[Operators] upgrade xmpp.net
thijs at xnyhps.nl
Sat Aug 23 19:09:55 UTC 2014
On 23 aug. 2014, at 19:45, Moonchild <moonchild at palemoon.org> wrote:
> On 2014-08-22 23:33, Skhaen wrote:
> > Ohai everybody!
> > We need an upgrade for xmpp.net: if a server is running with SSLv3 or
> > without PFS, the score *must* be downgraded to B.
> I also wanted to chime in and say that you shouldn't be punishing operators
> who support SSLv3. It should be considered in the same class as TLS 1.0
> since it suffers from the same potential issues for the most part.
> The same goes for FS (I prefer to leave out the P since there is no such
> thing ;) ) since offering ciphers and methods that do not have FS is just
> being flexible. We do want to keep the federation flexible enough for
> everyone in the world to use it, I hope.
> Just my $0.02.
The situation with SSLv3 is a little complicated. I've made the following
* Practically, the differences between SSLv3 and TLS 1.0 are so small they are
* However, TLS being the first one standardized by the IETF means many (if not
all) extra TLS extensions are only specified for TLS. For example RFC 4492
("ECC Cipher Suites for Transport Layer Security") only references TLS. This
doesn't stop OpenSSL from offering ECDHE when using SSLv3, however, it does
leave out its "Supported Elliptic Curves" extension from the handshake. So the
client hasn't told the server what named curves it supports and the server
just guesses. In the current, OpenSSL-dominated world that isn't that bad,
most servers and clients support the set of curves OpenSSL supports, but it
does mean we can't easily negotiate new curves.
* For HTTPS there's a real risk of being downgraded to SSLv3 because the browser
will retry when a handshake fails, sometimes even 4 or more times, eventually
down to bare-bones SSLv3. I don't think any XMPP clients will do that, making
the previous point impossible to exploit.
* I haven't seen any clients that didn't support at least TLS 1.0, but some
people claim they exist. TLS is nearly 15 years old. Even SChannel on Windows
XP has it.
* An OpenSSL server configured to *only* enable SSLv3 will not succeed in its
handshake with an OpenSSL client doing an "automatically negotiate version"
handshake (SSLv23_method with SSL_OP_NO_SSLv2). So disabling SSLv3 for
outgoing s2s connections will not have any impact on your compatibility.
In conclusion, I'm not inclined to penalize SSLv3 more than it is for now. If I
get proven wrong about XMPP clients retrying when a handshake fails I might
reconsider this. I would also really like to know which clients don't use SSLv3,
maybe Evgeny can shed some light on that.
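The point in the message about SSLv3 handshakes offering ECDHE without the "Supported Elliptic Curves" extension, as an added example that is not part of the original post or of OpenSSL's code: a ClientHello parser that reports the offered version, whether an RFC 4492 ECC suite is offered, and which named curves (if any) were announced. `build_hello` and the handshakes it produces are constructed sample input, not captures.

```python
import struct

ECDHE_RSA_AES128_SHA = 0xC013   # one ECDHE suite from RFC 4492 (used in samples)
EXT_ELLIPTIC_CURVES = 10        # "Supported Elliptic Curves" extension type
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def parse_client_hello(record: bytes) -> dict:
    """Parse one handshake record that holds a complete ClientHello."""
    ctype, _rec_ver, rec_len = struct.unpack_from("!BHH", record, 0)
    if ctype != 22 or len(record) < 5 + rec_len:
        raise ValueError("not a complete handshake record")
    body = record[5:5 + rec_len]
    if body[0] != 1:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    version = struct.unpack_from("!H", hello, 0)[0]
    pos = 2 + 32                                  # skip version and random
    pos += 1 + hello[pos]                         # skip session_id
    n = struct.unpack_from("!H", hello, pos)[0]
    suites = struct.unpack_from("!%dH" % (n // 2), hello, pos + 2)
    pos += 2 + n
    pos += 1 + hello[pos]                         # skip compression methods
    curves = None                                 # None means extension absent
    if pos < len(hello):                          # extensions block is optional
        end = pos + 2 + struct.unpack_from("!H", hello, pos)[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", hello, pos)
            if etype == EXT_ELLIPTIC_CURVES:
                cn = struct.unpack_from("!H", hello, pos + 4)[0]
                curves = list(struct.unpack_from("!%dH" % (cn // 2), hello, pos + 6))
            pos += 4 + elen
    return {"version": VERSIONS.get(version, hex(version)),
            # 0xC001..0xC019 is the ECC cipher suite range defined by RFC 4492
            "offers_ecc_suite": any(0xC001 <= s <= 0xC019 for s in suites),
            "curves": curves}

def build_hello(version: int, curves=None) -> bytes:
    """Construct a minimal sample ClientHello (hypothetical helper, test input only)."""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00"
    hello += struct.pack("!HH", 2, ECDHE_RSA_AES128_SHA) + b"\x01\x00"
    if curves is not None:
        ext = struct.pack("!HHH", EXT_ELLIPTIC_CURVES, 2 + 2 * len(curves), 2 * len(curves))
        ext += struct.pack("!%dH" % len(curves), *curves)
        hello += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 22, version, len(hs)) + hs
```

A result with `offers_ecc_suite` true and `curves` set to `None` is the case described in the message: the server has to pick a curve without knowing what the client supports.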