[Ach] question ejabberd

Adi Kriegisch adi at kriegisch.at
Fri Dec 13 18:04:41 CET 2013


> So, I have another question to the community of experts. How do I tell ejabberd to only use our cipher suite?
You can't... or wait, no, patch the source! ;-)
I asked the question in their forum[1] some months ago, and so did someone else[2].

The only real answer to that question comes from a recent Debian Security
Update[3], which showed that this is only possible by patching the sources.

Concerning the communication, that doesn't matter that much, as our
recommendation should be OTR (end-to-end security) anyway. So s2s should
not matter that much.
But client logins (c2s) should matter, and afaik there is no way to specify
different ciphers for c2s than those used for s2s. :-(

Upstream there is a commit dated Nov. 28th[4] allowing the user to specify
a cipher suite. No idea when this will land in distros.

-- Adi

[1] http://www.ejabberd.im/node/15120
[2] http://www.ejabberd.im/node/15486
[3] http://www.debian.org/security/2013/dsa-2775
[4] https://github.com/processone/ejabberd/commit/1dd94ac0d06822daa8c394ea2da20d91c8209124
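As an added illustration (not from Adi's message or the ejabberd project), this is the kind of configuration that a per-listener cipher option such as the one in the upstream commit[4] makes possible. It assumes the later ejabberd YAML config format with a `ciphers` option on the c2s listener and a global `s2s_ciphers` option; the cipher string and the certificate path are constructed placeholders, not the list's recommendation.

```yaml
# Added example, not from the post: ejabberd YAML config restricting TLS ciphers.
# Assumes the `ciphers` listener option and the global `s2s_ciphers` option
# (the feature the post's commit [4] refers to); check your ejabberd version.
listen:
  -
    port: 5222
    module: ejabberd_c2s
    starttls_required: true                 # refuse plaintext client logins
    certfile: "/etc/ejabberd/server.pem"    # placeholder path
    # Constructed OpenSSL cipher string: forward-secret suites only,
    # no anonymous, NULL, RC4, 3DES, export or low-strength suites.
    ciphers: "EECDH+AESGCM:EDH+AESGCM:EECDH+AES:EDH+AES:!aNULL:!eNULL:!RC4:!3DES:!EXP:!LOW"

# Server-to-server TLS is configured globally in the assumed syntax; the post
# notes that before this feature c2s and s2s could not get different ciphers.
s2s_use_starttls: required
s2s_ciphers: "EECDH+AESGCM:EDH+AESGCM:EECDH+AES:EDH+AES:!aNULL:!eNULL:!RC4:!3DES:!EXP:!LOW"
```

After a reload, a handshake attempt that only offers an excluded suite (e.g. `openssl s_client -starttls xmpp -connect host:5222 -cipher RC4`) should fail, confirming the restriction took effect.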