4

After validating my public XMPP service on xmpp.net, I got the error:

Warning: Server offers no forward-secret ciphers. Grade capped to A-.

Is there an easy way to enable these ciphers? As the title states, I have Debian Stable and ejabberd installed from its repository.

ADDITION

I've checked all the servers listed in https://xmpp.net/directory.php which have ejabberd installed with its build date 2011/12/24. This is Debian Wheezy's ejabberd obviously. The top score of any of these servers is A-/A-, so I believe it is really difficult to enable PFS for this software.

Neurotransmitter

2 Answers

3

There is no known possibility to restrict Debian 7 Wheezy's ejabberd 2.1.10 to use certain ciphers. The only solution is to upgrade to a more recent ejabberd version, Debian 8 Jessie's ejabberd 14.07 for example.

Neurotransmitter
1

Set the `ciphers` option to include only cipher suites with DHE in the name (Diffie-Hellman Ephemeral). For the full list of suites please have a look at https://serverfault.com/a/653656

References:

  1. http://docs.ejabberd.im/admin/guide/configuration/
  2. http://linux.die.net/man/1/openssl
Deer Hunter
  • Thanks for your answer, but `Debian Wheezy`'s (stable) `ejabberd` is of version 2.1.10, which [I believe](http://docs.dvo.ru/ejabberd-2.1.10/html/guide.html) doesn't have `ciphers` setting in its config file. – Neurotransmitter Apr 20 '15 at 14:23
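
The second answer selects suites by "DHE in the name"; the following Python code is an added example (not from either answer or from ejabberd) that applies that rule to a list of OpenSSL-style suite names, such as a scanner reports for a server, and builds the matching cipher list. It goes beyond the answer by also accepting ECDHE and OpenSSL's older `EDH-` spelling and by rejecting anonymous and weak suites; the function names and sample lists are constructed for illustration, and it assumes the `ciphers` option takes a colon-separated OpenSSL cipher list.

```python
# Added example: classify OpenSSL-style (TLS <= 1.2) suite names by key exchange.
FS_PREFIXES = ("ECDHE-", "DHE-", "EDH-")   # EDH- is OpenSSL's older spelling of DHE-
ANON_PREFIXES = ("ADH-", "AECDH-")         # ephemeral but unauthenticated
WEAK_TOKENS = {"EXP", "NULL", "RC4", "MD5"}


def key_exchange(suite):
    """Return 'weak', 'anon', 'fs' or 'static' for one suite name."""
    name = suite.strip().upper()
    if WEAK_TOKENS & set(name.split("-")):
        return "weak"        # never keep these, even when the key exchange is ephemeral
    if name.startswith(ANON_PREFIXES):
        return "anon"        # "DH" appears in the name, but no server authentication
    if name.startswith(FS_PREFIXES):
        return "fs"          # authenticated ephemeral (EC)DH: forward secret
    return "static"          # e.g. AES256-SHA: RSA key transport, no forward secrecy


def audit(offered):
    """Group offered suites; 'warning' mirrors the 'no forward-secret ciphers' check."""
    groups = {"fs": [], "anon": [], "static": [], "weak": []}
    for suite in offered:
        groups[key_exchange(suite)].append(suite)
    return {
        "groups": groups,
        "warning": not groups["fs"],
        # Colon-separated list containing only the forward-secret suites.
        "cipher_string": ":".join(groups["fs"]),
    }


# Constructed sample inputs (not measurements of any real server).
NO_PFS = ["AES256-SHA", "AES128-SHA", "DES-CBC3-SHA", "RC4-SHA"]
MIXED = [
    "ECDHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES128-SHA", "EDH-RSA-DES-CBC3-SHA",
    "ADH-AES128-SHA", "AES128-SHA", "ECDHE-RSA-RC4-SHA",
]

if __name__ == "__main__":
    for label, suites in (("no-pfs", NO_PFS), ("mixed", MIXED)):
        result = audit(suites)
        print(label, "warning:", result["warning"], "ciphers:", result["cipher_string"])
```
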