[Operators] S2S problems

Matthew Wild mwild1 at gmail.com
Fri Sep 13 22:26:43 UTC 2013


On 13 September 2013 20:46, Solomon Peachy <pizza at shaftnet.org> wrote:
> On Fri, Sep 13, 2013 at 02:00:59PM +0100, Matthew Wild wrote:
>> We have a handy bot in the Prosody chatroom to check certificates over
>> s2s. I'm pleased to inform you that:
>>
>>   13:55:29 MattJ> -certinfo shaftnet.org
>>   13:55:34 Bunneh> MattJ: shaftnet.org has a valid certificate issued
>> by Gandi Standard SSL CA
>
> Excellent!
>
>> but:
>>
>>   13:56:50 MattJ> -cipher shaftnet.org
>>   13:56:50 Bunneh> MattJ: Connection to shaftnet.org uses cipher RC4-MD5
>
> Eww.
>
>> RC4 isn't very highly regarded nowadays, as multiple issues have been
>> found with its security[1]. Note that the bot's server intentionally
>> negotiates the weakest cipher you support, so it might not be anything
>> to lose sleep over :)
>
> This is actually a big part of what I was curious about.  jabberd2's set
> of ciphers isn't configurable (defaults to ALL:!LOW:!SSLv2:!EXP:!aNULL)
> so I was curious to what that translated to on the wire, so to speak.
>
> I wonder if there's any risk of losing interop if I disable RC4-*..

Prosody 0.9's default cipher string is "HIGH:!DSS:!aNULL at STRENGTH",
which doesn't include RC4 (at least on OpenSSL 1.0.0). We've seen no
interop issues so far.

You might also be interested in this series of blog posts if you
haven't seen it already:
https://blog.thijsalkema.de/blog/2013/08/26/the-state-of-tls-on-xmpp-1/

Regards,
Matthew


More information about the Operators mailing list