On Fri, Sep 13, 2013 at 02:00:59PM +0100, Matthew Wild wrote:
> We have a handy bot in the Prosody chatroom to check certificates over
> s2s. I'm pleased to inform you that:
>
> 13:55:29 MattJ> -certinfo shaftnet.org
> 13:55:34 Bunneh> MattJ: shaftnet.org has a valid certificate issued
> by Gandi Standard SSL CA

Excellent!

> but:
>
> 13:56:50 MattJ> -cipher shaftnet.org
> 13:56:50 Bunneh> MattJ: Connection to shaftnet.org uses cipher RC4-MD5

Eww.

> RC4 isn't very highly regarded nowadays, as multiple issues have been
> found with its security[1]. Note that the bot's server intentionally
> negotiates the weakest cipher you support, so it might not be anything
> to lose sleep over :)

This is actually a big part of what I was curious about. jabberd2's set of ciphers isn't configurable (defaults to ALL:!LOW:!SSLv2:!EXP:!aNULL) so I was curious as to what that translated to on the wire, so to speak.

I wonder if there's any risk of losing interop if I disable RC4-*..

Thanks for running this test for me.

 - Solomon
-- 
Solomon Peachy                         pizza at shaftnet dot org
Delray Beach, FL                          ^^ (email/xmpp) ^^
Quidquid latine dictum sit, altum viditur.
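An added example, not part of the original message and not jabberd2 code: one way to see what the cipher string quoted above expands to on a given host, and what is left once RC4 is excluded. It uses Python's standard `ssl` module; the helper names and the RC4-only peer list are constructed for illustration, and the output depends on the local OpenSSL build (many current builds omit RC4 entirely).

```python
import ssl

# jabberd2's fixed cipher string, as quoted in the message above.
JABBERD2_DEFAULT = "ALL:!LOW:!SSLv2:!EXP:!aNULL"

# Constructed sample: a hypothetical legacy peer that offers only RC4 suites.
RC4_ONLY_PEER = ["RC4-MD5", "RC4-SHA"]


def expand(cipher_string):
    """Return the suite names the local OpenSSL enables for this string,
    in the order OpenSSL would prefer them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]


def rc4_suites(names):
    """Suites from the list that use RC4 (OpenSSL names contain 'RC4')."""
    return [n for n in names if "RC4" in n]


def without_rc4(cipher_string):
    """Append an exclusion so RC4 suites are removed from the expansion."""
    return cipher_string + ":!RC4"


def overlap(ours, peer):
    """Suites both sides support; an empty list means the handshake
    with that peer would fail (the interop risk raised above)."""
    return [n for n in ours if n in peer]


if __name__ == "__main__":
    default = expand(JABBERD2_DEFAULT)
    hardened = expand(without_rc4(JABBERD2_DEFAULT))
    print("default string enables %d suites, RC4 among them: %s"
          % (len(default), rc4_suites(default) or "none on this build"))
    print("with :!RC4 appended: %d suites, RC4 among them: %s"
          % (len(hardened), rc4_suites(hardened) or "none"))
    print("overlap with an RC4-only peer after hardening:",
          overlap(hardened, RC4_ONLY_PEER) or "none (handshake would fail)")
```
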
