after several updates I’m using Openfire 4.2.1 (openfire_4_2_1_bundledJRE.exe 32-bit, Includes 32-bit Java JRE). IM Observatory tells me the server is running fine but uses weak Diffie-Hellman parameters:
I understand the desire to get the ‘best’ score when running tests like these, but I do want to warn against blindly chasing down the top score. This is a trade-off between security and usability: requiring more security will make it harder for some software to connect.
Openfire, by default, takes most of its configuration for encryption from the Java Runtime Environment that is being used to run Openfire. I expect that the people that maintain that put a lot more effort than us into finding a balance between security and usability.
I’d not change the default settings unless there’s a very explicit need to do this. Instead, make sure that the JRE used to run Openfire is kept up-to-date!