[Operators] Please enable Forward Secrecy for your servers!
a at creep.im
Mon Jul 27 17:42:18 UTC 2015
I upgraded from Wheezy's ejabberd to Jessie's in the week the latter was
released and can say that it was not that hard. Now ejabberd is
relatively up-to-date and works great. The configuration format changed
to YAML, but ejabberd is shipped with a conversion tool, which converts
the old config into the new format:

    ejabberdctl convert_to_yaml /etc/ejabberd/ejabberd.cfg

However, typically there is more than just the XMPP service running on
the server, and all of that should be adapted to the new version of
Debian too, which of course may seem difficult. Nonetheless, I suggest
all of the users of Jessie take your time and schedule the upgrade, it is
On 07/27/2015 08:22 PM, David Mohr wrote:
> I second this a little bit.
> In my case I need to upgrade from Debian wheezy to jessie to get PFS,
> so there is more work involved. And I'd expect a decent number of
> servers to be in the same situation. Jessie came out in April, so it's
> not brand new. But it is still fairly recent and you can't just expect
> everyone to have upgraded already.
> On the other hand, there will never be a perfect time to make such a
> switch and I do appreciate the push for more security.
> On 2015-07-27 07:46, Eric Koldeweij wrote:
>> Yes, my server would be one of those who cannot reach jabber.ccc.de
>> any more.
>> I did not get around to turning it on yet, I need a software upgrade
>> for that.
>> I understand the need for extra security but enforcing it right away
>> without giving fellow operators time to upgrade as well will only hurt
>> the community. I thought I had until end of September for this.
>> Not happy.
>> On 07/27/15 15:07, Peter Schwindt wrote:
>>> Hi Mike,
>>> On 07/10/2015 01:11 PM, Mike Barnes wrote:
>>>> Do you have any details on which client software and versions you've
>>>> tested, Mathias? I've been looking at doing this but I've been more
>>>> concerned about the client experience than s2s issues.
>>> At jabber.ccc.de, I had (forcing Forward Secrecy for a week now) not a
>>> single person experiencing (and messaging me about it) client issues.
>>> But, and that's quite a lot more than Mathias observed, we're missing
>>> about 1/3 of all the S2S connections.