On 15 October 2014 09:59, Christoph Gebhardt <[email protected]> wrote:
> Quoting Jonas Wielicki (2014-10-15 09:47:23)
>> I'm not confident that this attack is (like BEAST and CRIME) relevant
>> for XMPP.
>
> But is SSLv3 relevant in the XMPP world?
> In the web world this is a problem with ancient Internet Explorers on
> Windows XP machines, everything else supports TLS, at least according
> to ssllabs.com.
>
> Does anyone know of any XMPP client that needs the server to offer SSLv3?
I ran some stats on a few large public servers a while ago. There are quite a number of SSLv3 users still out there. It wasn't easy to get client versions, but one example is Trillian on Windows XP. There were also some old bots, and some mobile clients, and I think one of the proxy-based clients used it (IM+?).

I think the best way forward is to disable it and let them come out of the woodwork. We were planning to make this change in the next major Prosody release, as it's a bit invasive for a bugfix release. However I think this new development justifies it - SSLv3 just isn't an option if you want security, and I think we're at the point that it would be better to prevent these insecure clients from connecting than let them continue thinking everything is ok.

Regards,
Matthew
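An added check, not from this thread or from Prosody, that an operator can run against their own server after disabling SSLv3: it opens an XMPP client stream, negotiates STARTTLS by hand, then offers an SSLv3-only ClientHello and reports whether the server answers with a version 3.0 ServerHello (SSLv3 still offered) or an alert. The handshake is built from raw records because Python's `ssl` module no longer speaks SSLv3; the host, domain and cipher-suite list are assumptions.

```python
import os
import socket
import struct

SSLV3_SUITES = (0x002F, 0x0035, 0x000A, 0x0005)  # constructed sample of SSLv3-era suites


def build_sslv3_client_hello(suites=SSLV3_SUITES):
    """Return a minimal SSLv3 (version 3.0) ClientHello record; SSLv3 has no extensions."""
    version = b"\x03\x00"
    cipher_suites = b"".join(struct.pack("!H", s) for s in suites)
    body = (version + os.urandom(32) + b"\x00"              # random, empty session id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + b"\x01\x00")                                   # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16" + version + struct.pack("!H", len(handshake)) + handshake


def classify_server_response(data):
    """Classify the first record a server returns for an SSLv3 ClientHello."""
    if len(data) < 6:
        return "no-response"
    if data[0] == 0x16 and data[1:3] == b"\x03\x00" and data[5] == 0x02:
        return "sslv3-accepted"      # ServerHello at version 3.0: SSLv3 is still offered
    if data[0] == 0x15:
        return "rejected"            # alert record (handshake_failure / protocol_version)
    return "other"


def probe_xmpp_sslv3(host, domain, port=5222, timeout=5):
    """Open an XMPP client stream, negotiate STARTTLS, then offer only SSLv3."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(("<?xml version='1.0'?><stream:stream to='%s' xmlns='jabber:client' "
                      "xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>"
                      % domain).encode())
        features = b""
        while b"</stream:features>" not in features:
            chunk = sock.recv(4096)
            if not chunk:
                return "no-response"
            features += chunk
        if b"urn:ietf:params:xml:ns:xmpp-tls" not in features:
            return "no-starttls"
        sock.sendall(b"<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>")
        if b"<proceed" not in sock.recv(4096):
            return "no-starttls"
        sock.sendall(build_sslv3_client_hello())
        try:
            return classify_server_response(sock.recv(4096))
        except OSError:              # timeout or reset: server dropped the SSLv3 hello
            return "no-response"
```

A result of "rejected" or "no-response" is what you want after the change; "sslv3-accepted" means the old protocol is still being negotiated for clients like the ones counted above.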
