[Operators] xmpp.net is back and some logjam stats
camaran at gmail.com
Thu Oct 22 09:23:21 UTC 2015
hi, how can I add a cache copy of xmpp.net on my server?
2015-10-22 11:09 GMT+02:00 Thijs Alkemade <thijs at xnyhps.nl>:
> Hello all,
> As discussed previously on this list, xmpp.net was down for a while due to
> hardware failure. It is now back up on a different server. Most of it is
> working again, but some tables on the stats page are still broken.
> While doing that, I also made some updates to the test, inspired by the
> updates to ssllabs.com:
> * Grades will be capped to B if SSLv3 is supported. The grade will be F if
> SSLv3 is the highest protocol version supported.
> * Grades will be capped to C if RC4 is used with TLS 1.1 or TLS 1.2.
> * The size of the DH parameters now impacts the key exchange score.
> * Grades will be capped to B when using DH parameters of less than 2048
> * Grades will be capped to C if TLS compression is enabled.
> * Grades will be capped to C when TLS 1.2 is not supported.
> Additionally, the DHE group and the ECDHE curve that were used are now
> to see how much the Logjam attack impacts XMPP servers.
> With just a couple of days of data, here's some statistics on the standard
> groups used:
> count | group_name
> 1 | RFC 3526 3072-bit MODP Group
> 1 | RFC 3526 4069-bit MODP Group
> 1 | draft-ietf-tls-negotiated-ff-dhe-10 ffdhe2048
> 1 | RFC 2409 Second Oakley Group
> 1 | RFC 3526 8192-bit MODP Group
> 12 | RFC 3526 2048-bit MODP Group
> 14 | Java sun.security.provider default 512-bit prime
> 22 | Java sun.security.provider default 1024-bit prime
> 60 | Java sun.security.provider default 768-bit prime
> 131 |
> 157 | RFC 5114 1024-bit MODP Group with 160-bit Prime Order Subgroup
> This means only 131 of these 410 servers are using custom DH parameters. 60
> servers are using a common 768-bit DH group and 14 servers using a common
> 512-bit prime (which are likely using DHE-EXPORT, so vulnerable to logjam).
>  estimates that breaking a 768-bit prime is within reach for an academic
> team. The version replies from the servers using the 768-bit prime
> they are running Openfire 3.7 - 3.10 or Tigase 5.2.1. All other Openfire
> servers are using the Java sun.security.provider default 1024-bit prime
> (probably the difference between Java 7 and Java 8).
>  further estimates that breaking a few commonly used 1024-bit groups
> be in range for a nation-state attacker and the RFC 5114 1024-bit MODP
> is used a lot. Version replies show these servers are running ejabberd 2.1
> It appears ejabberd 15.06 added an option to set your own dh parameters, I
> strongly recommended to upgrade and generate your own parameters. If you
> running Openfire (or are using ejabberd and unable to update), you might
> to disable DHE completely and rely on ECDHE instead.
>  = https://weakdh.org/
>  = https://www.ejabberd.im/node/24959
> Best regards,
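The grade caps Thijs lists above, written out as a small scorer (an added example, not xmpp.net's own code). The `TlsScan` record, the letter ordering and the "A" base grade are assumptions; the cap rules themselves are taken from the mail, and the sample scans are constructed to resemble the server populations it describes.

```python
# Added example (not xmpp.net's own code): the grade caps from the mail
# applied to a scan record. Record fields and the letter order are assumed.
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

GRADES = ["A", "B", "C", "D", "E", "F"]                 # best to worst
PROTOCOLS = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]  # oldest to newest


@dataclass
class TlsScan:
    protocols: Set[str]                 # protocol versions the server accepts
    rc4_with_tls11_or_12: bool = False  # RC4 suite negotiable under TLS 1.1/1.2
    dh_bits: Optional[int] = None       # DHE prime size; None if no DHE suite
    compression: bool = False           # TLS compression enabled


def cap(grade: str, ceiling: str) -> str:
    """Return the worse of two grades: a cap can only lower a grade."""
    return GRADES[max(GRADES.index(grade), GRADES.index(ceiling))]


def graded(scan: TlsScan, base: str = "A") -> Tuple[str, List[str]]:
    """Apply each cap from the mail to `base` and record which ones fired."""
    result, why = base, []
    highest = max(scan.protocols, key=PROTOCOLS.index) if scan.protocols else None
    if highest == "SSLv3":
        result, why = cap(result, "F"), why + ["SSLv3 is the highest protocol"]
    elif "SSLv3" in scan.protocols:
        result, why = cap(result, "B"), why + ["SSLv3 supported"]
    if scan.rc4_with_tls11_or_12:
        result, why = cap(result, "C"), why + ["RC4 with TLS 1.1/1.2"]
    if scan.dh_bits is not None and scan.dh_bits < 2048:
        result, why = cap(result, "B"), why + [f"{scan.dh_bits}-bit DH parameters"]
    if scan.compression:
        result, why = cap(result, "C"), why + ["TLS compression enabled"]
    if "TLSv1.2" not in scan.protocols:
        result, why = cap(result, "C"), why + ["TLS 1.2 not supported"]
    return result, why

# Constructed scans shaped like the populations the mail describes.
SAMPLES = {
    "common_768bit_dh_group": TlsScan({"TLSv1.0", "TLSv1.1", "TLSv1.2"}, dh_bits=768),
    "rfc5114_1024_without_tls12": TlsScan({"TLSv1.0", "TLSv1.1"}, dh_bits=1024),
    "sslv3_only_legacy": TlsScan({"SSLv3"}, dh_bits=1024, compression=True),
    "ecdhe_only_tls12": TlsScan({"TLSv1.2"}),
}

if __name__ == "__main__":
    for name, scan in SAMPLES.items():
        print(f"{name}: {graded(scan)[0]} {graded(scan)[1]}")
```

The scorer only lowers grades, so a server offering DHE with a sub-2048-bit group can never score above B regardless of its other settings, which is the point of the new test.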