[Operators] S2S problems

Matthew Wild mwild1 at gmail.com
Fri Sep 13 13:00:59 UTC 2013


On 13 September 2013 12:45, Solomon Peachy <pizza at shaftnet.org> wrote:
> On Fri, Sep 13, 2013 at 09:25:15AM +0200, Torsten Reichard wrote:
>> Hey Peter,
>>
>> seems to be good.
>
> Out of curiosity, what are you using to run these tests?  I'd like to
> validate that I have my certs set up properly, but nobody on my roster
> is on a server that supports encrypted S2S.  (Just in case, I have it
> set up to be as permissive as possible when it comes to cert validation)
>
> I'm pretty sure my C2S stuff is set up properly -- None of the
> clients I use complain about the cert/cachain I'm using.
>
> (shaftnet.org, running jabberd2 with external authentication)

We have a handy bot in the Prosody chatroom to check certificates over
s2s. I'm pleased to inform you that:

  13:55:29 MattJ> -certinfo shaftnet.org
  13:55:34 Bunneh> MattJ: shaftnet.org has a valid certificate issued by Gandi Standard SSL CA

but:

  13:56:50 MattJ> -cipher shaftnet.org
  13:56:50 Bunneh> MattJ: Connection to shaftnet.org uses cipher RC4-MD5

RC4 isn't very highly regarded nowadays, as multiple issues have been
found with its security[1]. Note that the bot's server intentionally
negotiates the weakest cipher you support, so it might not be anything
to lose sleep over :)

Regards,
Matthew

[1]: https://en.wikipedia.org/wiki/RC4#Security
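
A probe for the kind of check described in the message above, as an added example that is not part of the original message and is not the bot's code: it opens an s2s stream, upgrades with STARTTLS, validates the certificate and reports the negotiated cipher. Assumptions: all function names, the weak-cipher marker list, a direct connection to port 5269 (no `_xmpp-server._tcp` SRV lookup; pass the SRV target as `host`), and a client that offers its default cipher list rather than steering toward the weakest cipher as the bot's server does.

```python
import re
import socket
import ssl

NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
# Substrings treated as weak in a cipher suite name (assumed policy, adjust locally).
WEAK_MARKERS = ("RC4", "MD5", "DES", "NULL", "EXP")

def stream_header(domain, origin):
    """Opening server-to-server stream header (jabber:server namespace)."""
    return ("<?xml version='1.0'?><stream:stream xmlns='jabber:server' "
            "xmlns:stream='http://etherx.jabber.org/streams' "
            f"to='{domain}' from='{origin}' version='1.0'>")

def offers_starttls(features_xml):
    """True if the peer's stream features advertise STARTTLS."""
    pattern = r"<starttls[^>]*xmlns=['\"]" + re.escape(NS_TLS)
    return re.search(pattern, features_xml) is not None

def weak_cipher(name):
    """Flag cipher suite names such as RC4-MD5."""
    return any(marker in name.upper() for marker in WEAK_MARKERS)

def _read_until(sock, token, limit=65536):
    """Read from the socket until token is seen, the peer closes, or limit is hit."""
    buf = b""
    while token not in buf and len(buf) < limit:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf.decode("utf-8", "replace")

def probe(domain, origin, host=None, port=5269, timeout=10):
    """Connect, upgrade via STARTTLS, return (cipher_name, protocol, is_weak)."""
    with socket.create_connection((host or domain, port), timeout=timeout) as raw:
        raw.sendall(stream_header(domain, origin).encode())
        if not offers_starttls(_read_until(raw, b"</stream:features>")):
            raise RuntimeError("peer does not offer STARTTLS")
        raw.sendall(f"<starttls xmlns='{NS_TLS}'/>".encode())
        if "<proceed" not in _read_until(raw, b">"):
            raise RuntimeError("STARTTLS refused")
        ctx = ssl.create_default_context()  # verifies chain and hostname
        with ctx.wrap_socket(raw, server_hostname=domain) as tls:
            name, proto, _bits = tls.cipher()
            return name, proto, weak_cipher(name)
```

A certificate that fails validation surfaces as `ssl.SSLCertVerificationError` from `probe()`, and a server that only supports ciphers the local TLS library has dropped (RC4 on current OpenSSL builds) fails the handshake with `ssl.SSLError` instead of returning a cipher name.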

