[Operators] Please enable Forward Secrecy for your servers!

Kim Alvefur zash at zash.se
Sat Sep 12 19:33:27 UTC 2015


Hi all!

At the last summit in Brussels, at some point, the issue came up of how
reporting errors from TLS cipher mismatches is kinda horrible.  So the
idea of allowing a more liberal set of ciphers but throwing a
<stream:error> at the application level came up, and I wrote a
proof-of-concept plugin for Prosody doing just this.

http://modules.prosody.im/mod_tls_policy.html

It will basically run a pattern match on the cipher string and, if it
does not match, close the connection with:
<stream:error>
  <policy-violation/>
  <text>TLS cipher 'RC4-MD5' not acceptable</text>
</stream:error>

-- 
Kim "Zash" Alvefur
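As an added illustration (not part of the post and not mod_tls_policy's own code), here is the check the post describes in Python: match the negotiated OpenSSL cipher name against a policy and, on mismatch, build the <stream:error> shown above. The forward-secrecy policy patterns are an assumed example, not Prosody's defaults.

```python
import re
import xml.etree.ElementTree as ET

# XMPP namespaces from RFC 6120: the stream wrapper and the stream-error conditions.
STREAM_NS = "http://etherx.jabber.org/streams"
STREAMS_NS = "urn:ietf:params:xml:ns:xmpp-streams"

# Assumed example policy (constructed, not from the page): require an ECDHE or DHE
# key exchange so the session has forward secrecy, and forbid known-weak algorithms.
DEFAULT_POLICY = {
    "require": re.compile(r"^(ECDHE|DHE)-"),
    "forbid": re.compile(r"(RC4|MD5|NULL|EXP|DES-CBC)"),
}


def cipher_acceptable(cipher, policy=DEFAULT_POLICY):
    """Return True when the negotiated cipher name (OpenSSL form) satisfies the policy."""
    if policy["forbid"].search(cipher):
        return False
    return bool(policy["require"].search(cipher))


def build_stream_error(cipher):
    """Build the <stream:error> with <policy-violation/> and the explanatory <text/>."""
    err = ET.Element(f"{{{STREAM_NS}}}error")
    ET.SubElement(err, f"{{{STREAMS_NS}}}policy-violation")
    text = ET.SubElement(err, f"{{{STREAMS_NS}}}text")
    text.text = f"TLS cipher '{cipher}' not acceptable"
    return err


def check_connection(cipher, policy=DEFAULT_POLICY):
    """Return None when the session may continue, else the stream error to send before closing."""
    if cipher_acceptable(cipher, policy):
        return None
    return build_stream_error(cipher)


def serialize(err):
    """Render the error element as the server would write it to the stream."""
    ET.register_namespace("stream", STREAM_NS)
    return ET.tostring(err, encoding="unicode")


if __name__ == "__main__":
    for name in ("ECDHE-RSA-AES128-GCM-SHA256", "RC4-MD5"):
        result = check_connection(name)
        print(name, "->", "ok" if result is None else serialize(result))
```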

