updating encryption protocols

Marc Jackson
Added 10 months ago

I'm running an old version of Tigase [5.1 or so] and I'm wondering if there's
a way to update the encryption protocols. A Nessus scan indicated a
vulnerability.


Replies (5)

Added by Wojciech Kapcia TigaseTeam 10 months ago

Marc Jackson wrote:

I'm running an old version of Tigase [5.1 or so] and I'm wondering if there's
a way to update the encryption protocols. A Nessus scan indicated a
vulnerability.

Hi,
could you share the exact version of Tigase and of the JVM used (as well as the flavour: OpenJDK or Oracle's)?

Added by Marc Jackson 10 months ago

Hi Wojciech,

Tigase XMPP (Jabber) server ver 5.1.0-beta8-b2937

java -version

java version "1.7.0_17"

Java(TM) SE Runtime Environment (build 1.7.0_17-b02)

Java HotSpot(TM) 64-Bit Server VM (build 23.7-b01, mixed mode)


From: support@tigase.net
Sent: Thursday, March 8, 2018 12:23 PM
Subject: [Tigase XMPP Server - Installation and maintenance - msg7612] RE: updating encryption protocols

Added by Wojciech Kapcia TigaseTeam 10 months ago

Marc Jackson wrote:

A nessus scan indicated a vulnerability.

Could you expound on the details of the vulnerability?

Let me start by recommending updating the software to a more recent version - 5.1.x was released quite a while ago. In version 5.2.0 we introduced --hardened-mode:

It turns off the workaround for SSL issues, turns off SSLv2 and forces enabling of more secure cipher suites. It also forces the requirement of StartTLS.
It also sports explicit configuration of the enabled protocols with the --tls-enabled-protocols=… configuration option.

As per Instructions to disable SSL v3.0 in Oracle JDK and JRE:

There is no general System or Security property to disable a specific protocol for applications using the javax.net.ssl.SSLSocket and javax.net.ssl.SSLEngine APIs (See below for one exception on the JDK 8 client side.)

Unfortunately, as you are using Java 1.7, the only way to change the available ciphers/protocols is to modify the sources.
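The last point above, that on Java 1.7 the protocols and cipher suites have to be restricted in the server's own code, illustrated with an added example that is neither Tigase's code nor taken from this thread: it trims an SSLEngine's enabled protocols to a TLS-only allow list (so SSLv2Hello and SSLv3 are never offered) and drops cipher suites that match a set of known-weak markers. The class name, the allow list and the marker list are my own assumptions; only the javax.net.ssl calls are standard JDK API.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

/** Hypothetical helper: restrict an SSLEngine to TLS-only protocols and non-weak suites. */
public final class TlsHardening {

    // Assumed allow list: SSLv2Hello and SSLv3 are deliberately absent.
    private static final List<String> ALLOWED_PROTOCOLS =
            Arrays.asList("TLSv1.2", "TLSv1.1", "TLSv1");

    // Assumed markers of cipher suites we refuse to negotiate (null, anonymous,
    // export-grade, RC4, single/triple DES, MD5-based).
    private static final String[] WEAK_SUITE_MARKERS = {
            "_NULL_", "_anon_", "_EXPORT_", "_RC4_", "_DES_", "3DES", "_MD5"
    };

    /** Keep only protocols on the allow list, preserving the engine's order. */
    static String[] selectProtocols(String[] supported) {
        List<String> out = new ArrayList<>();
        for (String p : supported) {
            if (ALLOWED_PROTOCOLS.contains(p)) out.add(p);
        }
        return out.toArray(new String[0]);
    }

    /** Drop any suite whose name contains a weak marker. */
    static String[] selectCipherSuites(String[] supported) {
        List<String> out = new ArrayList<>();
        for (String s : supported) {
            boolean weak = false;
            for (String m : WEAK_SUITE_MARKERS) weak |= s.contains(m);
            if (!weak) out.add(s);
        }
        return out.toArray(new String[0]);
    }

    /** Apply both filters to a freshly created server-side engine. */
    static SSLEngine harden(SSLEngine engine) {
        engine.setUseClientMode(false);
        engine.setEnabledProtocols(selectProtocols(engine.getSupportedProtocols()));
        engine.setEnabledCipherSuites(selectCipherSuites(engine.getSupportedCipherSuites()));
        return engine;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // default key/trust managers, enough for a demo
        SSLEngine engine = harden(ctx.createSSLEngine());
        System.out.println("Enabled protocols: " + Arrays.toString(engine.getEnabledProtocols()));
        System.out.println("Enabled cipher suites: " + engine.getEnabledCipherSuites().length);
    }
}
```

Running main on the affected JVM prints the protocol list the engine will actually offer, which is the same thing a scanner reports back; if SSLv3 is still listed, the filtering has not been applied where the server creates its engines.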

Added by Marc Jackson 10 months ago

Thanks for the information!
