SSL 3.0 fallback vulnerability encounters to openfire/bouncycastle?

Hey,

here is my article on how to “fix” weak ciphers: https://alpha-labs.net/2014/12/openfire-and-ciphers/

Hope it helps.

Hi Christian,

thank you very much for your detailed post.

However, what do we do to disable SSLv3 without disabling all cipher suites that can be used with SSLv3 (because they are the same as the ones used with TLS 1.0 and 1.1, according to this post: Why doesn’t the TLS protocol work without the SSLv3 ciphersuites? - Information Security Stack Exchange)?

I added the following cipher suites to the list from your post:

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,

  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA,

  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA,

  • TLS_RSA_WITH_AES_128_CBC_SHA

After that the connection using openssl s_client -connect is no longer possible when forcing SSLv3, TLS 1.0 or TLS 1.1. It only works with TLS 1.2.

Thank you very much,

Florian.

PS: A list of cipher suites supported in Java 7 can be found here: http://docs.huihoo.com/java/javase/7/technotes/guides/security/SunProviders.html#SunJSSEProvider
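The distinction raised in the question above, as an added example that is not part of the thread and is not Openfire's code or the code from its pull requests: in JSSE the enabled protocol versions and the enabled cipher suites are two separate settings, so SSLv3 can be removed from the protocol list while the suite list stays as it is. The class name `DisableSslv3` and the use of the JVM's default `SSLContext` are assumptions made for illustration.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Hypothetical class name; illustration only, not Openfire code.
public class DisableSslv3 {

    // JSSE's name for the protocol version to drop.
    private static final String BLOCKED = "SSLv3";

    /** Returns the given protocol names minus SSLv3, refusing to return an empty set. */
    static String[] withoutSslv3(String[] protocols) {
        List<String> kept = new ArrayList<>();
        for (String p : protocols) {
            if (!BLOCKED.equals(p)) {
                kept.add(p);
            }
        }
        if (kept.isEmpty()) {
            // Fail loudly instead of handing JSSE an empty protocol list.
            throw new IllegalStateException("no TLS protocol left to enable");
        }
        return kept.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // Assumption: the JVM's default context stands in for the server's own.
        SSLContext ctx = SSLContext.getDefault();
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false); // act as the server side

        String[] suitesBefore = engine.getEnabledCipherSuites();

        // Only the protocol list is narrowed; the cipher suite list is not touched.
        engine.setEnabledProtocols(withoutSslv3(engine.getEnabledProtocols()));

        System.out.println("enabled protocols: "
                + Arrays.toString(engine.getEnabledProtocols()));
        System.out.println("cipher suites same as before: "
                + Arrays.equals(suitesBefore, engine.getEnabledCipherSuites()));
    }
}
```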

sm’s proposed patch is already in the code and you can download this build and test it Project-Windows-distribution-files

There were actually two Pull Requests.

The suggestion from this thread is not yet merged to master.

(https://github.com/igniterealtime/Openfire/pull/139)

It’s only for Admin Console (9090) and BOSH.

I did another Pull Request to handle the XMPP port 5222 (which is already merged):

If anybody is reading this, maybe somebody has suggestions for improvements on this!?

Note that in addition to other suggestions in this thread, Openfire supports configuration of TLS protocols and cipher suites (via the Admin Console) since the 4.0.0 release.

Right @Guus der Kinderen! Since my initial post is now two years old, much has changed. Maybe worth mentioning: if you would like to have strong(er) ciphers you have to manually add them. I downloaded the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 8 and replaced them with the default files within openfire/bin directory (running on Windows Server). After a quick restart of Openfire I was able to choose ciphers widely.

Absolutely! That’s not specific to Openfire though, but a generic Java challenge. The admin console makes note of it, if I recall correctly.