TLS encryption ciphers

I am trying to determine what ciphers Openfire uses in TLS-protected chat sessions, and to limit those ciphers to “strong” ciphers (such as those listed by openssl with "-tls HIGH:MEDIUM). The Openfire documentation and the discussion boards are silent about either of these questions…

this is specific to the web interface which uses the jetty web engine

I refered to two links (below) but they do not seem relevent

http://www.mirthproject.org/jira/browse/MIRTH-412

http://docs.codehaus.org/display/JETTY/SSL+Cipher+Suites

Is there any way that the weak ciphers (< 56) be blocked?

I too need to block LOW ciphers. Did anyone find a solution to this?

I too need to disable weak ciphers on our Openfire 3.6.4 box as we’re failing our PCI scan.

I’m not a developer by any means, but I think I have a very simple grasp on what might need to be done.

EDIT: yeah, i’m dumb. editing the source code isn’t what we need, it’s just to modify the JRE to accept only certain ciphers…haven’t gotten it working but I think I’m making forward progress.

If anyone has any input, I’d love to hear it as I have to come up with something to get our PCI scan to pass, otherwise we’ll have to find another IM server for our corporation.

Thanks.

WES,

You are right. This is a Java setting and not an Openfire configuration. I don’t remmeber the Java setting that you need to use right now but if you google it you will find it.

– Gato

Gato,

Thanks for the confirmation. I apologize for asking for more help, but I’m stumped.

Here’s what I’ve found and am trying so far:

Added to /etc/sysconfig/openfire:

OPENFIRE_OPTS="-Dcom.sun.management.config.file=/opt/openfire/jre/lib/management /management.properties"

contents of /opt/openfire/jre/lib/management/management.properties:

com.sun.management.jmxremote.ssl=true
com.sun.management.jmxremote.ssl.enabled.cipher.suites=SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA

Openfire starts successfully, but querying the server via the openssl client seems to show that LOW cipher strength is still enabled:

openssl s_client -connect :5223 -cipher EXP-RC4-MD5

CONNECTED(00000003)
depth=0 /CN=###############
verify error:num=18:self signed certificate
verify return:1
depth=0 /CN=##############
verify return:1

Certificate chain
0 s:/CN=#############
i:/CN=#############

Server certificate
-----BEGIN CERTIFICATE-----


-----END CERTIFICATE-----
subject=/CN=############
issuer=/CN=############

No client certificate CA names sent

SSL handshake has read 1061 bytes and written 216 bytes

New, TLSv1/SSLv3, Cipher is EXP-RC4-MD5
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : EXP-RC4-MD5
Session-ID: 4A69E6786097E402763AD630C0B6B8255F142FD33202D745616F82B2B73BCC54
Session-ID-ctx:
Master-Key: 05D7B6F220EDCD837776B6A334B90A6D703F2E371CA0D932E79D01BB82D46FFC1DFF3B5DBBF0352 ECF329A4BC2ADEF13
Key-Arg : None
Krb5 Principal: None
Start Time: 1248454264
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)

So, from what I can tell, port 5223 is still respondign to a 56bit cipher, which won’t fly for our PCI scans. If someone can point me in the right direction, it would be greatly appreciated. I have spent the last 5 hours working on this and while I’ve learned a great deal about SSL and JRE, I am still missing something.

Thanks,

Wes

My last post is completely wrong - management.properties is for the JMX monitoring service, not the JVM itself.

Back to square one…if anyone has some input, I’d appreciate it.

Bump, still looking to resolve this but am not making much progress…

OK, so I found a way to pass our scans and it was nothing other than a simple settings change within Openfire itself.

Go to Server Settings -> Security Settings -> Client Connection Security

Set TLS to REQUIRED, and DISABLE old SSL method.

Under Server Connection Security, we set security to Required.

That allowed us to pass our external PCI scan.

Hope this helps someone else out!

I too was looking for a solution to this problem and over the past couple of days only came up with one solution: Modify the code!

I followed the guide on this site on how to setup the build environment with the JDK and ANT.

http://www.igniterealtime.org/builds/openfire/docs/latest/documentation/source-b uild.html

After much searching and trial and error I found the file that needs to be modified: AdminConsolePlugin.java

(You can find this in the source code tree under .\src\java\org\jivesoftware\openfire\container )

I am attaching my modified copy. I made a couple changes but the most important is in the function “public void startup()

I created an array of ciphers I wanted to exclude from being enabled (apparently this is how Jetty works) as such:

String[] weakCiphers = {
“SSL_RSA_WITH_3DES_EDE_CBC_SHA”,
“SSL_DHE_RSA_WITH_DES_CBC_SHA”,
“SSL_DHE_DSS_WITH_DES_CBC_SHA”,
“SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA”,
“SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA”,
“SSL_RSA_WITH_DES_CBC_SHA”,
“SSL_RSA_EXPORT_WITH_RC4_40_MD5”,
“SSL_RSA_EXPORT_WITH_DES40_CBC_SHA”,
“SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA”,
“SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA”,
“SSL_RSA_WITH_NULL_MD5”,
“SSL_RSA_WITH_NULL_SHA”,
“SSL_DH_anon_WITH_3DES_EDE_CBC_SHA”,
“SSL_DH_anon_WITH_DES_CBC_SHA”,
“SSL_DH_anon_EXPORT_WITH_RC4_40_MD5”,
“SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA”
};

Then…a bit lower when the code creates it’s https connector, I call the setExcludeCipherSuites method and pass it my list of weak ciphers:

JiveSslConnector httpsConnector = new JiveSslConnector();

** httpsConnector.setExcludeCipherSuites(weakCiphers);**

With this change I saved the file and rebuilt the program using Ant (refer to those build instructions).

This recompiles all the source files and creates the jar files the program uses. They are placed into a “target” folder at the same level as the “src” folder.

The affected file is in openfire.jar so this is the file that needs to be replaced on the server (located in the lib sub-folder).

I replaced the original openfire.jar file with the my modified copy (while the software was shutdown of course) and viola, no more weak ciphers being reported by our PCI scans.

I know this post falls a little short of being a “how-to” but hopefully will help anyone really wanting to disable those darn weak ciphers so you can admin the software without going through hoops to access it.

**** Note**: I had to make this change for the web based admin console. For client connections follow wes’s advice above to make TLS required. **

Since Openfire is based on Jetty, why not just configure Jetty to disable the weak ciphers as described here?

http://wiki.eclipse.org/Jetty/Howto/CipherSuites#Disabling_Cipher_Suites

Christian,

Well it certainly does not surprise me that I took the long way around to accomplishing my goal. I took a look at the Jetty documentation and was wondering where that configuration would placed in relation to Openfire so that it could make use of it. The documentation refers to $JETTY_HOME/etc/jetty.xml.

Do you know which folder one would need to place that file?

Thanks!

We’re looking into it… It turns out that Openfire’s implementation of Jetty is rather well hidden… We are also going to try another alternative by forcing the cipher suites we want at the JVM level for example:

java -Dhttps.cipherSuites=TLS_RSA_WITH_AES_128_CBC_SHA

Christian,

I have been looking to set up my OpenFire server such that connections (admin and client) must use a certain cipher. Have you or anyone found a way to force the TLS connection to use a specific cipher?

Thanks

Kyle

Hi Kyle,

Unfortunately, we tried a number of approaches to restricting the cipher set to no avail. It would be nice if this was easily configurable…

Good luck!

Any luck on this?

I too would like to use the bosh port directly (an not use a proxy) but cannot due to PCI compliance fail on weak ciphers.

HttpBindmanager.java and AdminConsolePlugins seem to be the used classes. A simple fix could work:

String[] cipherSuites ={"SSL_RSA_WITH_RC4_128_MD5, ..."};
httpsConnector.setIncludeCipherSuites(cipherSuites); // HttpB... - deprecated
sslConnector.setIncludeCipherSuites(cipherSuites); // AdminC... - deprecated

According to the java documentation it would be better to configure the SSL engine like this:

javax.net.ssl.SSLEngine.setEnabledCipherSuites(cipherSuites);

Jeffk,

Unfortunately, after I got this information, my work was re-prioritized and I have not put any focus on this subject since. Furthermore, it looks like we are going to solve this encryption problem some other way, outside of Openfire.

LG,

Is that only for encrypting connections to the admin console? Or for all connections to/from the Openfire server? If the later, does it look like you could put in a “custom” ciphersuite?

Thanks,

Kyle

Just checking in to see if there is any update on this. I would love for my app to work natively with openfire and not have to go through an Apache Proxy.

Are weak cyphers still used in the latest openfire?

Any updates? I need to fix weak ciphers because of security scan failure.