Make TLS configs in Debian sample files follow Mozilla security guidelines.

doc/debian/jitsi-meet-prosody/prosody.cfg.lua-jvb.example

@@ -15,6 +15,12 @@ cross_domain_bosh = false;
 consider_bosh_secure = true;
 -- https_ports = { }; -- Remove this line to prevent listening on port 5284
 
+-- https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
+ssl = {
+  protocol = "tlsv1_2+";
+  ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
+}
+
 VirtualHost "jitmeet.example.com"
         -- enabled = false -- Remove this line to enable this host
         authentication = "anonymous"

doc/debian/jitsi-meet-turn/turnserver.conf

@@ -10,5 +10,9 @@ no-tcp
 listening-port=4446
 tls-listening-port=4445
 external-ip=__external_ip_address__
+no-tlsv1
+no-tlsv1_1
+# https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
+cipher-list=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
 
 syslog

doc/debian/jitsi-meet/jitsi-meet.example

@@ -21,11 +21,16 @@ server {
     listen [::]:443 ssl;
     server_name jitsi-meet.example.com;
 
-    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-    ssl_prefer_server_ciphers on;
-    ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED";
+# Mozilla Guideline v5.4, nginx 1.17.7, OpenSSL 1.1.1d, intermediate configuration
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+    ssl_prefer_server_ciphers off;
 
-    add_header Strict-Transport-Security "max-age=31536000";
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:10m;  # about 40000 sessions
+    ssl_session_tickets off;
+
+    add_header Strict-Transport-Security "max-age=63072000" always;
 
     ssl_certificate /etc/jitsi/meet/jitsi-meet.example.com.crt;
     ssl_certificate_key /etc/jitsi/meet/jitsi-meet.example.com.key;

doc/debian/jitsi-meet/jitsi-meet.example-apache

@@ -11,14 +11,15 @@
 
   ServerName jitsi-meet.example.com
 
-  SSLProtocol TLSv1 TLSv1.1 TLSv1.2
+  # enable HTTP/2, if available
+  Protocols h2 http/1.1
+
   SSLEngine on
   SSLProxyEngine on
   SSLCertificateFile /etc/jitsi/meet/jitsi-meet.example.com.crt
   SSLCertificateKeyFile /etc/jitsi/meet/jitsi-meet.example.com.key
-  SSLCipherSuite "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED"
-  SSLHonorCipherOrder on
-  Header set Strict-Transport-Security "max-age=31536000"
+
+  Header always set Strict-Transport-Security "max-age=63072000"
 
   DocumentRoot "/usr/share/jitsi-meet"
   <Directory "/usr/share/jitsi-meet">
@@ -48,3 +49,9 @@
   RewriteEngine on
   RewriteRule ^/([a-zA-Z0-9]+)$ /index.html
 </VirtualHost>
+
+# Mozilla Guideline v5.4, Apache 2.4.41, OpenSSL 1.1.1d, intermediate configuration, no OCSP
+SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
+SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+SSLHonorCipherOrder     off
+SSLSessionTickets       off