Re: [Operators] Please enable Forward Secrecy for your servers!

Mon, 27 Jul 2015 10:45:04 -0700

Had upgraded from Wheezy's ejabberd to Jessie's in a week the latter was released and can say that it was not that hard. Now ejabberd is relatively up-to-date and works great. The configuration format changed to YAML, but ejabberd is shipped with a conversion tool, which converts old config into a new format:
ejabberdctl convert_to_yaml /etc/ejabberd/ejabberd.cfg /etc/ejabberd/ejabberd.yml 


However, typically there are more, than just XMPP service is running on 
the server and all of that should be adapted to a new version of Debian 
too, which of course may seem difficult. None the less I suggest all of 
the users of Jessie to take your time and schedule the upgrade, it is 
worth it.


On 07/27/2015 08:22 PM, David Mohr wrote:

I second this a little bit.


In my case I need to upgrade from Debian wheezy to jessie to get PFS, 
so there is more work involved. And I'd expect a decent number of 
servers to be in the same situation. Jessie came out in April, so it's 
not brand new. But it is still fairly recent and you can't just expect 
everyone to have upgraded already.



On the other hand, there will never be a perfect time to make such a 
switch and I do appreciate the push for more security.


~David

On 2015-07-27 07:46, Eric Koldeweij wrote:

Yes, my server would be one of those who cannot reach jabber.ccc.de 
any more.
I did not get around to turning it on yet, I need a software upgrade 
for that.


I understand the need for extra security but enforcing it right away
without giving fellow operators time to upgrade as well will only hurt
the community. I thought I had until end of september for this.

Not happy.

Eric.

On 07/27/15 15:07, Peter Schwindt wrote:

Hi Mike,

On 07/10/2015 01:11 PM, Mike Barnes wrote:


Do you have any details on which client software and versions you've
tested, Mathias? I've been looking at doing this but I've been more
concerned about the client experience than s2s issues.

At jabber.ccc.de, I had (forcing Forward Secrecy for a week now) not a
single person experiencing (and messaging me about it) client issues.

But, and that's quite a lot more than Mathias observed, we're missing
about 1/3 of all the S2S connections.

Best,
Peter
























					Reply via email to