[Operators] s2s connectivity to jabber.ru -- dh key too small
jonas at wielicki.name
Sun Aug 11 11:55:21 UTC 2019
On Freitag, 9. August 2019 09:12:35 CEST Holger Weiß wrote:
> * Jonas Schäfer <jonas at wielicki.name> [2019-08-08 19:14]:
> > I was contacted by someone @jabber.ru, but I cannot reply because the DH
> > key size used by their server for TLS is too small to be accepted by the
> > TLS libraries distributed with Debian stable.
> For what it's worth, the problem is not the OpenSSL library distributed
> with Debian (OpenSSL still accepts 512 bit DH keys), but Debian stable's
> restrictive default settings in /etc/ssl/openssl.cnf. Those settings
> also enforce TLSv1.2 and accept only a small set of ciphers, for
> example. While this may work for common (HTTP) use cases, it can of
> course easily lead to such backward compatibility issues for us (and
> others; there are various related issues in Debian's bug tracker). On the
> Debian systems I maintain, I therefore revert to OpenSSL's upstream
> defaults by changing the bottom of /etc/ssl/openssl.cnf to:
> MinProtocol = None
> CipherString = DEFAULT
> I'd prefer if a Linux distribution would only apply changes to upstream
> software required for integration with the rest of the operating system,
> rather than such policy enforcement ... :-/
Right. We had a discussion about this in conversations@ and Holger convinced
me that the public channels listed by muclumubs are more IRC-like and applying
strict ciphers to a listing of *public* rooms isn’t helping anyone.
Luckily, this is a separate xmppd on a separate box so it is trivial for me to
lower the requirements. As of now, the dh key size requirement is back to
normal (whatever that is) and I see connectivity to both jabber.ru and
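As an added illustration, not part of the thread and not code from any of the posters, the POSIX sh helper below reads the "Server Temp Key:" line that `openssl s_client` prints for a connection and checks the reported group size against the DH and ECC key-size floors of OpenSSL's security levels. Debian buster's /etc/ssl/openssl.cnf ships `CipherString = DEFAULT@SECLEVEL=2` together with `MinProtocol = TLSv1.2`, and security level 2 is what rejects DH groups shorter than 2048 bits; the `CipherString = DEFAULT` setting quoted above drops back to level 1 (1024-bit floor). The sample s_client output strings are constructed for the example, and the `probe_s2s` function and the host name passed to it are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: judge the ephemeral key a TLS
# server offers against OpenSSL's security-level floors.

# DH key-size floor (bits) per OpenSSL security level, from the
# SSL_CTX_set_security_level(3) table. Level 0 permits anything.
min_dh_bits_for_seclevel() {
    case "$1" in
        0) echo 0 ;;
        1) echo 1024 ;;
        2) echo 2048 ;;   # Debian buster default: DEFAULT@SECLEVEL=2
        3) echo 3072 ;;
        4) echo 7680 ;;
        5) echo 15360 ;;
        *) echo "unknown security level: $1" >&2; return 1 ;;
    esac
}

# ECC key-size floor (bits) per security level, same table.
min_ecc_bits_for_seclevel() {
    case "$1" in
        0) echo 0 ;;
        1) echo 160 ;;
        2) echo 224 ;;
        3) echo 256 ;;
        4) echo 384 ;;
        5) echo 512 ;;
        *) echo "unknown security level: $1" >&2; return 1 ;;
    esac
}

# Print "<type> <bits>" from the first "Server Temp Key:" line in s_client
# output. OpenSSL prints lines such as:
#   Server Temp Key: DH, 1024 bits
#   Server Temp Key: ECDH, P-256, 256 bits
#   Server Temp Key: X25519, 253 bits
server_temp_key() {
    printf '%s\n' "$1" \
      | sed -n 's/^[[:space:]]*Server Temp Key: \([^,]*\),.* \([0-9][0-9]*\) bits$/\1 \2/p' \
      | head -n 1
}

# Exit status 0 if the server's temp key meets security level $2,
# 1 if it is too small, 2 if no usable "Server Temp Key" line was found.
check_temp_key_against_seclevel() {
    stk_key=$(server_temp_key "$1")
    [ -n "$stk_key" ] || return 2
    stk_type=${stk_key%% *}
    stk_bits=${stk_key##* }
    case "$stk_type" in
        DH) stk_need=$(min_dh_bits_for_seclevel "$2") || return 2 ;;
        ECDH|X25519|X448) stk_need=$(min_ecc_bits_for_seclevel "$2") || return 2 ;;
        *) return 2 ;;
    esac
    [ "$stk_bits" -ge "$stk_need" ]
}

# Live probe of an XMPP s2s port (assumption: host given as $1, port 5269).
# "-starttls xmpp-server" and "-xmpphost" need OpenSSL 1.1.0 or newer.
# Not executed here; pipe its output into check_temp_key_against_seclevel.
probe_s2s() {
    openssl s_client -connect "$1:5269" -starttls xmpp-server -xmpphost "$1" \
        </dev/null 2>/dev/null
}

# Constructed sample outputs (made up for this example, not captured from
# any real server): a 1024-bit DH group and an X25519 exchange.
SAMPLE_WEAK='---
No client certificate CA names sent
Server Temp Key: DH, 1024 bits
---'
SAMPLE_OK='Server Temp Key: X25519, 253 bits'

# Demo: the weak group passes at level 1 but is refused at level 2.
for lvl in 1 2; do
    if check_temp_key_against_seclevel "$SAMPLE_WEAK" "$lvl"; then
        echo "SECLEVEL=$lvl: $(server_temp_key "$SAMPLE_WEAK") accepted"
    else
        echo "SECLEVEL=$lvl: $(server_temp_key "$SAMPLE_WEAK") rejected"
    fi
done
```

Run it as `sh check_dh.sh` to see the constructed sample judged at levels 1 and 2; for a real server, `probe_s2s example.org | ...` feeds the same parser. The point of the two tables is that the threshold lives in the client's security level, not in the server's certificate, which is why the same server works from one Debian release and fails from another.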