ejabberd starttls_required in c2s/s2s and disable SSLv3 + unsecure Ciphers

Solution 1:

Requiring StartTLS:

{s2s_use_starttls, require}. instead of {s2s_use_starttls, true}. (keep in mind this will currently make you unable to connect to gmail.com and all domains they host).

Weak ciphers:

See http://www.process-one.net/docs/ejabberd/guide_en.html#sec27. I think this means doing something like adding {ciphers, "..."} to the ejabberd_c2s options. Check with openssl ciphers -V '...' to see what ciphers a cipher string will enable.

As far as I can tell, it's not possible to disable SSLv3 without recompiling ejabberd yourself. See some discussion here.

Solution 2:

This is an old question, but I wanted to add an updated answer for anyone who finds this while using a more modern version of ejabberd (14.12 at the time of this writing). The following options (in the new YAML configuration format) should make starttls required, change the ciphers list to something decent, and disable legacy SSL support for s2s connections:

s2s_use_starttls: required
s2s_ciphers: "HIGH:!3DES:!aNULL:!SSLv2:@STRENGTH"
s2s_protocol_options:
  - "no_sslv2"
  - "no_sslv3"

For c2s connections you can do something similar, except that it goes under the c2s listen directive:

-
  port: 5222
  module: ejabberd_c2s
  protocol_options:
    - "no_sslv2"
    - "no_sslv3"
  ciphers: ...
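As an added example that is not part of either answer above: a small POSIX shell audit that performs the check Solution 1 suggests (expanding a cipher string with openssl ciphers -V) against the cipher string Solution 2 proposes for s2s_ciphers. The classifier is plain awk over the "openssl ciphers -v" output format, so it can be exercised on constructed lines without a network or an XMPP server; the openssl CLI on PATH is assumed only for the live expansion, and the function names are my own, not ejabberd's or OpenSSL's.

```shell
#!/bin/sh
# Added example (not from the original answers): audit an OpenSSL cipher string
# of the kind placed in ejabberd's s2s_ciphers / ciphers options.
# Assumes the "openssl" CLI is on PATH for the live expansion; the classifier
# itself only needs awk and reads "openssl ciphers -v" formatted lines.

# Print the names of cipher suites a defender would not want a server to offer:
# RC4 / DES / 3DES / IDEA / SEED / RC2 bulk ciphers, NULL encryption, MD5 MACs,
# anonymous key exchange (Au=None) and export-grade suites. HMAC-SHA1 suites
# are deliberately not flagged here. Input on stdin, weak suite names on stdout.
classify_cipher_lines() {
    awk '
        $1 == "" { next }
        {
            weak = 0
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^Enc=(RC4|DES|3DES|IDEA|SEED|RC2|None)/) weak = 1
                if ($i ~ /^Mac=MD5/) weak = 1
                if ($i ~ /^Au=None/) weak = 1
                if ($i == "export")  weak = 1
            }
            if (weak) print $1
        }'
}

# Expand a cipher string with openssl and report any weak suites it enables.
# Exit status: 0 = nothing weak enabled, 1 = weak suites present,
#              2 = openssl not installed, 3 = openssl rejected the string.
audit_cipher_string() {
    cipher_string=$1
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found; cannot expand '$cipher_string'" >&2
        return 2
    fi
    # "-v" prints one suite per line with Kx=/Au=/Enc=/Mac= columns.
    expanded=$(openssl ciphers -v "$cipher_string" 2>/dev/null) || return 3
    weak=$(printf '%s\n' "$expanded" | classify_cipher_lines)
    if [ -n "$weak" ]; then
        printf 'weak suites enabled by %s:\n%s\n' "$cipher_string" "$weak"
        return 1
    fi
    echo "no weak suites enabled by '$cipher_string'"
    return 0
}

# Usage: sh cipher_audit.sh 'HIGH:!3DES:!aNULL:!SSLv2:@STRENGTH'
if [ $# -gt 0 ]; then
    audit_cipher_string "$1"
fi
```

Note that the protocol column of "openssl ciphers -v" (SSLv3, TLSv1.2, ...) records the version a suite was introduced in, not which protocol versions the server will negotiate, so it is not used as a weakness signal here; disabling SSLv3 itself is the job of the protocol_options shown in the answer above, and the cipher string only controls which suites remain once a protocol is agreed.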