We have an Openfire instance with a couple of Connection Manager instances pointing to the outside world in our DMZ. We hit a snag today when a routine PCI security scan noted that the Connection Manager allows ‘weak’ SSLv3 protocols to connect to it. Something like DES-CBC-SHA, which is only 56-bit, seems to work on port 5223, and I verified this with openssl s_client.
Is there a patch or modification out there that reduces the number of ciphers Connection Manager supports? It explicitly excludes SSLv1/2 in the code; however, there are still a number of low/medium grade ciphers in both of these standards.
If there is not a patch, can anyone point me in the right direction for changing the code in a useful way?
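
As an added example (not part of the original post and not Openfire or Connection Manager code): the standard JSSE call for narrowing what a listener will negotiate is `setEnabledCipherSuites`, which exists on `SSLEngine`, `SSLSocket` and `SSLServerSocket`. The class name, the marker list and the choice of what counts as weak are assumptions, and where the Connection Manager creates its TLS objects is not shown on the page.

```java
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class StrongCiphersOnly {
    // Assumed policy: substrings of JSSE suite names treated as low/medium grade.
    // "_DES_" matches SSL_RSA_WITH_DES_CBC_SHA (OpenSSL name: DES-CBC-SHA).
    private static final String[] WEAK_MARKERS = {
        "_NULL_", "_anon_", "_EXPORT_", "_DES_", "_3DES_", "_RC4_", "_RC2_", "_MD5"
    };

    static boolean isWeak(String suite) {
        for (String marker : WEAK_MARKERS) {
            if (suite.contains(marker)) {
                return true;
            }
        }
        return false;
    }

    // Keep only the suites that match none of the weak markers.
    static String[] strongSuites(String[] candidates) {
        List<String> keep = new ArrayList<>();
        for (String suite : candidates) {
            if (!isWeak(suite)) {
                keep.add(suite);
            }
        }
        return keep.toArray(new String[0]);
    }

    // Filter the engine's current defaults rather than everything it supports,
    // so suites the JDK already disables are not switched back on.
    static void harden(SSLEngine engine) {
        engine.setEnabledCipherSuites(strongSuites(engine.getEnabledCipherSuites()));
    }

    public static void main(String[] args) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        int before = engine.getEnabledCipherSuites().length;
        harden(engine);
        System.out.println("Enabled suites: " + before + " -> "
                + engine.getEnabledCipherSuites().length);
        for (String suite : engine.getEnabledCipherSuites()) {
            System.out.println("  " + suite);
        }
    }
}
```

After a change like this, repeating the openssl s_client check against port 5223 with the weak cipher should end in a handshake failure.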