[Operators] xmpp.net is back and some logjam stats
Thomas Camaran
camaran at gmail.com
Thu Oct 22 09:23:21 UTC 2015
hi, how i can add a cache copy of xmpp.net on my server?
2015-10-22 11:09 GMT+02:00 Thijs Alkemade <thijs at xnyhps.nl>:
> Hello all,
>
> As discussed previouson this list, xmpp.net was down for a while due to
> hardware failure. It is now back up on a different server. Most of it is
> working again, but some tables on the stats page are still broken.
>
> While doing that, I also made some updates to the test, inspired by the
> updates to ssllabs.com:
>
> * Grades will be capped to B if SSLv3 is supported. The grade will be F if
> SSLv3 is the highest protocol version supported.
>
> * Grades will be capped to C if RC4 is used with TLS 1.1 or TLS 1.2.
>
> * The size of the DH parameters now impacts the key exchange score.
>
> * Grades will be capped to B when using DH parameters of less than 2048
> bits.
>
> * Grades will be capped to C if TLS compression is enabled.
>
> * Grades will be capped to C when TLS 1.2 is not supported.
>
>
> Additionally, the DHE group and the ECDHE curve that were used are now
> stored,
> to see how much the Logjam attack [1] impacts XMPP servers.
>
> With just a couple of days of data, here's some statistics on the standard
> DH
> groups used:
>
> count | group_name
> -------+----------------------------------------------------------------
> 1 | RFC 3526 3072-bit MODP Group
> 1 | RFC 3526 4069-bit MODP Group
> 1 | draft-ietf-tls-negotiated-ff-dhe-10 ffdhe2048
> 1 | RFC 2409 Second Oakley Group
> 1 | RFC 3526 8192-bit MODP Group
> 12 | RFC 3526 2048-bit MODP Group
> 14 | Java sun.security.provider default 512-bit prime
> 22 | Java sun.security.provider default 1024-bit prime
> 60 | Java sun.security.provider default 768-bit prime
> 131 |
> 157 | RFC 5114 1024-bit MODP Group with 160-bit Prime Order Subgroup
>
> This means only 131 of these 410 servers are using custom DH parameters. 60
> servers are using a common 768-bit DH group and 14 servers using a common
> 512-bit prime (which are likely using DHE-EXPORT, so vulnerable to logjam).
>
> [1] estimates that breaking a 768-bit prime is within reach for an academic
> team. The version replies from the servers using the 768-bit prime
> indicates
> they are running Openfire 3.7 - 3.10 or Tigase 5.2.1. All other Openfire
> servers are using the Java sun.security.provider default 1024-bit prime
> (probably the difference between Java 7 and Java 8).
>
> [1] further estimates that breaking a few commonly used 1024-bit groups
> would
> be in range for a nation-state attacker and the RFC 5114 1024-bit MODP
> Group
> is used a lot. Version replies show these servers are running ejabberd 2.1
> -
> 15.09.
>
> It appears ejabberd 15.06 added an option to set your own dh parameters
> [2], I
> strongly recommended to upgrade and generate your own parameters. If you
> are
> running Openfire (or are using ejabberd and unable to update), you might
> want
> to disable DHE completely and rely on ECDHE instead.
>
> [1] = https://weakdh.org/
> [2] = https://www.ejabberd.im/node/24959
>
> Best regards,
> Thijs
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.jabber.org/pipermail/operators/attachments/20151022/0545e037/attachment.html>
More information about the Operators
mailing list