179-179,184-184}{%
+ \configfile{14.12/ejabberd.yml}{104-107,113-114,119-119,123-123,125-125,127-127,134-135,138-140,144-146,195-195,203-203,207-207,210-213}{%
TLS setup for ejabberd}
%
\subsubsection{Additional settings}
- Older versions of ejabberd ($ < $ 2.0.0) need to be patched\footnote{\url{http://hyperstruct.net/2007/06/20/installing-the-startcom-ssl-certificate-in-ejabberd/}} to be able to parse all of the certificates in the CA chain.
+ It is possible to explicitly specify a cipher string for TLS connections.
+ \configfile{14.12/ejabberd.yml}{104-107,113-114,119-119,123-123,125-125,127-127,134-135,138-138,142-142,144-146,195-195,203-203,207-207,210-213,217-217}{Specifying a cipher order and enforcing it}
+
+ Note that we are setting the SSL option \texttt{cipher\_server\_preference}. This enforces our cipher order when negotiating which ciphers are used, as the cipher order of some clients chooses weak ciphers over stronger ciphers.\footnote{\url{https://blog.thijsalkema.de/me/blog//blog/2013/09/02/the-state-of-tls-on-xmpp-3/}}
+
+ Starting with version 15.03\footnote{Early versions seem to have a few bugs - although officially supported, it did not work in tests with version 15.06. Version 16.01 is confirmed to work.}, it is possible to use custom Diffie-Hellman-Parameters. This allows us to negotiate stronger Diffie-Hellman-keys, and also helps us avoid problems with using common Diffie-Hellman-Parameters.\footnote{\url{https://weakdh.org}} You can generate your own parameter file by running:
+ \begin{lstlisting}
+ openssl dhparam -out dhparams.pem 4096
+ \end{lstlisting}
- Newer versions of ejabberd now support specifying the cipher string in the config file. See the commit message: \url{https://github.com/processone/ejabberd/commit/1dd94ac0d06822daa8c394ea2da20d91c8209124}. However, this change did not yet make it into the stable release at the time of this writing.
+ By default, ejabberd provides an administration website (look for the ejabberd\_http module). Enable TLS protection for it like this:
+ \configfile{14.12/ejabberd.yml}{177-178,181-183,185-185,187-188}{Adding TLS to the web interface}
+
+ \subsubsection{Tested with Versions}
+ \begin{itemize*}
+ \item Debian Wheezy 2.1.10-4+deb7u1
+ \end{itemize*}
+ \subsubsection{Settings}
+ Older versions of ejabberd use a different configuration file syntax.
+ In order to be compliant with the manifesto, you should adapt your configuration\footnote{\url{http://www.process-one.net/docs/ejabberd/guide_en.html}} as follows:
+ \configfile{2.1.10/ejabberd.cfg}{108-109,111-111,120-126,172-172,179-179,184-184}{
+ TLS setup for ejabberd}
+ %
+ \subsubsection{Additional settings}
+ Older versions of ejabberd ($ < $ 2.0.0) need to be patched\footnote{\url{http://hyperstruct.net/2007/06/20/installing-the-startcom-ssl-certificate-in-ejabberd/}} to be able to parse all of the certificates in the CA chain.
+ Specifying a custom cipher string is only possible starting with version 13.12 (see configuration for version 14.12 above).
\subsubsection{References}
- \todo{ADD references!!}
+ \begin{itemize}
+ \item \href{http://www.process-one.net/en/ejabberd/docs/}{The ejabberd documentation: http://www.process-one.net/en/ejabberd/docs/}
+ \end{itemize}
\subsubsection{How to test}
\begin{itemize*}
- \item \url{https://xmpp.net} is a practical website to test Jabber server configurations.
+ \item \url{https://xmpp.net} is a useful website to test Jabber server configurations.
\end{itemize*}
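Review bot: the block for the old 2.1.x configuration (from `+ \subsubsection{Tested with Versions}` with `Debian Wheezy 2.1.10-4+deb7u1` onward) reuses the exact headings `Tested with Versions`, `Settings` and `Additional settings` that already exist above for 14.12+, so the rendered document and its table of contents will show two identical `Settings` entries under ejabberd with nothing telling the reader which one belongs to the old `ejabberd.cfg` syntax; name them, e.g. `\subsubsection{Tested with Versions (ejabberd 2.1.x)}`, or put a `\subsubsection{Older versions (ejabberd 2.1.x)}` heading in front of the block. Three smaller points in the same region: the Diffie-Hellman paragraph tells the reader to run `openssl dhparam -out dhparams.pem 4096` but never shows where the resulting file is referenced in `ejabberd.yml`, so a `\configfile` excerpt (or at least the option name) is missing there; the footnote on that paragraph reports that 15.06 did not work in tests while the `Tested with Versions` list only names 14.12, 15.03 and 16.01, so either list 15.06 there as known-bad or drop the claim from the footnote (and use `--` rather than a bare hyphen for the dash in it); and the footnote URL `https://blog.thijsalkema.de/me/blog//blog/2013/09/02/the-state-of-tls-on-xmpp-3/` has a doubled `//blog/` path segment that looks like a paste error and should be checked before merging.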