On Friday, 9 August 2019 09:12:35 CEST Holger Weiß wrote:
> * Jonas Schäfer <[email protected]> [2019-08-08 19:14]:
> > I was contacted by someone @jabber.ru, but I cannot reply because the DH
> > key size used by their server for TLS is too small to be accepted by the
> > TLS libraries distributed with Debian stable.
>
> For what it's worth, the problem is not the OpenSSL library distributed
> with Debian (OpenSSL still accepts 512 bit DH keys), but Debian stable's
> restrictive default settings in /etc/ssl/openssl.cnf. Those settings
> also enforce TLSv1.2 and accept only a small set of ciphers, for
> example. While this may work for common (HTTP) use cases, it can of
> course easily lead to such backward compatibility issues for us (and
> others; there are various related issues in Debian's bug tracker). On the
> Debian systems I maintain, I therefore revert to OpenSSL's upstream
> defaults by changing the bottom of /etc/ssl/openssl.cnf to:
>
> [system_default_sect]
> MinProtocol = None
> CipherString = DEFAULT
>
> I'd prefer if a Linux distribution would only apply changes to upstream
> software required for integration with the rest of the operating system,
> rather than such policy enforcement ... :-/
Right. We had a discussion about this in conversations@ and Holger convinced me
that the public channels listed by muclumbus are more IRC-like and applying
strict ciphers to a listing of *public* rooms isn’t helping anyone.

Luckily, this is a separate xmppd on a separate box so it is trivial for me to
lower the requirements. As of now, the DH key size requirement is back to
normal (whatever that is) and I see connectivity to both jabber.ru and
jabber.org.

kind regards,
Jonas
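A worked example for the situation discussed above, added here; it is not part of the thread and not code from either server operator. It assumes OpenSSL 1.1.x on Debian 10 ("buster", stable at the time of the thread), whose /etc/ssl/openssl.cnf ends with `MinProtocol = TLSv1.2` and `CipherString = DEFAULT@SECLEVEL=2`: security level 2 is what makes the library refuse DH groups below 2048 bits, and the `MinProtocol = None` / `CipherString = DEFAULT` change quoted above drops both the protocol floor and the level-2 floor at once. The script shows how to see which DH group a peer actually sends (the probe needs network access, so nothing below calls it), how OpenSSL's security levels map to minimum DH sizes, and how to hand a relaxed config to one daemon through `OPENSSL_CONF` instead of editing the system-wide file. The function names, the path under /etc/xmppd and the sample "Server Temp Key" line are mine; the sample line is constructed, not captured from any real server.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes OpenSSL 1.1.x on
# Debian 10, where /etc/ssl/openssl.cnf sets
#   MinProtocol = TLSv1.2
#   CipherString = DEFAULT@SECLEVEL=2

# Ask an XMPP server which DH group it sends. The client side is pinned to
# TLS 1.2 (TLS 1.3 never prints a DH temp key), restricted to DHE suites and
# dropped to security level 0 so the handshake succeeds even against a
# 512-bit group; we only want to read the size, not to trust the session.
# Needs network access; not exercised by the test below.
probe_dh() {
    host=$1
    openssl s_client -connect "$host:5222" -starttls xmpp -xmpphost "$host" \
        -tls1_2 -cipher 'DHE:@SECLEVEL=0' </dev/null 2>/dev/null |
        grep 'Server Temp Key'
}

# Minimum DH group size OpenSSL accepts at a given security level, per
# SSL_CTX_set_security_level(3): 0 = no check, 1 = 80-bit security (1024-bit
# DH), 2 = 112-bit (2048), 3 = 128-bit (3072), 4 = 192-bit (7680),
# 5 = 256-bit (15360). Debian 10 ships level 2; upstream OpenSSL defaults to 1.
min_dh_bits() {
    case "$1" in
        0) echo 0 ;;
        1) echo 1024 ;;
        2) echo 2048 ;;
        3) echo 3072 ;;
        4) echo 7680 ;;
        5) echo 15360 ;;
        *) echo "unknown security level: $1" >&2; return 1 ;;
    esac
}

# Extract the group size from an s_client line such as
# "Server Temp Key: DH, 1024 bits" (prints nothing for ECDH/X25519 lines).
dh_bits_from_line() {
    printf '%s\n' "$1" | sed -n 's/.*Server Temp Key: DH, \([0-9][0-9]*\) bits.*/\1/p'
}

# Succeed (exit 0) when a DH group of $1 bits passes security level $2.
dh_accepted() {
    bits=$1
    level=$2
    min=$(min_dh_bits "$level") || return 2
    [ "$bits" -ge "$min" ]
}

# Write a stand-alone config that restores OpenSSL's upstream defaults.
# Point one daemon at it with OPENSSL_CONF=<file> (e.g. Environment= in its
# systemd unit) so the rest of the system keeps Debian's policy. The file
# carries only the TLS policy sections, so it is for library users, not for
# the `openssl req`/`ca` tools that need the other sections of the default file.
write_override_conf() {
    cat > "$1" <<'EOF'
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = None
CipherString = DEFAULT
EOF
}

# Example session (hypothetical host and path):
#   probe_dh xmpp.example.org          # -> Server Temp Key: DH, 1024 bits
#   dh_accepted 1024 2 || echo "rejected at Debian's level 2"
#   dh_accepted 1024 1 && echo "accepted at upstream's level 1"
#   write_override_conf /etc/xmppd/openssl-relaxed.cnf
#   OPENSSL_CONF=/etc/xmppd/openssl-relaxed.cnf /usr/sbin/xmppd
```

If a 1024-bit group is the only thing in the way, `CipherString = DEFAULT@SECLEVEL=1` in the override (upstream's own default level) is a smaller step than `DEFAULT`, which also re-enables suites that level 1 still rejects; only level 0 lets a 512-bit group through.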
