Let’s Encrypt on Prosody & enable Forward secrecy

Below is my setup to enable Forward secrecy

Generate DH parameters:

# openssl dhparam -out /etc/pki/tls/dh-2048.pem 2048

Then configure Prosody with your Let's Encrypt certificates (the config file is Lua, so comments start with `--`):

VirtualHost ""

  ssl = {
      key = "/etc/letsencrypt/live/";
      certificate = "/etc/letsencrypt/live/";
      cafile = "/etc/pki/tls/certs/ca-bundle.crt";

      -- enable strong encryption: the DH parameters let DHE cipher suites
      -- be negotiated, which gives forward secrecy
      dhparam = "/etc/pki/tls/dh-2048.pem";
  }

If you want to accept only TLS-encrypted connections from clients and servers, add these settings:

c2s_require_encryption = true
s2s_secure_auth = true

Check your setup

XMPP Observatory

or check your certificates with openssl:

Server (s2s): # openssl s_client -connect  -starttls xmpp-server < /dev/null
Client (c2s): # openssl s_client -connect  -starttls xmpp < /dev/null
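As an added check that is not part of the original post or of Prosody itself, the script below opens a c2s stream, confirms that the server advertises (and requires) STARTTLS, completes the TLS handshake and reports whether the negotiated cipher suite gives forward secrecy (ECDHE/DHE key exchange, or any TLS 1.3 suite). The sample `<stream:features>` reply, the host name and the port are my assumptions; `check_c2s` needs network access, the two helpers run offline.

```python
import socket
import ssl
import xml.etree.ElementTree as ET

STREAM_NS = "http://etherx.jabber.org/streams"
TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"

# Constructed sample of the features a Prosody server sends when
# c2s_require_encryption = true (the <required/> child).
SAMPLE_FEATURES = ('<stream:features xmlns:stream="%s">'
                   '<starttls xmlns="%s"><required/></starttls>'
                   '</stream:features>' % (STREAM_NS, TLS_NS))

def starttls_offered(features_xml):
    """Return (offered, required) for a <stream:features> fragment."""
    # The fragment is cut out of the stream, so the stream: prefix may be
    # declared only on the enclosing <stream:stream>; re-declare it if missing.
    if "xmlns:stream" not in features_xml:
        features_xml = features_xml.replace(
            "<stream:features", '<stream:features xmlns:stream="%s"' % STREAM_NS, 1)
    root = ET.fromstring(features_xml)
    el = root.find("{%s}starttls" % TLS_NS)
    if el is None:
        return (False, False)
    return (True, el.find("{%s}required" % TLS_NS) is not None)

def has_forward_secrecy(cipher_name):
    """Ephemeral key exchange (ECDHE/DHE) or a TLS 1.3 suite => forward secrecy.
    Names are in OpenSSL form, as Python's ssl module reports them."""
    name = cipher_name.upper()
    return name.startswith("TLS_") or name.startswith(("ECDHE-", "DHE-", "EDH-"))

def _read_until(sock, marker, limit=65536):
    buf = b""
    while marker not in buf and len(buf) < limit:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("stream closed before %r" % marker)
        buf += chunk
    return buf.decode("utf-8", "replace")

def check_c2s(host, port=5222, domain=None):
    """Negotiate STARTTLS on a c2s port; return (tls_version, cipher, required, fs)."""
    domain = domain or host
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(("<?xml version='1.0'?><stream:stream to='%s' xmlns='jabber:client' "
                      "xmlns:stream='%s' version='1.0'>" % (domain, STREAM_NS)).encode())
        raw = _read_until(sock, b"</stream:features>")
        feats = raw[raw.index("<stream:features"):raw.index("</stream:features>") + 18]
        offered, required = starttls_offered(feats)
        if not offered:
            raise RuntimeError("server does not offer STARTTLS")
        sock.sendall(("<starttls xmlns='%s'/>" % TLS_NS).encode())
        if "<proceed" not in _read_until(sock, b"/>"):
            raise RuntimeError("server refused STARTTLS")
        tls = ssl.create_default_context().wrap_socket(sock, server_hostname=domain)
        cipher = tls.cipher()[0]
        return (tls.version(), cipher, required, has_forward_secrecy(cipher))
```

Run it as `check_c2s("xmpp.example.org")` (example host, replace with yours); a False in the last position means the server negotiated a non-ephemeral suite and the dhparam/cipher settings need another look.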