Majic Projects ~ [CLOSED] MAR-64 - [BACKPORT] Restrictive TLS configuration limits s2s connectivity for Prosody XMPP server

Majic Projects

Majic Ansible Roles

Projects
Wiki
- Quick links
- Wiki
- Project wikis
- Conntrackt
- Django Pydenticon
- Gimmecert
- Majic Ansible Roles
- Pydenticon
- Scripts
- Global content

Majic Ansible Roles / Closed Bug report MAR-64 [BACKPORT] Restrictive TLS configuration limits s2s connectivity for Prosody XMPP server

This issue has been closed with status "Closed" and resolution "RESOLVED".

- No additional actions available

Issue basics

Type of issue

Bug report Unknown issue type
Issue label

No label set
Category

Not determined
Targetted for

1.0.1 Not determined
Status

Closed

Status not determined
Progress
Priority

Not determined

Affected by this issue (1)

1.0.0
Unknown
- New
- Investigating
- Confirmed
- Not a bug
- Being worked on
- Near completion
- Ready for testing / QA
- Testing / QA
- Closed
- Postponed
- Done
- Fixed
- New
- Investigating
- Confirmed
- Not a bug
- Being worked on
- Near completion
- Ready for testing / QA
- Testing / QA
- Closed
- Postponed
- Done
- Fixed
- In progress
- Ready to test
- Resolved
- Reopened
- Open
- In progress
- Resolved
- Reopened
- Please wait...
Unconfirmed (1.0.0)

People involved

Posted by
branko (@branko)

Branko Majic
@branko

Last seen online at Apr 23, 2024 - 21:32

Show user details
Owned by

Not owned by anyone
Assigned to
branko (@branko)

Branko Majic
@branko

Last seen online at Apr 23, 2024 - 21:32

Show user details
Not assigned to anyone
Subscribers

1 subscriber(s)

Click here to show the list of subscribers

Times and dates

Posted at

Aug 29, 2016
Last updated

Aug 29, 2016
Estimated time

Not estimated
Time spent

No time spent

Click here to see time logged against this issue

Issue details

Resolution

RESOLVED Not determined
Reproducability

Often Not determined
Severity

Not determined

Attachments (0)

There is nothing attached to this issue

Child issues (0)

This issue does not have any child issues

Duplicate issues (0)

This issue does not have any duplicates

Show / hide more details »

Description

Due to the way Prosody TLS configuration has been hardened, it will often happen for outgoing and incoming s2s connections to fail - depending on how recent the remote server accessing/being accessed is old.

This is a big problem that could cause a lot of interoperability issues.

Unfortunately, until version 0.10 comes out, it is not possible to implement distinct protocol/cipher configuration per-c2s or per-s2s - it has to be done for both.

The only solution for now is to disable hardening altogether, and update documentation. Documentation should clearly reflect the fact that TLS has not been hardened, why it has not been hardened, and point to the fact that once Prosody 0.10 is out, it should be possible to harden it appropriately.

Steps to reproduce this issue

Set-up XMPP server via xmpp_server Ansible role.
Connect to the XMPP server via client.
Try to add a contact from a somewhat older server.

Todos (0 / 0)

Options

There are no comments

Welcome to The Bug Genie

Log in with your username and password