Bug #1823

SECURITY: TLS uses weak ciphers to connect

Added by Anonymous over 4 years ago. Updated over 2 years ago.

Status:ResolvedStart date:09/04/2013
Priority:NormalDue date:
Assignee:-% Done:

0%

Category:-
Target version:v14.2 bug fix update!
Component:

Description

Please see the results of TLS cipher testing:
https://blog.thijsalkema.de/blog/2013/09/02/the-state-of-tls-on-xmpp-3/

GibberBot currently prefers weak RC4-MD5, RC4-SHA ciphers. Ephemeral suites and elliptic curve modes should be preferred when available, something like:

ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA
ECDH-RSA-AES256-GCM-SHA384
ECDH-ECDSA-AES256-GCM-SHA384
ECDH-RSA-AES256-SHA384
ECDH-ECDSA-AES256-SHA384
ECDH-RSA-AES256-SHA
ECDH-ECDSA-AES256-SHA
DHE-DSS-AES256-GCM-SHA384
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-SHA256
DHE-DSS-AES256-SHA256
DHE-RSA-AES256-SHA
DHE-DSS-AES256-SHA

History

#1 Updated by n8fr8 over 4 years ago

  • Target version set to v12 - March Mantra

#2 Updated by n8fr8 over 4 years ago

  • Status changed from New to Feedback
  • Target version changed from v12 - March Mantra to v13 - October Oooya

we have patched the ASMACK library to use a custom set of cipher suites, in line with what is deemed best practices. we will further tune and verify this in our next v13 release this month.

#3 Updated by n8fr8 about 4 years ago

  • Target version changed from v13 - October Oooya to v14 - Armadillo's Agram

#4 Updated by n8fr8 over 2 years ago

  • Target version changed from v14 - Armadillo's Agram to v14.2 bug fix update!

#5 Updated by n8fr8 over 2 years ago

  • Status changed from Feedback to Resolved

Also available in: Atom PDF