[Operators] Please enable Forward Secrecy for your servers!

Mathias Ertl mati at fsinf.at
Fri Jul 10 09:47:26 UTC 2015

Dear fellow operators,

We at jabber.at would like to announce that we will exclusively support
forward secrecy[1] enabled ciphers starting *October 1st, 2015*. Servers
that do not support any of those ciphers by then, will not be able to
federate with us until they upgrade.

We already tested this setup, and there were very few users with
connection problems (e.g. with a 7 year old Pidgin). The biggest problem
are very old servers that use far outdated software. For a "secure
network", that's just sad.

You can test if you're ready at https://xmpp.net. If you support any
forward secrecy cipher, you are fine. If you use the versions of
ejabberd and Prosody that ship with the current Debian Stable or Ubuntu
LTS, you're fine as well. If you use e.g. Debian Squeeze, you definitely
should update.

For everyone, here's a short reminder about current best security
practices (none of them have caused *any* problems with our users!):

* Enforce encryption for both c2s and s2s connections.
* Disable SSLv3 (very broken), enable TLSv1.2.
* Disable RC4 ciphers (also very broken).
* Have a valid 4096 bit certificate with at least a sha256 signature.

greetings, Mati
(from jabber.at)

[1] https://en.wikipedia.org/wiki/Forward_secrecy

twitter: @mathiasertl | xing: Mathias Ertl | email: mati at er.tl
I only read plain-text mail!  I prefer signed/encrypted mail!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6044 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://mail.jabber.org/pipermail/operators/attachments/20150710/29bfaa5e/attachment.bin>

More information about the Operators mailing list