
Unable to disable weak ciphers

Description

We have set up an Openfire Server with HTTP-Binding enabled but that has
caused us to fail a PCI Compliance Scan. In order to pass, we had to
disable HTTP-Binding.

The issue is tied to the Weak SSL Ciphers when enabling port 7443. I
cannot seem to locate any documentation about disabling certain SSL
Ciphers.

Environment

None

Acceptance Test - Entry

None

Activity

LG
January 21, 2012, 5:28 PM

see http://www.techstacks.com/howto/j2se5_ssl_cipher_strength.html - this should fix it:
// Each cipher suite must be its own array element.
String[] goodCiphers = {
    "SSL_RSA_WITH_RC4_128_MD5", "SSL_RSA_WITH_RC4_128_SHA", "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA", "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", "TLS_KRB5_WITH_RC4_128_MD5", "TLS_KRB5_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_KRB5_WITH_3DES_EDE_CBC_MD5", "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "TLS_DHE_DSS_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA"
};
socket.setEnabledCipherSuites(goodCiphers);
As the page is old, one may need to remove more ciphers, so a property may be fine. And another property for the admin page; there, too, the security scan may identify weak ciphers.
Are the old SSL ports still supported, or was support dropped as they are not really mentioned in the RFC ("It was common practice ... to use ports 5223 and 5270")?
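
The property-driven approach suggested in the comment above, as an added example that is not code from this ticket or from Openfire: it reads a comma-separated allow-list and enables only the names the JVM supports, because `setEnabledCipherSuites` throws `IllegalArgumentException` on an unsupported name. The property name `example.tls.ciphersuites` and the class name are hypothetical.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

public class CipherAllowList {
    // Hypothetical property name for this example; not an Openfire setting.
    static final String PROPERTY = "example.tls.ciphersuites";

    /** Enables only the suites named in csv that this JVM supports; returns the ignored names. */
    static List<String> apply(SSLServerSocket socket, String csv) {
        Set<String> supported = new LinkedHashSet<>(Arrays.asList(socket.getSupportedCipherSuites()));
        List<String> enabled = new ArrayList<>();
        List<String> ignored = new ArrayList<>();
        for (String name : csv.split(",")) {
            name = name.trim();
            if (name.isEmpty()) continue;
            // Filter first: an unsupported name would make setEnabledCipherSuites throw.
            if (!supported.contains(name)) {
                ignored.add(name);
            } else if (!enabled.contains(name)) {
                enabled.add(name);
            }
        }
        if (enabled.isEmpty()) {
            // Fail closed rather than silently keeping the JVM default suites.
            throw new IllegalStateException("no configured cipher suite is supported: " + ignored);
        }
        socket.setEnabledCipherSuites(enabled.toArray(new String[0]));
        return ignored;
    }

    public static void main(String[] args) throws Exception {
        SSLServerSocketFactory factory = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        try (SSLServerSocket socket = (SSLServerSocket) factory.createServerSocket(0)) {
            // Constructed sample value: two suites this JVM enables by default plus a bogus name.
            String[] defaults = socket.getEnabledCipherSuites();
            String csv = System.getProperty(PROPERTY, defaults[0] + ", NOT_A_REAL_SUITE, " + defaults[1]);
            List<String> ignored = apply(socket, csv);
            System.out.println("enabled: " + Arrays.toString(socket.getEnabledCipherSuites()));
            System.out.println("ignored: " + ignored);
        }
    }
}
```

Logging the ignored names at startup makes a typo in the property visible instead of leaving a listener with fewer suites than intended.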

Neustradamus
February 12, 2014, 9:50 PM

Do not forget that there are no 5223 and 5270 ports for XMPP.

There are:
5222 for C2S
5269 for S2S
5280 for BOSH (HTTP/HTTPS)

Daryl Herzmann
November 2, 2015, 5:14 PM

Given the SSL work that went into 3.10, I wonder if this ticket is relevant anymore...

Guus der Kinderen
January 5, 2016, 11:15 AM

I've added the requested functionality as part of OF-956.

Dave Cridland
January 6, 2016, 11:42 AM

Guus's patches in this area have fixed this one.

Assignee

Guus der Kinderen

Reporter

Daryl Herzmann

Expected Effort

None

Priority

Major