Prepare to upgrade password hashes from SCRAM-SHA-256 to SCRAM-SHA-512. Enforce specific ciphersuites. Disallow SSLv2 and TLSv1.1.

server/xb000-0/ejabberd/ejabberd.yml

@@ -4,7 +4,7 @@
 # Copyright 2022-2023 Jake Winters
 # SPDX-License-Identifier: GPL-3.0-or-later
 
-# Version: 2.0.0.3
+# Version: 3.0.0.4
 
 
 # Hosts
@@ -26,23 +26,30 @@ language: en
 ## Passwords
 auth_password_format: scram
 auth_scram_hash: sha256
+### Upgrade password hashes to SHA-512 when possible. Currently infeasible due to current users
+### having passwords created using SHA-256.
+# auth_scram_hash: sha512
 
 ## Client-to-Server
 c2s_ciphers:
-  - HIGH
+  - "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"
 c2s_protocol_options:
+  - no_sslv2
   - no_sslv3
   - no_tlsv1
+  - no_tlsv1_1
   - no_compression
   - cipher_server_preferences
 c2s_tls_compression: false
 
 ## Server-to-Server
 s2s_ciphers:
-  - HIGH
+  - "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"
 s2s_protocol_options:
+  - no_sslv2
   - no_sslv3
   - no_tlsv1
+  - no_tlsv1_1
   - no_compression
   - cipher_server_preferences
 s2s_use_starttls: required