[jdev] manifesto 0.4
stpeter at stpeter.im
Wed Oct 30 01:40:48 UTC 2013
-----BEGIN PGP SIGNED MESSAGE-----
On 10/29/2013 06:44 PM, Thijs Alkemade wrote:
> On 30 okt. 2013, at 01:21, Mathieu Pasquet <mathieui at mathieui.net>
>> Dropping SSLv2 is all good and I?m not even sure why SSLv2 was
>> supported initially (doesn?t xmpp appear after SSLv3 was
>> standardized?), but dropping SSLv3, while also a good idea, might
>> cause issues with lots of servers (not naming legacy ejabberd or
>> openfire under old debian or centos). Hopefully, we have some
>> time to wake up some admins before the dates set in the
>> manifesto, but I hope the test days will help troubleshooting the
>> ones that don?t get the memo.
> That?s what xmpp.net is now for: helping us make these policy
> decisions. :)
> So far, two tests have shown a server supported SSLv3 but not TLS
> 1.0, both for c2s to palemoon.net:
> However, considering the cipher list did not finish I would assume
> the sever started IP banning xmpp.net, leading to inaccurate
> So from the directory list, even the servers running ejabberd 2.1.2
> (released 3.5 years ago) and Openfire 3.64 (released 4.5 years ago)
> support TLS 1.0.
That result for palemoon.net is odd, since it's using Openfire 3.8.2.
> How many clients don't support TLS 1.0 I do not (yet) have data of,
We'll find out.
A few years ago, at the jabber.org server we required SSL/TLS for
client connections and a fair number of users couldn't connect.
However, most of them were using an old version of MacOS (10.4, IIRC).
I expect the results to be better this time around.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
-----END PGP SIGNATURE-----
More information about the JDev