[Operators] Please enable Forward Secrecy for your servers!

Ludovic BOCQUET lbxmpp at live.com
Fri Jul 10 19:24:58 UTC 2015


Hi Mathias,

Happy to read this!

Cheers,

Ludovic

On 10/07/2015 11:47, Mathias Ertl wrote:
> Dear fellow operators,
>
> We at jabber.at would like to announce that we will exclusively support
> forward secrecy[1] enabled ciphers starting *October 1st, 2015*. Servers
> that do not support any of those ciphers by then will not be able to
> federate with us until they upgrade.
>
> We already tested this setup, and there were very few users with
> connection problems (e.g. with a 7-year-old Pidgin). The biggest problem
> is very old servers that use far outdated software. For a "secure
> network", that's just sad.
>
> You can test if you're ready at https://xmpp.net. If you support any
> forward secrecy cipher, you are fine. If you use the versions of
> ejabberd and Prosody that ship with the current Debian Stable or Ubuntu
> LTS, you're fine as well. If you use e.g. Debian Squeeze, you definitely
> should update.
>
> For everyone, here's a short reminder about current best security
> practices (none of them have caused *any* problems with our users!):
>
> * Enforce encryption for both c2s and s2s connections.
> * Disable SSLv3 (very broken), enable TLSv1.2.
> * Disable RC4 ciphers (also very broken).
> * Have a valid 4096-bit certificate with at least a sha256 signature.
>
> greetings, Mati
> (from jabber.at)
>
> [1] https://en.wikipedia.org/wiki/Forward_secrecy
>
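
The checklist from the quoted announcement, written as an added audit sketch (not part of the original thread and not jabber.at's tooling). The two server profiles are constructed, the dictionary keys are hypothetical, and cipher names follow OpenSSL naming; treating TLS 1.3 suites as forward secret goes beyond the 2015 post.

```python
import re

# OpenSSL name prefixes for authenticated ephemeral key exchange.
# Anonymous suites (ADH-, AECDH-) are deliberately not matched.
FS_PREFIXES = ("ECDHE-", "DHE-", "EDH-")
# TLS 1.3 suite names always use ephemeral key exchange (assumption beyond the post).
TLS13 = re.compile(r"^TLS_(AES|CHACHA20)_")
STRONG_HASHES = {"sha256", "sha384", "sha512"}

def is_forward_secret(cipher):
    return cipher.startswith(FS_PREFIXES) or bool(TLS13.match(cipher))

def audit(server):
    """Return findings against the announcement's checklist; [] means ready."""
    findings = []
    if not (server["c2s_required"] and server["s2s_required"]):
        findings.append("encryption not enforced on c2s and s2s")
    if "SSLv3" in server["protocols"]:
        findings.append("SSLv3 enabled")
    if "TLSv1.2" not in server["protocols"]:
        findings.append("TLSv1.2 not enabled")
    if any("RC4" in c for c in server["ciphers"]):
        findings.append("RC4 cipher offered")
    # The announcement only requires that at least one FS cipher is supported.
    if not any(is_forward_secret(c) for c in server["ciphers"]):
        findings.append("no forward secrecy cipher offered")
    if server["cert_bits"] < 4096 or server["cert_sig"] not in STRONG_HASHES:
        findings.append("certificate below 4096 bit / sha256")
    return findings

# Constructed sample profiles (hypothetical field names and values).
OLD_SERVER = {
    "c2s_required": False, "s2s_required": False,
    "protocols": {"SSLv3", "TLSv1"},
    "ciphers": ["RC4-SHA", "AES128-SHA", "DES-CBC3-SHA"],
    "cert_bits": 2048, "cert_sig": "sha1",
}
CURRENT_SERVER = {
    "c2s_required": True, "s2s_required": True,
    "protocols": {"TLSv1", "TLSv1.1", "TLSv1.2"},
    "ciphers": ["ECDHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES128-SHA", "AES128-SHA"],
    "cert_bits": 4096, "cert_sig": "sha256",
}

if __name__ == "__main__":
    for name, srv in (("old", OLD_SERVER), ("current", CURRENT_SERVER)):
        print(name, audit(srv) or "ready")
```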

