From 069a0a14d95c4681f3803fe35db38b418b320a19 Mon Sep 17 00:00:00 2001
From: inference
Date: Sun, 19 Feb 2023 19:24:26 +0000
Subject: [PATCH] Prepare to upgrade password hashes from SCRAM-SHA-256 to SCRAM-SHA-512. Enforce specific ciphersuites. Disallow SSLv2 and TLSv1.1.
---
 server/xb000-0/ejabberd/ejabberd.yml | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/server/xb000-0/ejabberd/ejabberd.yml b/server/xb000-0/ejabberd/ejabberd.yml
index 293faf0..f1a13a5 100644
--- a/server/xb000-0/ejabberd/ejabberd.yml
+++ b/server/xb000-0/ejabberd/ejabberd.yml
@@ -4,7 +4,7 @@
 # Copyright 2022-2023 Jake Winters
 # SPDX-License-Identifier: GPL-3.0-or-later
-# Version: 2.0.0.3
+# Version: 3.0.0.4
 # Hosts
@@ -26,23 +26,30 @@ language: en
 ## Passwords
 auth_password_format: scram
 auth_scram_hash: sha256
+### Upgrade password hashes to SHA-512 when possible. Currently infeasible due to current users
+### having passwords created using SHA-256.
+# auth_scram_hash: sha512
 ## Client-to-Server
 c2s_ciphers:
-  - HIGH
+  - "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"
 c2s_protocol_options:
+  - no_sslv2
   - no_sslv3
   - no_tlsv1
+  - no_tlsv1_1
   - no_compression
   - cipher_server_preferences
 c2s_tls_compression: false
 ## Server-to-Server
 s2s_ciphers:
-  - HIGH
+  - "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"
 s2s_protocol_options:
+  - no_sslv2
   - no_sslv3
   - no_tlsv1
+  - no_tlsv1_1
   - no_compression
   - cipher_server_preferences
 s2s_use_starttls: required
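Review bot: The commented-out `# auth_scram_hash: sha512` in the second hunk sits directly below the live `auth_scram_hash: sha256`, so whoever later uncomments it without deleting the line above will leave a duplicate key, which most YAML loaders resolve silently to whichever value comes last rather than rejecting. Suggest the comment spell out the intended edit, e.g. `### When upgrading, replace the sha256 line above with: auth_scram_hash: sha512`. Separately, the new `c2s_ciphers`/`s2s_ciphers` values are OpenSSL cipher-list strings, which govern TLS 1.2 and earlier only; TLS 1.3 suites are selected by a separate ciphersuites setting, so the restriction to ECDHE GCM/CHACHA20 suites presumably does not constrain TLS 1.3 negotiation, and a comment saying so (e.g. `## TLS 1.2 suite list; TLS 1.3 suites are negotiated independently`) would stop a reader from assuming the list is exhaustive. The identical cipher string is duplicated between the c2s and s2s stanzas, so a note that the two lists are meant to stay in sync would help, since it is unclear from here whether the file's YAML loader supports anchors.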