From 8d0a76a4f7cb5b5d2105a012fd2589842901e017 Mon Sep 17 00:00:00 2001
From: Alex Palaistras
Date: Tue, 22 Mar 2022 22:02:33 +0000
Subject: [PATCH] prosody: Allow less secure ciphers for old clients

This extends SSL/TLS configuration for client connections to allow for a set of additional ciphers over the current "intermediate" set of defaults applied, in support of older clients.
---
 .../prosody/container/config/prosody.cfg.lua | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/service/prosody/container/config/prosody.cfg.lua b/service/prosody/container/config/prosody.cfg.lua
index ec7ca65..81cf3e6 100644
--- a/service/prosody/container/config/prosody.cfg.lua
+++ b/service/prosody/container/config/prosody.cfg.lua
@@ -184,6 +184,30 @@ turn_external_secret = os.getenv("PROSODY_TURN_SECRET") or ""
 -- Location of directory to find certificates in (relative to main config file):
 certificates = "/etc/ssl/private/certificates"
+-- Allow TLS connections with additional, less secure ciphers, for compatibility with older clients.
+ssl = {
+ protocol = "tlsv1_2+";
+ ciphers = {
+ "ECDHE-ECDSA-AES128-GCM-SHA256";
+ "ECDHE-RSA-AES128-GCM-SHA256";
+ "ECDHE-ECDSA-AES256-GCM-SHA384";
+ "ECDHE-RSA-AES256-GCM-SHA384";
+ "ECDHE-ECDSA-CHACHA20-POLY1305";
+ "ECDHE-RSA-CHACHA20-POLY1305";
+ "DHE-RSA-AES128-GCM-SHA256";
+ "DHE-RSA-AES256-GCM-SHA384";
+ "DHE-RSA-CHACHA20-POLY1305";
+ "ECDHE-ECDSA-AES128-SHA256";
+ "ECDHE-RSA-AES128-SHA256";
+ "ECDHE-ECDSA-AES128-SHA";
+ "ECDHE-RSA-AES128-SHA";
+ "ECDHE-ECDSA-AES256-SHA384";
+ "ECDHE-RSA-AES256-SHA384";
+ "ECDHE-ECDSA-AES256-SHA";
+ "ECDHE-RSA-AES256-SHA";
+ };
+}
+
 -- Listen on all interfaces for component connections.
 component_interface = "0.0.0.0"
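Review bot: The new `ssl = { ... }` table is the global one, which as far as I recall Prosody applies to every TLS context it builds — including server-to-server links — while the commit message scopes the relaxation to client connections; if only c2s needs the weaker suites, declaring the table as `c2s_ssl = { ... }` keeps s2s on the stricter default. The eight trailing `*-SHA`, `*-SHA256` and `*-SHA384` entries are the CBC-mode (non-AEAD) additions over the leading AEAD set, and the comment above the table should say so rather than just "less secure", e.g. `-- The trailing CBC-mode (non-AEAD) suites exist only for legacy clients; remove them once those clients are retired.` Because `protocol = "tlsv1_2+"` is kept, the only clients that benefit are TLS 1.2-capable ones without AEAD support, so recording which clients motivated the exception next to the comment would let a maintainer verify it is still needed. Keeping the CBC suites last in the list is the right ordering; confirm that server-side cipher preference remains enabled in the effective configuration so that AEAD suites are chosen whenever a client offers them.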