[Operators] s2s connectivity to jabber.ru -- dh key too small

Jonas Schäfer jonas at wielicki.name
Sun Aug 11 11:55:21 UTC 2019

On Freitag, 9. August 2019 09:12:35 CEST Holger Weiß wrote:
> * Jonas Schäfer <jonas at wielicki.name> [2019-08-08 19:14]:
> > I was contacted by someone @jabber.ru, but I cannot reply because the DH
> > key size used by their server for TLS is too small to be accepted by the
> > TLS libraries distributed with Debian stable.
> For what it's worth, the problem is not the OpenSSL library distributed
> with Debian (OpenSSL still accepts 512 bit DH keys), but Debian stable's
> restrictive default settings in /etc/ssl/openssl.cnf.  Those settings
> also enforce TLSv1.2 and accept only a small set of ciphers, for
> example.  While this may work for common (HTTP) use cases, it can of
> course easily lead to such backward compatibilty issues for us (and
> others; there's various related issues in Debian's bug tracker).  On the
> Debian systems I maintain, I therefore revert to OpenSSL's upstream
> defaults by changing the bottom of /etc/ssl/openssl.cnf to:
> 	[system_default_sect]
> 	MinProtocol = None
> 	CipherString = DEFAULT
> I'd prefer if a Linux distribution would only apply changes to upstream
> software required for integration with the rest of the operating system,
> rather than such policy enforcement ... :-/

Right. We had a discussion about this in conversations@ and Holger convinced 
me that the public channels listed by muclumubs are more IRC-like and applying 
strict ciphers to a listing of *public* rooms isn’t helping anyone.

Luckily, this is a separate xmppd on a separate box so it is trivial for me to 
lower the requirements. As of now, the dh key size requirement is back to 
normal (whatever that is) and I see connectivity to both jabber.ru and 

kind regards,
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part.
URL: <http://mail.jabber.org/pipermail/operators/attachments/20190811/a98caf6d/attachment.sig>

More information about the Operators mailing list