[Operators] Please enable Forward Secrecy for your servers!

A a at creep.im
Mon Jul 27 17:42:18 UTC 2015


I had upgraded from Wheezy's ejabberd to Jessie's within a week of the 
latter being released, and I can say that it was not that hard. Now 
ejabberd is relatively up to date and works great. The configuration 
format changed to YAML, but ejabberd ships with a conversion tool, which 
converts the old config into the new format:

ejabberdctl convert_to_yaml /etc/ejabberd/ejabberd.cfg /etc/ejabberd/ejabberd.yml

However, typically there is more than just the XMPP service running on 
the server, and all of that has to be adapted to the new version of 
Debian too, which of course may seem difficult. Nonetheless, I suggest 
all users of Jessie take their time and schedule the upgrade; it is 
worth it.

On 07/27/2015 08:22 PM, David Mohr wrote:
> I second this a little bit.
>
> In my case I need to upgrade from Debian wheezy to jessie to get PFS, 
> so there is more work involved. And I'd expect a decent number of 
> servers to be in the same situation. Jessie came out in April, so it's 
> not brand new. But it is still fairly recent and you can't just expect 
> everyone to have upgraded already.
>
> On the other hand, there will never be a perfect time to make such a 
> switch and I do appreciate the push for more security.
>
> ~David
>
> On 2015-07-27 07:46, Eric Koldeweij wrote:
>> Yes, my server would be one of those who cannot reach jabber.ccc.de 
>> any more.
>> I did not get around to turning it on yet, I need a software upgrade 
>> for that.
>>
>> I understand the need for extra security, but enforcing it right away
>> without giving fellow operators time to upgrade as well will only hurt
>> the community. I thought I had until the end of September for this.
>>
>> Not happy.
>>
>> Eric.
>>
>> On 07/27/15 15:07, Peter Schwindt wrote:
>>> Hi Mike,
>>>
>>> On 07/10/2015 01:11 PM, Mike Barnes wrote:
>>>
>>>> Do you have any details on which client software and versions you've
>>>> tested, Mathias? I've been looking at doing this but I've been more
>>>> concerned about the client experience than s2s issues.
>>> At jabber.ccc.de, I had (forcing Forward Secrecy for a week now) not a
>>> single person experiencing (and messaging me about it) client issues.
>>>
>>> But, and that's quite a lot more than Mathias observed, we're missing
>>> about 1/3 of all the S2S connections.
>>>
>>> Best,
>>> Peter
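Whether a given XMPP endpoint still negotiates a non-ephemeral cipher (the case behind the missing s2s links discussed above) can be checked from the operator side. The probe below is an added example, not code from this thread or from the ejabberd project: it opens a stream (jabber:client on port 5222 by default; pass port=5269 and ns=NS_SERVER for s2s), requests STARTTLS with a stock OpenSSL context, and reports whether the negotiated cipher uses an ephemeral key exchange. The host and domain are assumed inputs.

```python
# Probe an XMPP server's STARTTLS and report whether the negotiated cipher
# uses an ephemeral key exchange.  Constructed example, not ejabberd code.
import socket
import ssl

NS_CLIENT = "jabber:client"   # c2s, usually port 5222
NS_SERVER = "jabber:server"   # s2s, usually port 5269
# OpenSSL cipher-name prefixes with an ephemeral, authenticated exchange;
# every TLS 1.3 suite (TLS_...) is ephemeral by design.
FS_PREFIXES = ("ECDHE-", "DHE-", "EDH-", "TLS_")


def has_forward_secrecy(cipher_name):
    """True if the negotiated cipher name denotes an ephemeral exchange."""
    return cipher_name.upper().startswith(FS_PREFIXES)


def stream_header(domain, ns=NS_CLIENT):
    """Opening <stream:stream> sent by the initiator for the given namespace."""
    return ("<?xml version='1.0'?><stream:stream to='%s' version='1.0' "
            "xmlns='%s' xmlns:stream='http://etherx.jabber.org/streams'>"
            % (domain, ns)).encode()


def read_until(sock, marker, limit=65536):
    """Read from the socket until `marker` appears (or the peer closes)."""
    buf = b""
    while marker not in buf and len(buf) < limit:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def probe_starttls(host, domain, port=5222, ns=NS_CLIENT, timeout=5.0):
    """Open a stream, request STARTTLS, and report the negotiated cipher."""
    sock = socket.create_connection((host, port), timeout=timeout)
    sock.sendall(stream_header(domain, ns))
    if b"starttls" not in read_until(sock, b"</stream:features>"):
        raise RuntimeError("server does not advertise STARTTLS")
    sock.sendall(b"<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>")
    if b"<proceed" not in read_until(sock, b"/>"):
        raise RuntimeError("server refused STARTTLS")
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # inspect the key exchange only,
    ctx.verify_mode = ssl.CERT_NONE   # not the certificate chain
    tls = ctx.wrap_socket(sock, server_hostname=domain)
    cipher, version, _bits = tls.cipher()
    tls.close()
    return {"cipher": cipher, "tls_version": version,
            "forward_secrecy": has_forward_secrecy(cipher)}
```

A peer that enforces forward secrecy will simply fail the handshake (ssl.SSLError) for a probe restricted to static RSA ciphers, which is the s2s symptom Peter describes.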


