[Operators] S2S problems

Solomon Peachy pizza at shaftnet.org
Fri Sep 13 19:46:55 UTC 2013


On Fri, Sep 13, 2013 at 02:00:59PM +0100, Matthew Wild wrote:
> We have a handy bot in the Prosody chatroom to check certificates over
> s2s. I'm pleased to inform you that:
> 
>   13:55:29 MattJ> -certinfo shaftnet.org
>   13:55:34 Bunneh> MattJ: shaftnet.org has a valid certificate issued
> by Gandi Standard SSL CA

Excellent!
 
> but:
> 
>   13:56:50 MattJ> -cipher shaftnet.org
>   13:56:50 Bunneh> MattJ: Connection to shaftnet.org uses cipher RC4-MD5

Eww.
 
> RC4 isn't very highly regarded nowadays, as multiple issues have been
> found with its security[1]. Note that the bot's server intentionally
> negotiates the weakest cipher you support, so it might not be anything
> to lose sleep over :)

This is actually a big part of what I was curious about.  jabberd2's set
of ciphers isn't configurable (defaults to ALL:!LOW:!SSLv2:!EXP:!aNULL)
so I was curious as to what that translated to on the wire, so to speak.

I wonder if there's any risk of losing interop if I disable RC4-*..

Thanks for running this test for me.

 - Solomon
-- 
Solomon Peachy        		       pizza at shaftnet dot org
Delray Beach, FL                          ^^ (email/xmpp) ^^
Quidquid latine dictum sit, altum viditur.
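
Added example, not part of the original message and not jabberd2 or OpenSSL code: a simplified model of how the cipher string quoted above is filtered, showing why RC4-MD5 stays enabled and what appending `!RC4` changes. The suite table is a constructed sample tagged the way OpenSSL 1.0.x-era builds classify those suites (an assumption); only plain, `!` and `-` rules are modelled, not `+` or `@STRENGTH`.

```python
# Simplified model of OpenSSL cipher-string filtering (added example).
# Constructed sample table: a few suites with OpenSSL 1.0.x-style tags;
# it is not the full list a real build offers.
SUITES = {
    "AES256-SHA":  {"SSLv3", "HIGH", "AES", "SHA1", "aRSA"},
    "AES128-SHA":  {"SSLv3", "HIGH", "AES", "SHA1", "aRSA"},
    "RC4-SHA":     {"SSLv3", "MEDIUM", "RC4", "SHA1", "aRSA"},
    "RC4-MD5":     {"SSLv3", "MEDIUM", "RC4", "MD5", "aRSA"},
    "ADH-RC4-MD5": {"SSLv3", "MEDIUM", "RC4", "MD5", "aNULL"},
    "DES-CBC-SHA": {"SSLv3", "LOW", "DES", "SHA1", "aRSA"},
    "EXP-RC4-MD5": {"SSLv3", "EXP", "RC4", "MD5", "aRSA"},
    "DES-CBC-MD5": {"SSLv2", "LOW", "DES", "MD5", "aRSA"},
}

def matches(name, key):
    """A rule key matches ALL, an exact suite name, or one of its tags."""
    return key == "ALL" or key == name or key in SUITES[name]

def expand(rule_string):
    """Return the suite names enabled by rule_string, in list order."""
    enabled, killed = [], set()
    for rule in rule_string.split(":"):
        if not rule:
            continue
        op, key = (rule[0], rule[1:]) if rule[0] in "!-" else ("", rule)
        hits = [n for n in SUITES if matches(n, key)]
        if op == "!":      # permanent removal: cannot be re-added later
            killed.update(hits)
        if op:             # "!" and "-" both drop the matches from the list
            enabled = [n for n in enabled if n not in hits]
        else:              # a plain token appends matches not yet present
            enabled += [n for n in hits
                        if n not in enabled and n not in killed]
    return enabled

def weak(rule_string, tags=("RC4", "MD5")):
    """Suites still enabled that carry any of the given tags."""
    return [n for n in expand(rule_string) if SUITES[n] & set(tags)]

JABBERD2_DEFAULT = "ALL:!LOW:!SSLv2:!EXP:!aNULL"  # string quoted in the post

if __name__ == "__main__":
    print("enabled:", expand(JABBERD2_DEFAULT))
    print("RC4/MD5 left:", weak(JABBERD2_DEFAULT))
    print("with !RC4:", expand(JABBERD2_DEFAULT + ":!RC4"))
```

RC4-MD5 survives because it is a MEDIUM-strength, SSLv3, non-export, RSA-authenticated suite, so none of the four exclusions touch it. On a real host, `openssl ciphers -v` with the same string prints the actual list for that build.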