[Operators] upgrade xmpp.net

Thijs Alkemade thijs at xnyhps.nl
Sat Aug 23 19:09:55 UTC 2014


On 23 aug. 2014, at 19:45, Moonchild <moonchild at palemoon.org> wrote:

> On 2014-08-22 23:33, Skhaen wrote:
> > Ohai everybody!
> >
> > We need an upgrade for xmpp.net: if a server is running with SSLv3 or
> > without PFS, the score *must* be downgraded to B.
> >
> 
> I also wanted to chime in and say that you shouldn't be punishing operators
> who support SSLv3. It should be considered in the same class as TLS 1.0
> since it suffers from the same potential issues for the most part.
> 
> The same goes for FS (I prefer to leave out the P since there is no such
> thing ;) ) since offering ciphers and methods that do not have FS is just
> being flexible. We do want to keep the federation flexible enough for
> everyone in the world to use it, I hope.
> 
> Just my $0.02.
> 
>   Mark.

The situation with SSLv3 is a little complicated. I've made the following
observations:

* Practically, the differences between SSLv3 and TLS 1.0 are so small they are
  equally secure.

* However, TLS being the first one standardized by the IETF means many (if not
  all) extra TLS extensions are only specified for TLS. For example RFC 4492
  ("ECC Cipher Suites for Transport Layer Security") only references TLS. This
  doesn't stop OpenSSL from offering ECDHE when using SSLv3, however, it does
  leave out its "Supported Elliptic Curves" extension from the handshake. So the
  client hasn't told the server what named curves it supports and the server
  just guesses. In the current, OpenSSL-dominated world that isn't that bad,
  most servers and clients support the set of curves OpenSSL supports, but it
  does mean we can't easily negotiate new curves.

* For HTTPS there's a real risk of being downgraded to SSLv3 because the browser
  will retry when a handshake fails, sometimes even 4 or more times, eventually
  down to bare-bones SSLv3. I don't think any XMPP clients will do that, making
  the previous point impossible to exploit.

* I haven't seen any clients that didn't support at least TLS 1.0, but some
  people claim they exist. TLS is nearly 15 years old. Even SChannel on Windows
  XP has it.

* An OpenSSL server configured to *only* enable SSLv3 will not succeed in its
  handshake with an OpenSSL client doing an "automatically negotiate version"
  handshake (SSLv23_method with SSL_OP_NO_SSLv2). So disabling SSLv3 for
  outgoing s2s connections will not have any impact on your compatibility.

In conclusion, I'm not inclined to penalize SSLv3 more than it is for now. If I
get proven wrong about XMPP clients retrying when a handshake fails I might
reconsider this. I would also really like to know which clients don't use SSLv3,
maybe Evgeny can shed some light on that.

Regards,
Thijs
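
The "Supported Elliptic Curves" observation above can be checked on the wire. The following is an added example, not part of the original message and not OpenSSL code: a Python parser that reads a ClientHello record and reports the offered version, whether ECC suites are offered, and whether a named-curves list is present. The sample hellos are constructed, and the function and field names are hypothetical.

```python
import struct

EXT_ELLIPTIC_CURVES = 10  # "Supported Elliptic Curves" extension type (RFC 4492)
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def u16(*vals):
    return b"".join(struct.pack("!H", v) for v in vals)

def build_client_hello(version, suites, curves=None):
    """Construct a minimal ClientHello record (constructed sample, not a capture)."""
    body = u16(version) + bytes(32) + b"\x00"           # version, random, empty session id
    body += u16(2 * len(suites)) + u16(*suites)         # cipher suite list
    body += b"\x01\x00"                                 # null compression only
    if curves is not None:                              # extensions block with one extension
        data = u16(2 * len(curves)) + u16(*curves)
        ext = u16(EXT_ELLIPTIC_CURVES, len(data)) + data
        body += u16(len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = ClientHello
    return b"\x16" + u16(version, len(hs)) + hs         # record type 0x16 = handshake

def inspect_client_hello(record):
    """Report offered version, ECC suites, and the named curves list (None if absent)."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    try:
        (version,) = struct.unpack_from("!H", body, 0)
        pos = 34                                        # skip version + 32-byte random
        pos += 1 + body[pos]                            # skip session id
        (n,) = struct.unpack_from("!H", body, pos)
        suites = struct.unpack_from("!%dH" % (n // 2), body, pos + 2)
        pos += 2 + n
        pos += 1 + body[pos]                            # skip compression methods
        curves = None
        if pos < len(body):                             # extensions are optional
            (ext_total,) = struct.unpack_from("!H", body, pos)
            pos, end = pos + 2, pos + 2 + ext_total
            while pos + 4 <= end:
                etype, elen = struct.unpack_from("!HH", body, pos)
                if etype == EXT_ELLIPTIC_CURVES:
                    (m,) = struct.unpack_from("!H", body, pos + 4)
                    curves = list(struct.unpack_from("!%dH" % (m // 2), body, pos + 6))
                pos += 4 + elen
    except (struct.error, IndexError) as exc:
        raise ValueError("malformed ClientHello") from exc
    ecc = any(0xC001 <= s <= 0xC019 for s in suites)    # ECC suite range from RFC 4492
    return {"version": VERSIONS.get(version, hex(version)), "ecc_suites": ecc,
            "curves": curves, "server_must_guess_curve": ecc and curves is None}
```

A hello built with version `0x0300`, an ECDHE suite and no extensions comes back with `server_must_guess_curve` set, which is the case the message describes.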