[Ach] Review needed for new ejabberd config

Max Maass max at velcommuta.de
Thu May 21 16:06:33 CEST 2015


While testing my ejabberd for the LogJam vulnerability, I noticed that
it negotiates 1024-bit keys. The current cipherstring is
"EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA",
as per the recommendations in the Guide (Cipher String B, page 67),
and the same cipher string is used in the config in the PR.

I am not quite clear on whether this is the fault of the cipher string
or the implementation of ejabberd. As far as I know, ejabberd uses
OpenSSL, which properly negotiates 4096-bit keys for my Apache web
server with a slightly different cipher string, namely:
EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384
EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4
EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4

I'd like to fix this problem, both for my own server and for the
config in the pull request. Does anyone have an idea what is going on
here and what would have to be changed to get ejabberd to use better
DH keys?

Thanks in advance,
Max

On 10.05.2015 12:25, Max Maass wrote:
> Hi,
> 
> In January, I created a PR (#90, [0]) with an updated ejabberd
> config, using the new config file syntax, in use for about a year
> now.
> 
> So far, the PR is lacking some more reviews by people familiar
> with ejabberd. If anyone is familiar with ejabberd, or knows
> someone who is, some more reviews would be appreciated so we can
> move the PR along. As far as I can tell, everything is fine with
> it, but since I wrote the PR, that's probably not the most reliable
> indicator. :)
> 
> Thanks in advance, Max
> 
> [0]
> https://github.com/BetterCrypto/Applied-Crypto-Hardening/pull/90 