[jdev] manifesto 0.4

Thijs Alkemade thijs at xnyhps.nl
Wed Oct 30 16:51:38 UTC 2013


On 30 okt. 2013, at 11:42, Dave Cridland <dave at cridland.net> wrote:

> On Wed, Oct 30, 2013 at 12:44 AM, Thijs Alkemade <thijs at xnyhps.nl> wrote:
> So far, two tests have shown a server supported SSLv3 but not TLS 1.0,
> both for c2s to palemoon.net:
> 
> Drifting from the topic, I know, but just to confirm, this is only testing what versions the servers handle in server-mode, correct? Given the nature of the APIs, do we think this might be different to what versions a server will negotiate given the opportunity in client-mode C2S?
> 
> I know this used to be (and might still be) the situation with TLS based compression, but I can't think right now if it's likely to be the case with cipher suites and TLS versions.

Yes, xmppoke only tests server -> server connections where xmppoke acts as the
TLS client.

Testing the protocol versions and ciphers offered by the other server acting
as the TLS client would be interesting, but tricky to implement. It would
require requesting dialback and xmpp.net having a port open to accept the
connection (causing concurrency problems with different simultaneous tests).
The ciphers wouldn’t need to be tested one by one, but protocol versions still
do, so it would require abandoning and restarting dialback a number of times.
(This is really getting to the point where I whish xmppoke was a Prosody
module, instead of a script...)

If I had to make a guess, I’d expect most servers to support the same
protocols as they accept and that they offer the same ciphers as they accept.
OpenSSL based servers probably follow @STRENGTH: first ordering by bitsize,
then by forward-secrecy (yes, this places 3DES above AES-128). Openfire
probably follows Java’s defaults, which on Java 1.6 means starting with
RC4-MD5, RC4-SHA, AES128-SHA, etc.

Regards,
Thijs

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 841 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mail.jabber.org/pipermail/jdev/attachments/20131030/f5416de9/attachment.pgp>


More information about the JDev mailing list