prosody: Allow less secure ciphers for old clients

This extends SSL/TLS configuration for client connections to allow for a set of additional ciphers over the current "intermediate" set of defaults applied, in support of older clients.
deuill · Mar 22, 2022 · 8d0a76a · 8d0a76a
1 parent 9416ad7
commit 8d0a76a
Showing 1 changed file with 24 additions and 0 deletions.
diff --git a/service/prosody/container/config/prosody.cfg.lua b/service/prosody/container/config/prosody.cfg.lua
@@ -184,6 +184,30 @@ turn_external_secret = os.getenv("PROSODY_TURN_SECRET") or ""
 -- Location of directory to find certificates in (relative to main config file):
 certificates = "/etc/ssl/private/certificates"
 
+-- Allow TLS connections with additional, less secure ciphers, for compatibility with older clients.
+ssl = {
+    protocol = "tlsv1_2+";
+    ciphers = {
+        "ECDHE-ECDSA-AES128-GCM-SHA256";
+        "ECDHE-RSA-AES128-GCM-SHA256";
+        "ECDHE-ECDSA-AES256-GCM-SHA384";
+        "ECDHE-RSA-AES256-GCM-SHA384";
+        "ECDHE-ECDSA-CHACHA20-POLY1305";
+        "ECDHE-RSA-CHACHA20-POLY1305";
+        "DHE-RSA-AES128-GCM-SHA256";
+        "DHE-RSA-AES256-GCM-SHA384";
+        "DHE-RSA-CHACHA20-POLY1305";
+        "ECDHE-ECDSA-AES128-SHA256";
+        "ECDHE-RSA-AES128-SHA256";
+        "ECDHE-ECDSA-AES128-SHA";
+        "ECDHE-RSA-AES128-SHA";
+        "ECDHE-ECDSA-AES256-SHA384";
+        "ECDHE-RSA-AES256-SHA384";
+        "ECDHE-ECDSA-AES256-SHA";
+        "ECDHE-RSA-AES256-SHA";
+    };
+}
+
 -- Listen on all interfaces for component connections.
 component_interface = "0.0.0.0"