[Operators] SSLv3 is out.

Peter Saint-Andre - &yet peter at andyet.net
Wed Oct 15 13:04:55 UTC 2014


On 10/15/14, 2:15 AM, Matthew Wild wrote:
> On 15 October 2014 09:59, Christoph Gebhardt <chris at exosphere.de> wrote:
>> Quoting Jonas Wielicki (2014-10-15 09:47:23)
>>> I’m not confident that this attack is (like BEAST and CRIME) relevant
>>> for XMPP.
>>
>> But is SSLv3 relevant in the XMPP world?
>> In the web world this is a problem with ancient Internet Explorers on
>> Windows XP machines, everything else supports TLS, at least according
>> to ssllabs.com.
>>
>> Does anyone know of any XMPP client that needs the server to offer SSLv3?
>
> I ran some stats on a few large public servers a while ago. There are
> quite a number of SSLv3 users still out there. It wasn't easy to get
> client versions, but one example is Trillian on Windows XP. There were
> also some old bots, and some mobile clients, and I think one of the
> proxy-based clients used it (IM+?).
>
> I think the best way forward is to disable it and let them come out of
> the woodwork. We were planning to make this change in the next major
> Prosody release, as it's a bit invasive for a bugfix release. However
> I think this new development justifies it - SSLv3 just isn't an option
> if you want security, and I think we're at the point that it would be
> better to prevent these insecure clients from connecting than let them
> continue thinking everything is ok.

+1

That's consistent with the UTA work:

https://datatracker.ietf.org/doc/draft-ietf-uta-xmpp/
https://datatracker.ietf.org/doc/draft-ietf-uta-tls-bcp/

Peter

-- 
Peter Saint-Andre
https://andyet.com/
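Matthew's plan above is to turn SSLv3 off at the server and let the stragglers surface, which is also what the TLS BCP Peter links recommends. The following Prosody configuration fragment is an added illustration of that change, not code from the thread or from the Prosody project; certificate paths and hostnames are assumptions, and the option names are the LuaSec/OpenSSL SSL_OP_* flags ("no_sslv2", "no_sslv3", and so on) that Prosody's ssl table accepts.

```lua
-- Added example (not from the thread): a Prosody TLS configuration that
-- refuses SSLv3, the change Matthew describes shipping in Prosody.
-- Paths are assumed; option names map to OpenSSL SSL_OP_* flags via LuaSec.

-- Weak: an older config that only excludes SSLv2, so an SSLv3-only client
-- (the Trillian-on-XP case from the thread) still negotiates SSLv3.
-- ssl = {
--     key = "/etc/prosody/certs/example.com.key";          -- assumed path
--     certificate = "/etc/prosody/certs/example.com.crt";  -- assumed path
--     options = { "no_sslv2" };
-- }

-- Hardened: exclude SSLv3 as well, together with the other hardening flags
-- usually set alongside it. Clients stuck on SSLv3 now fail the handshake
-- instead of continuing on a broken protocol.
ssl = {
    key = "/etc/prosody/certs/example.com.key";          -- assumed path
    certificate = "/etc/prosody/certs/example.com.crt";  -- assumed path
    options = {
        "no_sslv2",
        "no_sslv3",                  -- the change this thread is about
        "no_ticket",
        "no_compression",            -- also removes the CRIME-style compression surface
        "cipher_server_preference",  -- server picks the cipher, not the client
        "single_dh_use",
        "single_ecdh_use",
    };
}

-- Require TLS on client and server-to-server links so there is no
-- plaintext fallback for a client that cannot complete the handshake.
c2s_require_encryption = true
s2s_require_encryption = true
```

The options list is written out in full rather than relying on whatever a given Prosody version defaults to, so the setting is explicit in the config file. After reloading the configuration (for example with prosodyctl reload), clients that only speak SSLv3 will fail at STARTTLS; handshake failures in Prosody's c2s log are where those legacy clients "come out of the woodwork", which gives an operator a list of users to contact about upgrading.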
