[Operators] Removing SSLv3 from ejabberd 2.1.x and 13.x

Justin Bull me at justinbull.ca
Tue Jan 7 01:41:56 UTC 2014


On 1/6/2014, 8:31 PM, Matthew Wild wrote:
> I believe the best thing we can do for now is to fix and update the
> clients, rather than just cutting them off on the server-side. It
> shouldn't be that hard...

That makes sense, thanks for the quick reply.

On 1/6/2014, 8:31 PM, Matthew Wild wrote:
> Also note that SSLv3 hasn't been shown to be any less secure than
> TLSv1 (in fact they are essentially the same), but TLSv1 is still very
> widely used. Therefore there is no security reason to disable SSLv3,
> unless you also plan to disable TLSv1 at the same time.

In accordance with the IETF draft for TLS and XMPP[1], would it be wise to
push for both the removal of SSLv3 and TLS 1.0 in clients, or is that too
pushy?

Personally, I think we need to be aggressive in order to provide secure
messaging in a timely fashion.


[1]: https://datatracker.ietf.org/doc/draft-saintandre-xmpp-tls/

-- 
Best Regards,
Justin Bull
E09D 38DE 8FB7 5745 2044 A0F4 1A2B DEAA 68FD B34C
