[jdev] manifesto 0.4

Thijs Alkemade thijs at xnyhps.nl
Wed Oct 30 00:44:39 UTC 2013


On 30 okt. 2013, at 01:21, Mathieu Pasquet <mathieui at mathieui.net> wrote:

> Dropping SSLv2 is all good and I’m not even sure why SSLv2 was
> supported initially (doesn’t xmpp appear after SSLv3 was standardized?),
> but dropping SSLv3, while also a good idea, might cause issues with lots
> of servers (not naming legacy ejabberd or openfire under old debian or
> centos). Hopefully, we have some time to wake up some admins before the
> dates set in the manifesto, but I hope the test days will help
> troubleshooting the ones that don’t get the memo.

That’s what xmpp.net is now for: helping us make these policy decisions. :)

So far, two tests have shown a server supported SSLv3 but not TLS 1.0,
both for c2s to palemoon.net:

http://xmpp.net/result.php?id=324
http://xmpp.net/result.php?id=142

However, considering the cipher list did not finish I would assume the sever
started IP banning xmpp.net, leading to inaccurate results.

So from the directory list, even the servers running ejabberd 2.1.2 (released
3.5 years ago) and Openfire 3.64 (released 4.5 years ago) support TLS 1.0.

How many clients don't support TLS 1.0 I do not (yet) have data of, though.

Regards,
Thijs
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 841 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mail.jabber.org/pipermail/jdev/attachments/20131030/88ca61a7/attachment.pgp>


More information about the JDev mailing list