[Bug 71304] New: prefer PFS cipher suites and TLS 1.2; optionally disable SSLv3, SSLv2

bugzilla-daemon at freedesktop.org
Wed Nov 6 05:53:16 PST 2013


https://bugs.freedesktop.org/show_bug.cgi?id=71304

          Priority: medium
            Bug ID: 71304
          Keywords: love
          Assignee: telepathy-bugs at lists.freedesktop.org
           Summary: prefer PFS cipher suites and TLS 1.2; optionally
                    disable SSLv3, SSLv2
        QA Contact: telepathy-bugs at lists.freedesktop.org
          Severity: enhancement
    Classification: Unclassified
                OS: All
          Reporter: simon.mcvittie at collabora.co.uk
          Hardware: Other
            Status: NEW
           Version: git master
         Component: gabble
           Product: Telepathy

https://github.com/stpeter/manifesto/blob/master/manifesto.txt says:

o prefer the latest version of TLS (TLS 1.2)

o disable support for the older and less secure SSL standard
  (SSLv2 and SSLv3)

o provide configuration options to require channel encryption for
  client-to-server and server-to-server connections

o provide configuration options to prefer or require cipher
  suites that enable forward secrecy

We should do that.

For interop with defective corporate XMPP servers, we should probably offer a
boolean allow-ssl3 parameter, and perhaps an allow-ssl2 parameter too. They can
be off by default, hopefully.

I hope we won't need an allow-tls1.2 parameter (on by default) for interop with
servers that choke on that... but perhaps we will.

We'll eventually need allow-tls1.1 and allow-tls1.0 parameters, probably. While
we're adding things we might as well complete the set!

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.
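
One way the proposed allow-* booleans could map onto a TLS library's configuration, as an added example that is not Gabble's code and not part of the original report. It assumes a GnuTLS backend and builds a GnuTLS priority string; `tls_policy`, `build_priority` and `require_pfs` are hypothetical names, and GnuTLS has no SSLv2 protocol token, so allow-ssl2 has no counterpart here.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical policy mirroring the allow-* parameters proposed in the bug. */
struct tls_policy {
    bool allow_ssl3, allow_tls1_0, allow_tls1_1, allow_tls1_2;
    bool require_pfs;   /* drop static-RSA key exchange entirely */
};

/* Append src to dst (capacity cap); returns false instead of overflowing. */
static bool append(char *dst, size_t cap, const char *src)
{
    size_t used = strlen(dst), need = strlen(src);
    if (used + need + 1 > cap)
        return false;
    memcpy(dst + used, src, need + 1);
    return true;
}

/* Build a GnuTLS priority string; returns 0 on success, -1 if the policy
 * enables no protocol version or the buffer is too small. */
int build_priority(const struct tls_policy *p, char *out, size_t cap)
{
    /* Versions listed newest first, so TLS 1.2 is preferred when allowed. */
    const struct { bool on; const char *tok; } vers[] = {
        { p->allow_tls1_2, ":+VERS-TLS1.2" },
        { p->allow_tls1_1, ":+VERS-TLS1.1" },
        { p->allow_tls1_0, ":+VERS-TLS1.0" },
        { p->allow_ssl3,   ":+VERS-SSL3.0" },
    };
    size_t i, enabled = 0;

    if (cap == 0)
        return -1;
    out[0] = '\0';
    /* Start from NORMAL, clear every protocol version, re-add allowed ones. */
    if (!append(out, cap, "NORMAL:-VERS-TLS-ALL"))
        return -1;
    for (i = 0; i < sizeof vers / sizeof vers[0]; i++) {
        if (!vers[i].on)
            continue;
        if (!append(out, cap, vers[i].tok))
            return -1;
        enabled++;
    }
    if (enabled == 0)
        return -1;      /* refusing every version is a configuration error */
    /* Assumption: in NORMAL, RSA is the only non-forward-secret key exchange. */
    if (p->require_pfs && !append(out, cap, ":-RSA"))
        return -1;
    return 0;
}
```

The resulting string can be inspected with `gnutls-cli --list --priority <string>` before it is handed to `gnutls_priority_init`.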

