Hi Mathias, Happy to read this!
Cheers, Ludovic

On 10/07/2015 11:47, Mathias Ertl wrote:
> Dear fellow operators,
>
> We at jabber.at would like to announce that we will exclusively support
> forward secrecy[1] enabled ciphers starting *October 1st, 2015*. Servers
> that do not support any of those ciphers by then will not be able to
> federate with us until they upgrade.
>
> We already tested this setup, and there were very few users with
> connection problems (e.g. with a 7 year old Pidgin). The biggest problem
> is very old servers that use far outdated software. For a "secure
> network", that's just sad.
>
> You can test if you're ready at https://xmpp.net. If you support any
> forward secrecy cipher, you are fine. If you use the versions of
> ejabberd and Prosody that ship with the current Debian Stable or Ubuntu
> LTS, you're fine as well. If you use e.g. Debian Squeeze, you definitely
> should update.
>
> For everyone, here's a short reminder about current best security
> practices (none of them have caused *any* problems with our users!):
>
> * Enforce encryption for both c2s and s2s connections.
> * Disable SSLv3 (very broken), enable TLSv1.2.
> * Disable RC4 ciphers (also very broken).
> * Have a valid 4096 bit certificate with at least a sha256 signature.
>
> greetings, Mati
> (from jabber.at)
>
> [1] https://en.wikipedia.org/wiki/Forward_secrecy
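Added example, not part of the original messages and not code from jabber.at: a small Python audit of a server's TLS profile against the practices listed in the announcement, plus a simplified model of whether a peer can still agree on a cipher with a forward-secrecy-only server. The `ServerProfile` shape, the function names and the sample profiles are assumptions constructed for illustration; cipher names follow OpenSSL naming.

```python
from __future__ import annotations
from dataclasses import dataclass

FS_PREFIXES = ("ECDHE-", "DHE-", "EDH-")   # OpenSSL names: authenticated ephemeral (EC)DH
OK_SIG_HASHES = {"sha256", "sha384", "sha512"}

def is_forward_secret(cipher: str) -> bool:
    # TLS 1.3 suites (TLS_*) always use an ephemeral key exchange.
    return cipher.startswith(FS_PREFIXES) or cipher.startswith("TLS_")

def negotiate_fs_only(offered: list[str], accepted: list[str]) -> str | None:
    """First offered cipher that an FS-only peer accepts, or None (no federation)."""
    allowed = {c for c in accepted if is_forward_secret(c)}
    return next((c for c in offered if c in allowed), None)

@dataclass
class ServerProfile:            # hypothetical shape of a TLS scan result
    protocols: set[str]
    ciphers: list[str]
    c2s_required: bool
    s2s_required: bool
    key_bits: int
    sig_hash: str

def audit(p: ServerProfile) -> list[str]:
    """Check a profile against the practices listed in the announcement."""
    checks = [
        (p.c2s_required and p.s2s_required, "encryption not enforced on c2s and s2s"),
        ("SSLv3" not in p.protocols, "SSLv3 enabled"),
        ("TLSv1.2" in p.protocols, "TLSv1.2 not enabled"),
        (not any("RC4" in c for c in p.ciphers), "RC4 cipher enabled"),
        (any(is_forward_secret(c) for c in p.ciphers), "no forward secrecy cipher"),
        (p.key_bits >= 4096, "certificate key shorter than 4096 bits"),
        (p.sig_hash.lower() in OK_SIG_HASHES, "signature hash weaker than sha256"),
    ]
    return [msg for ok, msg in checks if not ok]

# Constructed sample data, not taken from any real server.
FS_ONLY = ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
           "DHE-RSA-AES128-GCM-SHA256"]
LEGACY = ServerProfile({"SSLv3", "TLSv1"}, ["RC4-SHA", "AES128-SHA", "DES-CBC3-SHA"],
                       True, False, 1024, "sha1")
MODERN = ServerProfile({"TLSv1", "TLSv1.1", "TLSv1.2"},
                       ["ECDHE-RSA-AES256-GCM-SHA384", "AES128-SHA"],
                       True, True, 4096, "sha256")

if __name__ == "__main__":
    for name, prof in (("legacy", LEGACY), ("modern", MODERN)):
        print(name, negotiate_fs_only(prof.ciphers, FS_ONLY), audit(prof))
```

The negotiation here picks by the offering side's order, which is a simplification; a real TLS server may apply its own preference order.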