We have set up an Openfire Server with HTTP-Binding enabled but that has caused us to fail a PCI Compliance Scan. In order to pass, we had to disable HTTP-Binding.
The issue is tied to the Weak SSL Ciphers when enabling port 7443. I cannot seem to locate any documentation about disabling certain SSL Ciphers.
I've added the requested functionality as part of OF-956.
Daryl Herzmann November 2, 2015 at 5:14 PM
Given the SSL work that went into 3.10, I wonder if this ticket is relevant anymore...
Neustradamus February 12, 2014 at 9:50 PM
Edited
Do not forget that there are no 5223 and 5270 ports for XMPP.
There are: 5222 for C2S, 5269 for S2S, 5280 for BOSH (HTTP/HTTPS).
LG January 21, 2012 at 5:28 PM
see http://www.techstacks.com/howto/j2se5_ssl_cipher_strength.html - this should fix it:

    // socket is the SSLSocket / SSLServerSocket to harden; one string per suite
    String[] goodCiphers = {
        "SSL_RSA_WITH_RC4_128_MD5", "SSL_RSA_WITH_RC4_128_SHA",
        "SSL_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
        "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", "TLS_KRB5_WITH_RC4_128_MD5",
        "TLS_KRB5_WITH_RC4_128_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_KRB5_WITH_3DES_EDE_CBC_MD5", "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
        "TLS_RSA_WITH_AES_256_CBC_SHA"
    };
    socket.setEnabledCipherSuites(goodCiphers);

As the page is old one may need to remove more ciphers, so a property may be fine. And another property for the admin page, also there the security scan may identify weak ciphers. Are the old SSL ports still supported or was support dropped as they are not really mentioned in the RFC ("It was common practice ... to use ports 5223 and 5270")?
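The comment above suggests driving the enabled cipher suites from a property rather than a hard-coded array. The following is an added example of how that could look in Java; it is not Openfire's code and not LG's. The property name `xmpp.socket.ssl.ciphers` and the `WEAK` name pattern are assumptions for illustration. It also handles two things the inline snippet does not: names the JVM does not support (which would make `setEnabledCipherSuites` throw `IllegalArgumentException`) are skipped instead of crashing the listener, and suites a compliance scan typically flags (RC4, DES/3DES, MD5, NULL, anonymous, export) are dropped even if someone lists them in the property.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

/** Builds the list of cipher suites a server socket may enable, driven by a property. */
public class CipherSuiteFilter {

    // Hypothetical property name; any real Openfire key may differ.
    static final String PROPERTY = "xmpp.socket.ssl.ciphers";

    // Name fragments that compliance scanners commonly flag as weak.
    // Assumption: tune this to the findings in your own scan report.
    static final Pattern WEAK = Pattern.compile("NULL|anon|EXPORT|RC4|DES|MD5");

    /**
     * Returns the suites to enable: the configured allowlist (comma or whitespace
     * separated) intersected with what the JVM actually supports, minus weak ones.
     * A null or empty allowlist means "everything supported that is not weak".
     */
    static List<String> filter(String[] supported, String configured) {
        Set<String> supportedSet = new HashSet<>(Arrays.asList(supported));
        List<String> wanted;
        if (configured == null || configured.trim().isEmpty()) {
            wanted = Arrays.asList(supported);
        } else {
            wanted = Arrays.asList(configured.trim().split("[,\\s]+"));
        }
        List<String> enabled = new ArrayList<>();
        for (String suite : wanted) {
            if (!supportedSet.contains(suite)) {
                // Unknown names would make setEnabledCipherSuites throw
                // IllegalArgumentException, so skip them and say so.
                System.err.println("ignoring unsupported cipher suite: " + suite);
                continue;
            }
            if (WEAK.matcher(suite).find()) {
                System.err.println("dropping weak cipher suite: " + suite);
                continue;
            }
            enabled.add(suite);
        }
        return enabled;
    }

    /** Applies the filtered list to a server socket, refusing to run with nothing left. */
    static void apply(SSLServerSocket socket) {
        List<String> enabled = filter(socket.getSupportedCipherSuites(),
                                      System.getProperty(PROPERTY));
        if (enabled.isEmpty()) {
            throw new IllegalStateException("no acceptable cipher suite left to enable");
        }
        socket.setEnabledCipherSuites(enabled.toArray(new String[0]));
    }

    /** Prints what the default SSLContext would end up with, for a quick offline check. */
    public static void main(String[] args) throws Exception {
        SSLServerSocketFactory factory = SSLContext.getDefault().getServerSocketFactory();
        String[] supported = factory.getSupportedCipherSuites();
        List<String> enabled = filter(supported, System.getProperty(PROPERTY));
        System.out.println("Enabled " + enabled.size() + " of " + supported.length + " suites:");
        for (String suite : enabled) {
            System.out.println("  " + suite);
        }
    }
}
```

Running it with `-Dxmpp.socket.ssl.ciphers="TLS_DHE_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_MD5,BOGUS"` shows the RC4 suite being dropped and the unknown name being ignored; `apply` is what would be called where the 7443 (or admin console) server socket is created. The same filter works for a BOSH/Jetty connector or an `SSLEngine`, since both expose the same supported/enabled suite arrays.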