powered by Jive Software

Server uses Diffie-Hellman parameters of < 2048 bits

Hi,

after several updates I’m using Openfire 4.2.1 (openfire_4_2_1_bundledJRE.exe 32-bit, Includes 32-bit Java JRE). IM Observatory tells me the server is running fine but uses weak Diffie-Hellman parameters:

https://check.messaging.one/result.php?domain=jabber.jloh.de&type=client

How can I avoid using weak crypto and pimp up my IM Observatory score?

Regards,
Jürgen

You can tweak which ciphers are enabled in Server Settings > Client Connections > Advanced configuration

I have difficulties to relate IM Observatory’s cyphers to Openfire ones clearly:

DHE-RSA-AES128-GCM-SHA256 (0x9e)
DHE-RSA-AES128-SHA256 (0x67)
DHE-RSA-AES128-SHA (0x33)

ECDHE-RSA-DES-CBC3-SHA (0xc012)
EDH-RSA-DES-CBC3-SHA (0x16)
DES-CBC3-SHA (0xa)

Is there a assignment list?

Can’t help with that. Openfire is probably pulling names from Java.

I found a list of Java ciphers. The hex codes like 0xc02f are the same as IM Observatory is using:

http://grepcode.com/file/repo1.maven.org/maven2/org.bouncycastle/bcprov-jdk15on/1.50/org/bouncycastle/crypto/tls/CipherSuite.java/

To pinp up my IM Observatory score to “A” I disabled all DHE and 3DES ciphers.

1 Like

I understand the desire to get the ‘best’ score when running tests like these, but I do want to warn against blindly chasing down the top score. This is a trade-off between security and usability: requiring more security will make it harder for some software to connect.

Openfire, by default, takes most of its configuration for encryption from the Java Runtime Environment that is being used to run Openfire. I expect that the people that put that maintain that put a lot more effort than us in finding a balance between security and usability.

I’d not change the default settings unless there’s a very explicit need to do this. Instead, make sure that the JRE used to run Openfire is kept up-to-date!