DH key parameters

Daniele Ricci
Added about 3 years ago

Hi all,

is there any way to set custom DH key parameters[1] on Tigase?

Thanks!

[1] https://weakdh.org/


Replies (8)

Added by Bartosz Malkowski TigaseTeam about 3 years ago

You can provide your own javax.net.ssl.SSLSocketFactory:

jaxmpp.getSessionObject().setUserProperty(SocketConnector.SSL_SOCKET_FACTORY_KEY, sslSocketFactory);

or I will add a way to call setEnabledCipherSuites() with an array of allowed ciphers (like TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, …)

If you choose gate two, please create a case in Redmine :-)

Added by Daniele Ricci about 3 years ago

Wait I'm talking about the server. Isn't jaxmpp a client-only library?

Added by Bartosz Malkowski TigaseTeam about 3 years ago

Damn!

Sorry, my mistake! I just worked with jaxmpp and I was thinking about jaxmpp still.

In Tigase Server just add to init.properties:

--hardened-mode=true

Added by Daniele Ricci about 3 years ago

I did, and it provided a safer alternative, still it got my results on ssllabs.com capped to B because the DH params were still too weak:

https://www.ssllabs.com/ssltest/analyze.html?d=beta.kontalk.net

I know it's a minor issue, I just wanted to know if there is something I could do by using just configuration.

Or... I can always hack into the code :)

Added by Bartosz Malkowski TigaseTeam about 3 years ago

We manipulate only lists of enabled cipher suites. Maybe the list is still too long?

Added by Daniele Ricci about 3 years ago

I'm sorry I expressed myself very badly.

I'm talking about DH key exchange parameters, also explained here:

https://weakdh.org/sysadmin.html

If you insert "beta.kontalk.net" and test it with that web tool, it says a 1024-bit DH group is not enough, and it recommends using a 2048-bit one.

However I can see from here [1] that I can set the number of bits with a system property. I'll try it and get back to you soon.

[1] http://stackoverflow.com/a/30406500/1045199

Added by Daniele Ricci about 3 years ago

The system property solved the issue.

You should recommend it or put it into the default tigase.conf file IMHO.

Thanks!
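The fix Daniele describes, and a way to verify it, as an added example that is not part of this thread or of the Tigase project. The thread only says "the system property"; the property assumed here is `jdk.tls.ephemeralDHKeySize`, a standard JDK 8+ property that controls the ephemeral DH group size. The `JAVA_OPTIONS` line in `tigase.conf` is assumed to be where Tigase's startup script reads JVM flags. The `dh_check` function classifies the `Server Temp Key:` line that `openssl s_client` prints against the 2048-bit minimum weakdh.org recommends; the sample output fed to it is constructed.

```shell
#!/bin/sh
# Added example (not from the thread or Tigase). Two pieces:
#  1. the JVM option that raises the ephemeral DH group size; jdk.tls.ephemeralDHKeySize
#     is a standard JDK 8+ property (assumed to be the one the thread refers to);
#  2. a check that reads the "Server Temp Key:" line from `openssl s_client` output
#     and reports whether the offered DH group meets a minimum size.

# Assumed: tigase.conf carries a JAVA_OPTIONS line that the start script passes to the JVM.
JAVA_OPTIONS_FIX='-Djdk.tls.ephemeralDHKeySize=2048'

# Read s_client output on stdin and classify the ephemeral key exchange.
# Exit status: 0 = acceptable (DH >= minimum, or ECDHE), 1 = weak DH group,
# 2 = no "Server Temp Key" line at all (handshake failed or non-ephemeral exchange).
# Usage: openssl s_client -connect host:port </dev/null 2>/dev/null | dh_check [min_bits]
dh_check() {
    min_bits=${1:-2048}
    line=$(grep 'Server Temp Key:' | head -n 1 || true)
    case "$line" in
        *'Temp Key: DH, '*)
            bits=${line#*DH, }      # "1024 bits"
            bits=${bits%% *}        # "1024"
            if [ "$bits" -lt "$min_bits" ]; then
                echo "WEAK: ephemeral DH group is $bits bits (< $min_bits); set $JAVA_OPTIONS_FIX"
                return 1
            fi
            echo "OK: ephemeral DH group is $bits bits"
            ;;
        *'Temp Key: ECDH, '*|*'Temp Key: X25519'*|*'Temp Key: X448'*)
            echo "OK: ECDHE key exchange, finite-field DH group size does not apply ($line)"
            ;;
        *)
            echo "NONE: no 'Server Temp Key' line; handshake failed or key exchange is not ephemeral"
            return 2
            ;;
    esac
}

# Constructed sample of the relevant s_client lines for a server that still
# offers a 1024-bit group, the situation the thread describes before the fix.
WEAK_SAMPLE='New, TLSv1.2, Cipher is DHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Server Temp Key: DH, 1024 bits'

printf '%s\n' "$WEAK_SAMPLE" | dh_check || :
```

Run the real check against the server after restarting Tigase with the option in place; a result of `OK` with a 2048-bit group (or an ECDHE line, which hardened mode's cipher list already prefers) is what removes the ssllabs.com cap mentioned earlier in the thread.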

Added by Artur Hefczyc TigaseTeam about 3 years ago

Thank you, added ticket for this: #3670