Listener Modules doc refactor #1527
ludwikbukowski commented on Oct 17, 2017:
- changed default ciphers
- changed some default values
- removed "host" and "hosts" options in ejabberd_service docs
Those were removed in commit 4103892 and the "password" option was introduced.
force-pushed from 666d798 to 0d74fc9
@@ -16,14 +16,15 @@ You only need to declare running `ejabberd_c2s`, to have the other 2 modules sta | |||
|
|||
### Configuration | |||
|
|||
* `certfile` (string, default: no certfile will be used) - Path to the X509 PEM file with a certificate and a private key (not protected by a password). | |||
* `certfile` (string, default: no certfile will be used) - Path to the X509 PEM file with a certificate and a private key (not protected by a password). If the certificate is signed by an intermediate CA, you should specify here the whole CA chain. |
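Review bot: the added sentence on the `certfile` line tells the reader to put "the whole CA chain" in the file but not in what order, and the order is what breaks deployments: OpenSSL takes the first certificate in the file as the server's own and sends the ones after it as the chain. Suggest spelling it out: server certificate first, then the intermediate CA certificates in signing order, the root left out (a client must already hold it to trust anything), and the unencrypted private key last.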
Specify the whole chain - how?
concatenate all public keys and then append the private one.
I should put it in the docs I guess
* `starttls` (default: disabled) - Enables StartTLS support; requires `certfile`. | ||
* `starttls_required` (default: disabled) - enforces StartTLS usage. | ||
* `tls` (default: disabled) - enables the old SSL connection. |
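Review bot: "enables the old SSL connection" on the `tls` line does not tell a reader what gets configured. Suggest "TLS negotiated immediately on connect (the legacy dedicated-port SSL setup), as opposed to `starttls`, which upgrades an already open plaintext stream", and state whether `tls` also requires `certfile`, as the `starttls` line does. The `starttls_required` line could likewise say that a client which does not negotiate StartTLS is refused, since "enforces StartTLS usage" leaves open what happens to the plaintext stream.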
What does 'old' mean? (I know it but the reader might not :))
you're right, it's not informative - I just took it from the ejabberd.cfg file [1]
Can be changed in both files then
[1] https://github.com/esl/MongooseIM/blob/master/rel/files/ejabberd.cfg#L238
* `host` ( tuple: `{host, Domain, [{password, "password here"}]}`, optional when `hosts` present) - Only allowed domain for components, protected by password. | ||
Must be set when `hosts` are not present. | ||
* `shaper_rule` (atom, default: `fast`) - Connection shaper to use for incoming component traffic. | ||
* `password` (string) - with this password the service is protected |
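Review bot: "with this password the service is protected" on the `password` line is too vague to configure from; suggest "shared secret that every external component connecting on this port must present to authenticate". With the `host` entry gone, nothing in the hunk says what restricts the domain a component may claim any more: state whether any domain is accepted once the password matches, and if so that this one password covers every component on the port, so it should be long, random and not reused across listeners.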
The dark side I sense in you. ;)
_.' : `._
.-.'`. ; .'`.-.
__ / : ___\ ; /___ ; \ __
,'_ ""--.:__;".-.";: :".-.":__;.--"" _`,
:' `.t""--.. '<@.`;_ ',@>` ..--""j.' `;
`:-.._J '-.-'L__ `-- ' L_..-;'
"-.__ ; .-" "-. : __.-"
L ' /.------.\ ' J
"-. "--" .-"
__.l"-:_JL_;-";.__
.-j/'.; ;"""" / .'\"-.
.' /:`. "-.: .-" .'; `.
.-" / ; "-. "-..-" .-" : "-.
.+"-. : : "-.__.-" ;-._ \
; \ `.; ; : : "+. ;
: ; ; ; : ; : \:
: `."-; ; ; MIM : ; ,/;
; -: ; : ; : .-"' :
:\ \ : ; : \.-" :
;`. \ ; : ;.'_..-- / ;
: "-. "-: ; :/." .' :
\ .-`.\ /t-"" ":-+. :
`. .-" `l __/ /`. : ; ; \ ;
\ .-" .-"-.-" .' .'j \ / ;/
\ / .-" /. .'.' ;_:' ;
:-""-.`./-.' / `.___.'
\ `t ._ /
"-.t-._:'
force-pushed from fc63950 to bcb8219
@@ -20,10 +20,10 @@ You only need to declare running `ejabberd_c2s`, to have the other 2 modules sta | |||
* `starttls` (default: disabled) - Enables StartTLS support; requires `certfile`. | |||
* `starttls_required` (default: disabled) - enforces StartTLS usage. | |||
* `zlib` (atom or a positive integer, default: disabled) - Enables ZLIB support, the integer value is a limit for a decompressed output size (to prevent successful [ZLIB bomb attack](http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/)); the limit can be disabled with an atom 'unlimited'. | |||
* `ciphers` (string, default: as of OpenSSL 1.0.0 it's `ALL:!aNULL:!eNULL` [(source)](https://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS)) - cipher suites to use with StartTLS. | |||
Please refer to the [OpenSSL documentation](http://www.openssl.org/docs/apps/ciphers.html) for the cipher string format. | |||
* `ciphers` (string, default: as of OpenSSL 1.0.2 it's `ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2` [(source)](https://www.openssl.org/docs/man1.0.2/apps/ciphers.html#CIPHER_STRINGS)) - cipher suites to use with StartTLS. |
!EXPORT:!LOW:!SSLv2:!aNULL:!eNULL:!IDEA:!RC4:!3DES:!SSLv3:!SSLv2:!DSS:!SRP:!PSK
ECDHE-RSA-AES256-SHA:HIGH:!AESGCM:!CAMELLIA:!3DES:!EDH:!EXPORT:!MD5:!PSK:!RC4:!SRP:!aNULL:!eNULL
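The cipher strings quoted in the two comments above, checked against a local OpenSSL. This is an added example, not MongooseIM's code or anything posted in the thread: it assumes `openssl` is on PATH, and the `PFS_ONLY` string, the two regexes and the helper names are my own additions. It expands each string to the concrete suites the linked library would offer and counts the legacy ones (RC4, 3DES, MD5, NULL, EXPORT) and the static-RSA ones, which give no forward secrecy.

```shell
#!/bin/sh
# Added example, not MongooseIM's code: expand a `ciphers` string with the
# OpenSSL the node will actually link against and flag weak suites, so the
# value is checked before it goes into a listener block.
# Assumes `openssl` is on PATH. OLD_DEFAULT and HARDENED are the strings quoted
# in the review thread; PFS_ONLY is an assumed stricter alternative.
set -eu

OLD_DEFAULT='ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2'
HARDENED='ECDHE-RSA-AES256-SHA:HIGH:!AESGCM:!CAMELLIA:!3DES:!EDH:!EXPORT:!MD5:!PSK:!RC4:!SRP:!aNULL:!eNULL'
PFS_ONLY='ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL'

# Suite names that mean a legacy or broken primitive is on offer.
LEGACY_RE='RC4|DES|MD5|NULL|EXP'
# Suites whose name has no key-exchange prefix use static RSA key exchange:
# a leaked server key then decrypts every recorded session (no forward secrecy).
STATIC_RSA_RE='^(AES|CAMELLIA|SEED|ARIA)'

# Print the concrete suites OpenSSL derives from cipher string $1, one per line.
expand_ciphers() {
    openssl ciphers "$1" | tr ':' '\n'
}

# Print the number of suites in cipher string $1 whose name matches regex $2.
count_matching() {
    expand_ciphers "$1" | grep -Ec "$2" || true
}

# Succeed only when cipher string $1 offers no legacy suite at all.
is_clean() {
    [ "$(count_matching "$1" "$LEGACY_RE")" -eq 0 ]
}

# One summary line per string, followed by the legacy suites it still offers.
report() {
    name=$1; spec=$2
    printf '%-12s total=%s legacy=%s static_rsa=%s\n' "$name" \
        "$(expand_ciphers "$spec" | wc -l | tr -d ' ')" \
        "$(count_matching "$spec" "$LEGACY_RE")" \
        "$(count_matching "$spec" "$STATIC_RSA_RE")"
    expand_ciphers "$spec" | grep -E "$LEGACY_RE" | sed 's/^/    legacy: /' || true
}

report old_default "$OLD_DEFAULT"
report hardened    "$HARDENED"
report pfs_only    "$PFS_ONLY"
```

What the run shows: on a 1.0.2 build the quoted default still lists RC4 and 3DES; the reviewer's string removes those but, because it pulls in `HIGH`, keeps static-RSA suites such as `AES256-SHA`; only an ECDHE-only string clears both columns. Once a value is in the config, `openssl s_client -starttls xmpp -connect host:5222 -cipher RC4-SHA` (or whichever suite was excluded) should fail to complete the handshake.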
Some ciphers are insecure or obsolete. |
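Review bot: quoting OpenSSL's own default as the `ciphers` default pushes the decision onto whichever OpenSSL the node links at run time, and the removed and added lines already disagree (1.0.0 vs 1.0.2). `ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2` still admits RC4, 3DES and MD5-MAC suites, plus static-RSA suites without forward secrecy. Suggest saying the option falls back to the linked library's list and recommending an explicit value, with "Some ciphers are insecure or obsolete" expanded into a concrete string the reader can copy. The kept wording "cipher suites to use with StartTLS" should also say whether the list applies to the `tls` (TLS on connect) mode.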
CI runs on 9924bee: 5811.1 / Erlang 19.3 / small_tests; 5811.3 / Erlang 19.3 / mysql_redis; 5811.2 / Erlang 19.3 / internal_mnesia; 5811.6 / Erlang 19.3 / elasticsearch_and_cassandra_mnesia; 5811.4 / Erlang 19.3 / odbc_mssql_mnesia; 5811.5 / Erlang 19.3 / ldap_mnesia; 5811.8 / Erlang 20.0 / pgsql_mnesia; 5811.9 / Erlang 21.0 / riak_mnesia

The same test failure appears three times in the CI output, differing only in the generated user name, pids and stream id; the first trace is kept:

mod_global_distrib_SUITE:mod_global_distrib:test_pm_with_ungraceful_reconnection_to_different_server{error,
{timeout_when_waiting_for_stanza,
[{escalus_client,wait_for_stanza,
[{client,<<"eve34.261857@localhost/res1">>,escalus_tcp,
<0.13137.1>,
[{event_manager,<0.13128.1>},
{server,<<"localhost">>},
{username,<<"eve34.261857">>},
{resource,<<"res1">>}],
[{event_client,
[{event_manager,<0.13128.1>},
{server,<<"localhost">>},
{username,<<"eve34.261857">>},
{resource,<<"res1">>}]},
{resource,<<"res1">>},
{username,<<"eve34.261857">>},
{server,<<"localhost">>},
{host,<<"localhost">>},
{port,5222},
{auth,{escalus_auth,auth_plain}},
{wspath,undefined},
{username,<<"eve34.261857">>},
{server,<<"localhost">>},
{password,<<"password">>},
{port,5222},
{stream_management,true},
{stream_id,<<"A34EE5CCE4F3A5D1">>}]},
10000],
[{file,
"/home/travis/build/esl/MongooseIM/big_tests/_build/default/lib/escalus/src/escalus_client.erl"},
{line,138}]},
{mod_global_distrib_SUITE,
'-test_pm_with_ungraceful_reconnection_to_different_server/1-fun-0-',
4,
[{file,"mod_global_distrib_SUITE.erl"},{line,607}]},
{escalus_story,story,4,
[{file,
"/home/travis/build/esl/MongooseIM/big_tests/_build/default/lib/escalus/src/escalus_story.erl"},
{line,72}]},
...
Codecov Report

| | master | #1527 | +/- |
|---|---|---|---|
| Coverage | 76.91% | 76.59% | -0.32% |
| Files | 323 | 323 | |
| Lines | 28116 | 28173 | +57 |
| Hits | 21626 | 21580 | -46 |
| Misses | 6490 | 6593 | +103 |

Continue to review full report at Codecov.
* `certfile` (string, default: no certfile will be used) - Path to the X509 PEM file with a certificate and a private key (not protected by a password). | ||
If the certificate is signed by an intermediate CA, you should specify here the whole CA chain by concatenating all public keys together and appending private key after that. |
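Review bot: "concatenating all public keys" is wrong: the file holds certificates, not public keys, and it still does not give the order. Suggest "concatenate the server certificate, then the intermediate CA certificates in signing order, then the unencrypted private key" and say the root may be left out. OpenSSL reads the first certificate in the file as the server's own, so an intermediate placed first is what gets served and the private key no longer matches it.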
If the certificate is signed by an intermediate CA, you should specify here the whole CA chain by concatenating all public keys together and appending the private key after that.
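The ordering the thread settles on (server certificate, then the CA chain, then the private key), as an added example that is not MongooseIM's code and not from the PR: it builds a throwaway root, intermediate and server certificate, assembles the `certfile`, and runs the checks a reviewer would want before a listener is pointed at it, including the wrong-order file the question above was about. It assumes `openssl` is on PATH; the names (Example Root CA, xmpp.example.org) and the `issue` and `check_certfile` helpers are inventions for the demonstration.

```shell
#!/bin/sh
# Added example, not MongooseIM's code: assemble the `certfile` PEM in the
# order the thread settles on (server certificate, issuing CA chain, then the
# unencrypted private key) from a throwaway root -> intermediate -> server
# hierarchy, and check the file before pointing a listener at it.
# Assumes `openssl` is on PATH; the names and helper functions are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:xmpp.example.org\n' > leaf.ext

# Generate a key pair for $1 and a certificate with subject $2, signed by
# issuer cert $3 / key $4 (self-signed when $3 is "-"), with extensions $5.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -subj "$2" -out "$1.csr" 2>/dev/null
    if [ "$3" = "-" ]; then
        openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 1 -extfile "$5" -out "$1.crt" 2>/dev/null
    else
        openssl x509 -req -in "$1.csr" -CA "$3" -CAkey "$4" -CAcreateserial -days 1 -extfile "$5" -out "$1.crt" 2>/dev/null
    fi
}

issue root   '/CN=Example Root CA'         -         -         ca.ext
issue inter  '/CN=Example Intermediate CA' root.crt  root.key  ca.ext
issue server '/CN=xmpp.example.org'        inter.crt inter.key leaf.ext

# Order matters: OpenSSL uses the first certificate in the file as the server's
# own and sends the following ones as the chain. The root is left out, since a
# client must already hold it to trust anything; the key goes last.
cat server.crt inter.crt server.key > certfile.pem

# Checks on certfile $1 with trust anchor $2; returns 0 only if all pass.
check_certfile() {
    f=$1; anchor=$2; failed=0
    openssl x509 -in "$f" -out first.pem 2>/dev/null      # first certificate in the file
    awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' "$f" > certs_only.pem

    if openssl x509 -in first.pem -noout -text | grep -q 'CA:TRUE'; then
        echo "FAIL $f: first certificate is a CA, the server certificate must come first"; failed=1
    fi
    if [ "$(openssl x509 -in first.pem -noout -pubkey)" != "$(openssl pkey -in "$f" -pubout 2>/dev/null)" ]; then
        echo "FAIL $f: private key does not belong to the first certificate"; failed=1
    fi
    if ! openssl verify -CAfile "$anchor" -untrusted certs_only.pem first.pem >/dev/null 2>&1; then
        echo "FAIL $f: chain does not verify up to $anchor"; failed=1
    fi
    if grep -q 'ENCRYPTED' "$f"; then
        echo "FAIL $f: private key is password-protected, which the listener cannot load"; failed=1
    fi
    if [ "$failed" -eq 0 ]; then echo "OK $f"; fi
    return "$failed"
}

check_certfile certfile.pem root.crt

# The mistake the reviewer asked about: the chain in the wrong order.
cat inter.crt server.crt server.key > wrong_order.pem
check_certfile wrong_order.pem root.crt || echo "(wrong_order.pem rejected, as intended)"
```

The key-matches-first-certificate check is the one that catches the wrong order in practice; the `openssl verify` step passes for the misordered file too, because the intermediate itself verifies fine, so verification alone is not enough.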