[Operators] OpenFire Ciphers/ Certificates article

Christian Reiß email at christian-reiss.de
Wed Dec 17 12:25:57 UTC 2014


Hey Mathieu,

thanks for the nice words :)

Regarding the Pre-TLS auth options I honestly do not know. I always took
comfort in the fact that no auth can proceed before startssl took place,
so I always saw those options as "there, but defunct".

If anyone here knows how to disable all auth mechanisms prior to
startssl I am more than happy to extend that article :)

-Chris.


On 17/12/14 13:00, Mathieu Pasquet wrote:
> Hello,
> 
> It was a good read, thank you. I have been assuming for a while that
> achieving decent security levels with openfire was close to impossible,
> and I am glad to see that while it needs some tinkering, it is still
> possible.
> 
> That being said, it appears your server still offers the possibility of
> unencrypted connection and, more concerning, PLAIN through an unencrypted
> connection, which is quite bad from a security point of view. Is that
> impossible to prevent using openfire?
> 
> I would also suggest the subjectAltName extension instead of the Common
> Name for setting up the certificate, but it works anyway.
> 
> 

-- 

 Christian Reiss - email at christian-reiss.de       /"\  ASCII Ribbon
                                                  \ /    Campaign
 GPG Key: http://gpg.christian-reiss.de            X   against HTML
 Jabber : chris at alpha-labs.net                    / \   in eMails

 "It's better to reign in hell than to serve in heaven.",
                                        John Milton, Paradise lost.
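
Added example, not part of the original thread and not Openfire code: a check for the condition discussed above, run over the <stream:features/> element a server sends before TLS is negotiated. The element and namespace names are those of RFC 6120; the function name and both sample stanzas are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS_STREAM = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"

# Constructed sample: STARTTLS is optional and SASL is advertised in cleartext.
WEAK = """<stream:features xmlns:stream='http://etherx.jabber.org/streams'>
  <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
  <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
    <mechanism>DIGEST-MD5</mechanism>
    <mechanism>PLAIN</mechanism>
  </mechanisms>
</stream:features>"""

# Constructed sample: STARTTLS is required and nothing else is offered yet.
STRICT = """<stream:features xmlns:stream='http://etherx.jabber.org/streams'>
  <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls>
</stream:features>"""


def audit_pre_tls_features(features_xml):
    """Report what a server advertises on the stream before TLS is in place."""
    root = ET.fromstring(features_xml)
    if root.tag != f"{{{NS_STREAM}}}features":
        raise ValueError("expected a stream:features element")
    starttls = root.find(f"{{{NS_TLS}}}starttls")
    # Compare against None: an Element with no children is falsy.
    required = (starttls is not None
                and starttls.find(f"{{{NS_TLS}}}required") is not None)
    mechs = [m.text.strip() for m in root.iter(f"{{{NS_SASL}}}mechanism") if m.text]
    findings = []
    if starttls is None:
        findings.append("STARTTLS not offered")
    elif not required:
        findings.append("STARTTLS offered but not marked required")
    if mechs:
        findings.append("SASL advertised before TLS: " + ", ".join(mechs))
    if "PLAIN" in mechs:
        findings.append("PLAIN advertised on a cleartext stream")
    return {"starttls_required": required,
            "pre_tls_mechanisms": mechs,
            "findings": findings}


if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("strict", STRICT)):
        print(name, audit_pre_tls_features(sample))
```

The check only reads what the server advertises; whether the server would actually accept authentication before TLS has to be confirmed in its configuration.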
