On 6 sep. 2013, at 20:04, Peter Saint-Andre <[email protected]> wrote:
> On 9/6/13 10:40 AM, Peter Saint-Andre wrote: > > On 8/28/13 10:14 AM, Simon Tennant wrote: > >> I'm attempting to gather the details in one place on how to > >> secure XMPP servers C2S and S2S traffic: > > > >> http://wiki.xmpp.org/web/Securing_XMPP > > > > Thanks. > > > > As you've seen from the news over the last 24 hours, things are > > even worse than we thought. > > > > Among other things, forcing the use of SSL/TLS is not enough. We > > need to be careful about what ciphersuites we allow. Some of the > > older, weaker ciphersuites need to be disabled (e.g., RC4 / MD5). > > We need to start preferring ciphersuites that enable perfect > > forward secrecy (PFS). > > To be clear, those are suites with EDH/DHE/ECDH in the name. It would > be interesting to see how widely those are supported in current XMPP > software. > > Peter I have gathered some data on that: https://blog.thijsalkema.de/blog/2013/08/26/the-state-of-tls-on-xmpp-1/ https://blog.thijsalkema.de/blog/2013/09/02/the-state-of-tls-on-xmpp-3/ 29 of the 100 servers from xmpp.net that I could reach have at least one ephemeral suite enabled. All clients I've tested have some variant of EDH/DHE enabled. 8 of the 18 different client/OS combinations have ECDHE enabled. However, a large number of clients do not prioritize (EC)DHE above the non- ephemeral variants. To enforce that these are used, it is therefore required to either disable all non-ephemeral suites or configure the server to override the client's order with the server's order. Regards, Thijs
signature.asc
Description: Message signed with OpenPGP using GPGMail
_______________________________________________ JDev mailing list Info: http://mail.jabber.org/mailman/listinfo/jdev Unsubscribe: [email protected] _______________________________________________
