[Operators] SSLv3 is out.

Matthew Wild mwild1 at gmail.com
Wed Oct 15 09:15:29 UTC 2014


On 15 October 2014 09:59, Christoph Gebhardt <chris at exosphere.de> wrote:
> Quoting Jonas Wielicki (2014-10-15 09:47:23)
>> I’m not confident that this attack is (like BEAST and CRIME) relevant
>> for XMPP.
>
> But is SSLv3 relevant in the XMPP world?
> In the web world this is a problem with ancient Internet Explorers on
> Windows XP machines, everything else supports TLS, at least according
> to ssllabs.com.
>
> Does anyone know of any XMPP client that needs the server to offer SSLv3?

I ran some stats on a few large public servers a while ago. There are
quite a number of SSLv3 users still out there. It wasn't easy to get
client versions, but one example is Trillian on Windows XP. There were
also some old bots, and some mobile clients, and I think one of the
proxy-based clients used it (IM+?).

I think the best way forward is to disable it and let them come out of
the woodwork. We were planning to make this change in the next major
Prosody release, as it's a bit invasive for a bugfix release. However,
I think this new development justifies it - SSLv3 just isn't an option
if you want security, and I think we're at the point that it would be
better to prevent these insecure clients from connecting than let them
continue thinking everything is ok.

Regards,
Matthew
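An added example to go with the discussion above, written for this page and not code from the thread or from the Prosody project: a small Python probe that opens an XMPP stream, requests STARTTLS, and then sends a ClientHello that offers only SSLv3, so an operator can check whether a server still negotiates it before and after changing the configuration. It uses raw sockets because the Python ssl module built against a current OpenSSL cannot be asked for SSLv3 at all. The host, domain and port are caller-supplied assumptions, the cipher suite list is just a handful of SSLv3-era suites chosen for the example, and the byte strings in the helper docstrings are constructed samples, not captures.

```python
"""
Probe whether an XMPP server still negotiates SSLv3 over STARTTLS.

Added example for the SSLv3 discussion; not Prosody code and not the
original poster's code. Raw sockets are used because the Python ssl
module built against a current OpenSSL has no SSLv3 support to offer.
"""
import os
import socket
import struct
import sys

SSLV3 = b"\x03\x00"                       # ProtocolVersion {3, 0}
XMPP_TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"

# A few suites any SSLv3-capable server of the era would accept
# (AES128-SHA, AES256-SHA, DES-CBC3-SHA, RC4-SHA, RC4-MD5). Chosen for the example.
SSLV3_CIPHERS = [0x002F, 0x0035, 0x000A, 0x0005, 0x0004]


def build_sslv3_client_hello(client_random=None):
    """Return one TLS record carrying a ClientHello that offers only SSLv3."""
    rand = client_random if client_random is not None else os.urandom(32)
    if len(rand) != 32:
        raise ValueError("client_random must be 32 bytes")
    ciphers = b"".join(struct.pack("!H", c) for c in SSLV3_CIPHERS)
    body = (SSLV3 + rand
            + b"\x00"                               # session_id length 0
            + struct.pack("!H", len(ciphers)) + ciphers
            + b"\x01\x00")                          # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # ClientHello, 24-bit length
    return b"\x16" + SSLV3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Classify the first bytes a server sends back after the SSLv3 ClientHello.

    'accepted'  - a ServerHello whose server_version is {3, 0}: SSLv3 is enabled
    'rejected'  - an Alert, a closed connection, or a ServerHello for another version
    'unknown'   - anything else (for example a partial read)
    """
    if not data:
        return "rejected"              # server closed the connection without replying
    content_type = data[0]
    if content_type == 0x15:           # Alert (protocol_version, handshake_failure, ...)
        return "rejected"
    if content_type == 0x16 and len(data) >= 11 and data[5] == 0x02:   # Handshake / ServerHello
        return "accepted" if data[9:11] == SSLV3 else "rejected"
    return "unknown"


def _recv_until(sock, marker, limit=65536):
    """Read until marker is seen, the peer closes, or limit bytes have arrived."""
    buf = b""
    while marker not in buf and len(buf) < limit:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def probe_xmpp_sslv3(host, domain, port=5222, timeout=10.0):
    """Open an XMPP stream to host, request STARTTLS, then offer SSLv3 only.

    host, domain and port are the caller's choice (assumed inputs); 5222 is the
    client port, so run it against 5269 as well if server-to-server links matter.
    """
    stream_open = ("<?xml version='1.0'?><stream:stream to='%s' xmlns='jabber:client' "
                   "xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>" % domain)
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(stream_open.encode())
        features = _recv_until(s, b"</stream:features>")
        if XMPP_TLS_NS.encode() not in features:
            return "no-starttls"
        s.sendall(("<starttls xmlns='%s'/>" % XMPP_TLS_NS).encode())
        if b"<proceed" not in _recv_until(s, b"/>"):
            return "starttls-refused"
        s.sendall(build_sslv3_client_hello())
        try:
            reply = s.recv(4096)
        except socket.timeout:         # no answer at all: do not guess either way
            return "unknown"
        except OSError:                # connection reset: the handshake was refused
            reply = b""
        return classify_response(reply)


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: sslv3probe.py HOST DOMAIN [PORT]")
    port = int(sys.argv[3]) if len(sys.argv) > 3 else 5222
    print(probe_xmpp_sslv3(sys.argv[1], sys.argv[2], port))
```

The result to look for after disabling SSLv3 is "rejected": a server that has dropped the protocol either answers the SSLv3-only ClientHello with an alert or simply closes the connection, and both are reported the same way. "accepted" means a ServerHello came back with server_version {3, 0}, which is exactly the case the message above argues should no longer be possible. Because the client offers no other version, a ServerHello for TLS 1.0 or later is also reported as "rejected" since SSLv3 was not negotiated.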
