Hello,
We have upgraded the xmpp server on jit.si and now we have an A rating on
xmppnet:
https://xmpp.net/result.php?domain=jit.si&type=client
https://xmpp.net/result.php?domain=jit.si&type=server
Enjoy!
--
Yasen Pramatarov
sysadmin, https://jitsi.org
Hi Yasen,
Hello,
We have upgraded the xmpp server on jit.si and now we have an A rating on
xmppnet:
Just curious why you decided to leave SSlv3 enabled.
On 9 March 2015 at 06:45, Yasen Pramatarov <yasen@bluejimp.com> wrote:
Enjoy!
--
-------
inum: 883510009027723
sip: jungleboogie@sip2sip.info
xmpp: jungle-boogie@jit.si
interoperability
On Mon, Mar 9, 2015 at 9:12 PM, jungle Boogie <jungleboogie0@gmail.com> wrote:
Just curious why you decided to leave SSlv3 enabled.
--
Yasen Pramatarov
sysadmin, https://jitsi.org
It would probably be better to remove it. It might indeed entail a
small interop tradeoff but I don't think it would be a big deal.
Emil
On Tue, Mar 10, 2015 at 9:04 AM, Yasen Pramatarov <yasen@bluejimp.com> wrote:
On Mon, Mar 9, 2015 at 9:12 PM, jungle Boogie <jungleboogie0@gmail.com> > wrote:
Just curious why you decided to leave SSlv3 enabled.
interoperability
--
Yasen Pramatarov
sysadmin, https://jitsi.org_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users
Leaving SSLv3 on in 2015 for "interop." says a lot about the privacy and security goals of a project.
Am 10. März 2015 09:42:09 MEZ, schrieb Emil Ivov <emcho@jitsi.org>:
It would probably be better to remove it. It might indeed entail a
small interop tradeoff but I don't think it would be a big deal.Emil
On Tue, Mar 10, 2015 at 9:04 AM, Yasen Pramatarov <yasen@bluejimp.com> >wrote:
On Mon, Mar 9, 2015 at 9:12 PM, jungle Boogie ><jungleboogie0@gmail.com> >> wrote:
Just curious why you decided to leave SSlv3 enabled.
interoperability
--
Yasen Pramatarov
sysadmin, https://jitsi.org_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users
If that is true, then hammering on the subject right after we have
stated we will disable it says a lot about a person.
Emil
On Tue, Mar 10, 2015 at 11:15 AM, Axel Hübl <axel.huebl@web.de> wrote:
Leaving SSLv3 on in 2015 for "interop." says a lot about the privacy and security goals of a project.
Am 10. März 2015 09:42:09 MEZ, schrieb Emil Ivov <emcho@jitsi.org>:
It would probably be better to remove it. It might indeed entail a
small interop tradeoff but I don't think it would be a big deal.Emil
On Tue, Mar 10, 2015 at 9:04 AM, Yasen Pramatarov <yasen@bluejimp.com> >>wrote:
On Mon, Mar 9, 2015 at 9:12 PM, jungle Boogie >><jungleboogie0@gmail.com> >>> wrote:
Just curious why you decided to leave SSlv3 enabled.
interoperability
--
Yasen Pramatarov
sysadmin, https://jitsi.org_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users
... I wrote you about that 3 month ago on the list. And reminded you two times since then. Feel free to check the archives.
Am 10. März 2015 11:22:31 MEZ, schrieb Emil Ivov <emcho@jitsi.org>:
If that is true, then hammering on the subject right after we have
stated we will disable it says a lot about a person.Emil
On Tue, Mar 10, 2015 at 11:15 AM, Axel Hübl <axel.huebl@web.de> wrote:
Leaving SSLv3 on in 2015 for "interop." says a lot about the privacy
and security goals of a project.
Am 10. März 2015 09:42:09 MEZ, schrieb Emil Ivov <emcho@jitsi.org>:
It would probably be better to remove it. It might indeed entail a
small interop tradeoff but I don't think it would be a big deal.Emil
On Tue, Mar 10, 2015 at 9:04 AM, Yasen Pramatarov ><yasen@bluejimp.com> >>>wrote:
On Mon, Mar 9, 2015 at 9:12 PM, jungle Boogie >>><jungleboogie0@gmail.com> >>>> wrote:
Just curious why you decided to leave SSlv3 enabled.
interoperability
--
Yasen Pramatarov
sysadmin, https://jitsi.org_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users
You also wrote 21 minutes ago after I acknowledged we will disable it
... so not sure what the point of that was.
Emil
On Tue, Mar 10, 2015 at 11:31 AM, Axel Hübl <axel.huebl@web.de> wrote:
... I wrote you about that 3 month ago on the list. And reminded you two times since then. Feel free to check the archives.
Am 10. März 2015 11:22:31 MEZ, schrieb Emil Ivov <emcho@jitsi.org>:
If that is true, then hammering on the subject right after we have
stated we will disable it says a lot about a person.Emil
On Tue, Mar 10, 2015 at 11:15 AM, Axel Hübl <axel.huebl@web.de> wrote:
Leaving SSLv3 on in 2015 for "interop." says a lot about the privacy
and security goals of a project.
Am 10. März 2015 09:42:09 MEZ, schrieb Emil Ivov <emcho@jitsi.org>:
It would probably be better to remove it. It might indeed entail a
small interop tradeoff but I don't think it would be a big deal.Emil
On Tue, Mar 10, 2015 at 9:04 AM, Yasen Pramatarov >><yasen@bluejimp.com> >>>>wrote:
On Mon, Mar 9, 2015 at 9:12 PM, jungle Boogie >>>><jungleboogie0@gmail.com> >>>>> wrote:
Just curious why you decided to leave SSlv3 enabled.
interoperability
--
Yasen Pramatarov
sysadmin, https://jitsi.org_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users
Were did anyone say it is going to be disabled (finally)?
All I got was: "still on" - "interop" - "oh, probably we should remove it".
Yes, you should. Months ago when I wrote you about it. Also: xmpp.net still shows cert chain issues. Should be fixed, too 
Am 10. März 2015 11:39:01 MEZ, schrieb Emil Ivov <emcho@jitsi.org>:
You also wrote 21 minutes ago after I acknowledged we will disable it
... so not sure what the point of that was.Emil
On Tue, Mar 10, 2015 at 11:31 AM, Axel Hübl <axel.huebl@web.de> wrote:
... I wrote you about that 3 month ago on the list. And reminded you
two times since then. Feel free to check the archives.
Am 10. März 2015 11:22:31 MEZ, schrieb Emil Ivov <emcho@jitsi.org>:
If that is true, then hammering on the subject right after we have
stated we will disable it says a lot about a person.Emil
On Tue, Mar 10, 2015 at 11:15 AM, Axel Hübl <axel.huebl@web.de> >wrote:
Leaving SSLv3 on in 2015 for "interop." says a lot about the
privacy
and security goals of a project.
Am 10. März 2015 09:42:09 MEZ, schrieb Emil Ivov <emcho@jitsi.org>:
It would probably be better to remove it. It might indeed entail a
small interop tradeoff but I don't think it would be a big deal.Emil
On Tue, Mar 10, 2015 at 9:04 AM, Yasen Pramatarov >>><yasen@bluejimp.com> >>>>>wrote:
On Mon, Mar 9, 2015 at 9:12 PM, jungle Boogie >>>>><jungleboogie0@gmail.com> >>>>>> wrote:
Just curious why you decided to leave SSlv3 enabled.
interoperability
--
Yasen Pramatarov
sysadmin, https://jitsi.org_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users
Hello Axel,
it is great that you show some engagement concerning improvement of security.
However, do you really think that you are providing help to this project by using the online test of xmpp.net and then being reproachful? The tonality you are using is not really encouraging.
Thomas
Were did anyone say it is going to be disabled (finally)?
All I got was: "still on" - "interop" - "oh, probably we should remove it".
Yes, you should. Months ago when I wrote you about it. Also: xmpp.net still shows cert chain issues. Should be fixed, too
Am 10.03.2015 um 11:46 schrieb Axel Hübl <axel.huebl@web.de>:
Am 10. März 2015 11:39:01 MEZ, schrieb Emil Ivov <emcho@jitsi.org>:
You also wrote 21 minutes ago after I acknowledged we will disable it
... so not sure what the point of that was.Emil
On Tue, Mar 10, 2015 at 11:31 AM, Axel Hübl <axel.huebl@web.de> wrote:
... I wrote you about that 3 month ago on the list. And reminded you
two times since then. Feel free to check the archives.
Am 10. März 2015 11:22:31 MEZ, schrieb Emil Ivov <emcho@jitsi.org>:
If that is true, then hammering on the subject right after we have
stated we will disable it says a lot about a person.Emil
On Tue, Mar 10, 2015 at 11:15 AM, Axel Hübl <axel.huebl@web.de> > wrote:
Leaving SSLv3 on in 2015 for "interop." says a lot about the
privacy
and security goals of a project.
Am 10. März 2015 09:42:09 MEZ, schrieb Emil Ivov <emcho@jitsi.org>:
It would probably be better to remove it. It might indeed entail a
small interop tradeoff but I don't think it would be a big deal.Emil
On Tue, Mar 10, 2015 at 9:04 AM, Yasen Pramatarov >>> <yasen@bluejimp.com> >>>>> wrote:
On Mon, Mar 9, 2015 at 9:12 PM, jungle Boogie >>>>> <jungleboogie0@gmail.com> >>>>>> wrote:
Just curious why you decided to leave SSlv3 enabled.
interoperability
--
Yasen Pramatarov
sysadmin, https://jitsi.org_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users
_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users
Hey Thomas,
no hard feelings about that - my statement was meant to provoke so
someone finally change the few lines in the config.
The problem I want to highlight is the fact, that the jit.si community
puts a lot of awesome and great work into thousands of lines of code a
year, but changing the three lines in the server config of it's own
server does not happen in months, even if SSLv3 is incredible broken.
(Not talking about the idea to switch to TLS1.2 only.)
Since a lot of your users use the service at jit.si, a weakened setup
there weakens the overall security of the software and puts your users
at risk.
First report of mine (in a very encouraging language ):
January, 6th
-> dead end after Jan 9th
Reminder:
February, 12th
-> no response
I am sorry for the harsh language - a one-word answer from Yasen after
two reminders on the topic is simply not ideal (and I was responding to
that). But pls try to understand my argument, that putting a little more
effort in easy-to-change configs is actually necessary.
Axel
On 10.03.2015 11:58, Thomas Odorfer wrote:
Hello Axel,
it is great that you show some engagement concerning improvement of security.
However, do you really think that you are providing help to this project by using the online test of xmpp.net and then being reproachful? The tonality you are using is not really encouraging.Thomas
Am 10.03.2015 um 11:46 schrieb Axel Hübl <axel.huebl@web.de>:
Were did anyone say it is going to be disabled (finally)?
All I got was: "still on" - "interop" - "oh, probably we should remove it".
Yes, you should. Months ago when I wrote you about it. Also: xmpp.net still shows cert chain issues. Should be fixed, too
Am 10. März 2015 11:39:01 MEZ, schrieb Emil Ivov <emcho@jitsi.org>:
You also wrote 21 minutes ago after I acknowledged we will disable it
... so not sure what the point of that was.Emil
On Tue, Mar 10, 2015 at 11:31 AM, Axel Hübl <axel.huebl@web.de> wrote:
... I wrote you about that 3 month ago on the list. And reminded you
two times since then. Feel free to check the archives.
Am 10. März 2015 11:22:31 MEZ, schrieb Emil Ivov <emcho@jitsi.org>:
If that is true, then hammering on the subject right after we have
stated we will disable it says a lot about a person.Emil
On Tue, Mar 10, 2015 at 11:15 AM, Axel Hübl <axel.huebl@web.de> >> wrote:
Leaving SSLv3 on in 2015 for "interop." says a lot about the
privacy
and security goals of a project.
Am 10. März 2015 09:42:09 MEZ, schrieb Emil Ivov <emcho@jitsi.org>:
It would probably be better to remove it. It might indeed entail a
small interop tradeoff but I don't think it would be a big deal.Emil
On Tue, Mar 10, 2015 at 9:04 AM, Yasen Pramatarov >>>> <yasen@bluejimp.com> >>>>>> wrote:
On Mon, Mar 9, 2015 at 9:12 PM, jungle Boogie >>>>>> <jungleboogie0@gmail.com> >>>>>>> wrote:
Just curious why you decided to leave SSlv3 enabled.
interoperability
--
Yasen Pramatarov
sysadmin, https://jitsi.org
Axel,
We'd be happy to have your patch for the config lines you mention!
Emil
On Tuesday, March 10, 2015, Axel Hübl <axel.huebl@web.de> wrote:
Hey Thomas,
no hard feelings about that - my statement was meant to provoke so
someone finally change the few lines in the config.The problem I want to highlight is the fact, that the jit.si community
puts a lot of awesome and great work into thousands of lines of code a
year, but changing the three lines in the server config of it's own
server does not happen in months, even if SSLv3 is incredible broken.
(Not talking about the idea to switch to TLS1.2 only.)Since a lot of your users use the service at jit.si, a weakened setup
there weakens the overall security of the software and puts your users
at risk.First report of mine (in a very encouraging language
):
January, 6th
-> dead end after Jan 9thReminder:
February, 12th
-> no responseI am sorry for the harsh language - a one-word answer from Yasen after
two reminders on the topic is simply not ideal (and I was responding to
that). But pls try to understand my argument, that putting a little more
effort in easy-to-change configs is actually necessary.Axel
On 10.03.2015 11:58, Thomas Odorfer wrote:
> Hello Axel,
>
> it is great that you show some engagement concerning improvement of
security.
> However, do you really think that you are providing help to this project
by using the online test of xmpp.net and then being reproachful? The
tonality you are using is not really encouraging.
>
> Thomas
>
>
> Am 10.03.2015 um 11:46 schrieb Axel Hübl <axel.huebl@web.de
<javascript:;>>:
>
> Were did anyone say it is going to be disabled (finally)?
>
> All I got was: "still on" - "interop" - "oh, probably we should remove
it".
>
> Yes, you should. Months ago when I wrote you about it. Also: xmpp.net
still shows cert chain issues. Should be fixed, too
>
> Am 10. März 2015 11:39:01 MEZ, schrieb Emil Ivov <emcho@jitsi.org
<javascript:;>>:
>> You also wrote 21 minutes ago after I acknowledged we will disable it
>> ... so not sure what the point of that was.
>>
>> Emil
>>
>> On Tue, Mar 10, 2015 at 11:31 AM, Axel Hübl <axel.huebl@web.de > <javascript:;>> wrote:
>>> ... I wrote you about that 3 month ago on the list. And reminded you
>> two times since then. Feel free to check the archives.
>>>
>>> Am 10. März 2015 11:22:31 MEZ, schrieb Emil Ivov <emcho@jitsi.org
<javascript:;>>:
>>>> If that is true, then hammering on the subject right after we have
>>>> stated we will disable it says a lot about a person.
>>>>
>>>> Emil
>>>>
>>>> On Tue, Mar 10, 2015 at 11:15 AM, Axel Hübl <axel.huebl@web.de > <javascript:;>> > >> wrote:
>>>>> Leaving SSLv3 on in 2015 for "interop." says a lot about the
>> privacy
>>>> and security goals of a project.
>>>>>
>>>>> Am 10. März 2015 09:42:09 MEZ, schrieb Emil Ivov <emcho@jitsi.org
<javascript:;>>:
>>>>>> It would probably be better to remove it. It might indeed entail a
>>>>>> small interop tradeoff but I don't think it would be a big deal.
>>>>>>
>>>>>> Emil
>>>>>>
>>>>>> On Tue, Mar 10, 2015 at 9:04 AM, Yasen Pramatarov > >>>> <yasen@bluejimp.com <javascript:;>> > >>>>>> wrote:
>>>>>>> On Mon, Mar 9, 2015 at 9:12 PM, jungle Boogie > >>>>>> <jungleboogie0@gmail.com <javascript:;>> > >>>>>>> wrote:
>>>>>>>>
>>>>>>>> Just curious why you decided to leave SSlv3 enabled.
>>>>>>>
>>>>>>>
>>>>>>> interoperability
>>>>>>>
>>>>>>> --
>>>>>>> Yasen Pramatarov
>>>>>>> sysadmin, https://jitsi.org
>>>>>>>
--
--sent from my mobile
Great,
now I did read the parallel thread of Yasen:
This plus switching to OpenJDK8 allowed us to easier fix the
problems we had with weaker ciphers and certificate trust.
I understand your argument now Emil, sorry that looks dumb from my side!
I did only read:
Just curious why you decided to leave SSlv3 enabled.
interoperability
Keep up the good work and sorry again!
That's absolutely my fault, I did not see the announcement 15min earlier.
Axel
On 10.03.2015 11:01, Yasen Pramatarov wrote:
On Tue, Mar 10, 2015 at 9:04 AM, Yasen Pramatarov >>>>>>> wrote:
On Mon, Mar 9, 2015 at 9:12 PM, jungle Boogie >>>>>>>> wrote:
On 10.03.2015 13:19, Axel Hübl wrote:
Hey Thomas,
no hard feelings about that - my statement was meant to provoke so
someone finally change the few lines in the config.The problem I want to highlight is the fact, that the jit.si community
puts a lot of awesome and great work into thousands of lines of code a
year, but changing the three lines in the server config of it's own
server does not happen in months, even if SSLv3 is incredible broken.
(Not talking about the idea to switch to TLS1.2 only.)Since a lot of your users use the service at jit.si, a weakened setup
there weakens the overall security of the software and puts your users
at risk.First report of mine (in a very encouraging language
January, 6th
-> dead end after Jan 9thReminder:
February, 12th
-> no responseI am sorry for the harsh language - a one-word answer from Yasen after
two reminders on the topic is simply not ideal (and I was responding to
that). But pls try to understand my argument, that putting a little more
effort in easy-to-change configs is actually necessary.Axel
On 10.03.2015 11:58, Thomas Odorfer wrote:
Hello Axel,
it is great that you show some engagement concerning improvement of security.
However, do you really think that you are providing help to this project by using the online test of xmpp.net and then being reproachful? The tonality you are using is not really encouraging.Thomas
Am 10.03.2015 um 11:46 schrieb Axel Hübl <axel.huebl@web.de>:
Were did anyone say it is going to be disabled (finally)?
All I got was: "still on" - "interop" - "oh, probably we should remove it".
Yes, you should. Months ago when I wrote you about it. Also: xmpp.net still shows cert chain issues. Should be fixed, too
Am 10. März 2015 11:39:01 MEZ, schrieb Emil Ivov <emcho@jitsi.org>:
You also wrote 21 minutes ago after I acknowledged we will disable it
... so not sure what the point of that was.Emil
On Tue, Mar 10, 2015 at 11:31 AM, Axel Hübl <axel.huebl@web.de> wrote:
... I wrote you about that 3 month ago on the list. And reminded you
two times since then. Feel free to check the archives.
Am 10. März 2015 11:22:31 MEZ, schrieb Emil Ivov <emcho@jitsi.org>:
If that is true, then hammering on the subject right after we have
stated we will disable it says a lot about a person.Emil
On Tue, Mar 10, 2015 at 11:15 AM, Axel Hübl <axel.huebl@web.de> >>> wrote:
Leaving SSLv3 on in 2015 for "interop." says a lot about the
privacy
and security goals of a project.
Am 10. März 2015 09:42:09 MEZ, schrieb Emil Ivov <emcho@jitsi.org>:
It would probably be better to remove it. It might indeed entail a
small interop tradeoff but I don't think it would be a big deal.Emil
On Tue, Mar 10, 2015 at 9:04 AM, Yasen Pramatarov >>>>> <yasen@bluejimp.com> >>>>>>> wrote:
On Mon, Mar 9, 2015 at 9:12 PM, jungle Boogie >>>>>>> <jungleboogie0@gmail.com> >>>>>>>> wrote:
Just curious why you decided to leave SSlv3 enabled.
interoperability
--
Yasen Pramatarov
sysadmin, https://jitsi.org
Emil,
what about answering to the community: "we are looking into updating
that but our software currently does not support XYZ. Thanks for reporting."
All I got was
"It's on our tasklist, thanks for the reminder."
in January and the two other mails ignored, hard to interpret what is
causing the problems if it is not communicated
Axel
On 10.03.2015 13:22, Emil Ivov wrote:
Axel,
We'd be happy to have your patch for the config lines you mention!
Emil
On Tuesday, March 10, 2015, Axel Hübl <axel.huebl@web.de > <mailto:axel.huebl@web.de>> wrote:
Hey Thomas,
no hard feelings about that - my statement was meant to provoke so
someone finally change the few lines in the config.The problem I want to highlight is the fact, that the jit.si
<http://jit.si> community
puts a lot of awesome and great work into thousands of lines of code a
year, but changing the three lines in the server config of it's own
server does not happen in months, even if SSLv3 is incredible broken.
(Not talking about the idea to switch to TLS1.2 only.)Since a lot of your users use the service at jit.si <http://jit.si>,
a weakened setup
there weakens the overall security of the software and puts your users
at risk.First report of mine (in a very encouraging language
January, 6th
-> dead end after Jan 9thReminder:
February, 12th
-> no responseI am sorry for the harsh language - a one-word answer from Yasen after
two reminders on the topic is simply not ideal (and I was responding to
that). But pls try to understand my argument, that putting a little more
effort in easy-to-change configs is actually necessary.Axel
On 10.03.2015 11:58, Thomas Odorfer wrote:
> Hello Axel,
>
> it is great that you show some engagement concerning improvement
of security.
> However, do you really think that you are providing help to this
project by using the online test of xmpp.net <http://xmpp.net> and
then being reproachful? The tonality you are using is not really
encouraging.
>
> Thomas
>
>
> Am 10.03.2015 um 11:46 schrieb Axel Hübl <axel.huebl@web.de
<javascript:;>>:
>
> Were did anyone say it is going to be disabled (finally)?
>
> All I got was: "still on" - "interop" - "oh, probably we should
remove it".
>
> Yes, you should. Months ago when I wrote you about it. Also:
xmpp.net <http://xmpp.net> still shows cert chain issues. Should be
fixed, too
>
> Am 10. März 2015 11:39:01 MEZ, schrieb Emil Ivov <emcho@jitsi.org
<javascript:;>>:
>> You also wrote 21 minutes ago after I acknowledged we will disable it
>> ... so not sure what the point of that was.
>>
>> Emil
>>
>> On Tue, Mar 10, 2015 at 11:31 AM, Axel Hübl <axel.huebl@web.de > <javascript:;>> wrote:
>>> ... I wrote you about that 3 month ago on the list. And reminded you
>> two times since then. Feel free to check the archives.
>>>
>>> Am 10. März 2015 11:22:31 MEZ, schrieb Emil Ivov
<emcho@jitsi.org <javascript:;>>:
>>>> If that is true, then hammering on the subject right after we have
>>>> stated we will disable it says a lot about a person.
>>>>
>>>> Emil
>>>>
>>>> On Tue, Mar 10, 2015 at 11:15 AM, Axel Hübl <axel.huebl@web.de > <javascript:;>> > >> wrote:
>>>>> Leaving SSLv3 on in 2015 for "interop." says a lot about the
>> privacy
>>>> and security goals of a project.
>>>>>
>>>>> Am 10. März 2015 09:42:09 MEZ, schrieb Emil Ivov
<emcho@jitsi.org <javascript:;>>:
>>>>>> It would probably be better to remove it. It might indeed
entail a
>>>>>> small interop tradeoff but I don't think it would be a big deal.
>>>>>>
>>>>>> Emil
>>>>>>
>>>>>> On Tue, Mar 10, 2015 at 9:04 AM, Yasen Pramatarov > >>>> <yasen@bluejimp.com <javascript:;>> > >>>>>> wrote:
>>>>>>> On Mon, Mar 9, 2015 at 9:12 PM, jungle Boogie > >>>>>> <jungleboogie0@gmail.com <javascript:;>> > >>>>>>> wrote:
>>>>>>>>
>>>>>>>> Just curious why you decided to leave SSlv3 enabled.
>>>>>>>
>>>>>>>
>>>>>>> interoperability
>>>>>>>
>>>>>>> --
>>>>>>> Yasen Pramatarov
>>>>>>> sysadmin, https://jitsi.org
>>>>>>>--
--sent from my mobile_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users
my statement was meant to provoke so
someone finally change the few lines in the config.The problem I want to highlight is the fact, that the jit.si community
puts a lot of awesome and great work into thousands of lines of code a
year, but changing the three lines in the server config of it's own
server does not happen in months, even if SSLv3 is incredible broken.
(Not talking about the idea to switch to TLS1.2 only.)
Axel, i am a plain Jitsi user. I just wanted to thank you for your
attentiveness and persistence.
We all use Jitsi and not skype/eciga/etc MAINLY because of the security
issue. And if security is not important enough for the devs, then it is a
complete failure of the whole project whose main purpose is SECURITY. And
not just usability.
The security very important for the devs.
What happened is that I replied that the only reason I left sslv3 is
interoperability -- which I as a sysadmin care about not less than I care
about security. So Axel, everyone -- if you would like to blame someone,
please feel free blame me for that.
And right after that we decided to ditch sslv3, so there is really no
problem here. And as for the long period this issue has been reported, you
can also take it on the sysadmin for not managing to fix it on time. I mean
it, this took time -- and as I've said before, it's on my tasklist and I'm
sorry for the inconvenience and the delay.
Now SSLv3 should be disabled, I tested with openssl and testssl.sh from
another host and I'm waiting now for the xmpp.net test to be available
again (BTW someone is re-scheduling this test there all the time, pls don't
use this as an "is it online" check for our server)
On Tue, Mar 10, 2015 at 3:07 PM, Александр <afalex169@gmail.com> wrote:
We all use Jitsi and not skype/eciga/etc MAINLY because of the security
issue. And if security is not important enough for the devs, then it is a
complete failure of the whole project whose main purpose is SECURITY. And
not just usability.
--
Yasen Pramatarov
sysadmin, https://jitsi.org
the А> devs, then it is a complete failure of the whole project whose А> main purpose is SECURITY.
Out of interest, where is it stated on the jitsi.org that the /main/ purpose (i.e. not simply /a/ purpose) of Jitsi is security?
Alexis.
On 2015-03-11T00:07:02+1100, Александр <afalex169@gmail.com> said:
> We all use Jitsi and not skype/eciga/etc MAINLY because of the > security issue. And if security is not important enough for
Yansen,
thank you for upgrading the services!
Sorry again for the harsh words - of course they were solely for the
sysadmin >:)
I think xmpp.net is just a bit slow, I just posted it initially because
it's easier to link something than to post the noisy output of openssl.
Axel
On 10.03.2015 14:22, Yasen Pramatarov wrote:
On Tue, Mar 10, 2015 at 3:07 PM, Александр <afalex169@gmail.com > <mailto:afalex169@gmail.com>> wrote:
We all use Jitsi and not skype/eciga/etc MAINLY because of the
security issue. And if security is not important enough for the
devs, then it is a complete failure of the whole project whose
main purpose is SECURITY. And not just usability.The security very important for the devs.
What happened is that I replied that the only reason I left sslv3 is
interoperability -- which I as a sysadmin care about not less than I
care about security. So Axel, everyone -- if you would like to blame
someone, please feel free blame me for that.And right after that we decided to ditch sslv3, so there is really no
problem here. And as for the long period this issue has been reported,
you can also take it on the sysadmin for not managing to fix it on time.
I mean it, this took time -- and as I've said before, it's on my
tasklist and I'm sorry for the inconvenience and the delay.Now SSLv3 should be disabled, I tested with openssl and testssl.sh from
another host and I'm waiting now for the xmpp.net <http://xmpp.net> test
to be available again (BTW someone is re-scheduling this test there all
the time, pls don't use this as an "is it online" check for our server)--
Yasen Pramatarov
sysadmin, https://jitsi.org
Out of interest, where is it stated on the jitsi.org that the /main/
purpose (i.e. not simply /a/ purpose) of Jitsi is security?
oh come on!
zrtp. otr.Isnt enough for you?
Or should i bring quotations from forums?
This is trolling. And an attempt to change the topic. Instead of focusing
on solving the problem.
And no. I (and most of us) am not a programmer to make a patch for this
security issue. But this does'nt mean that Axel/the community should get
this sort of answers from devs like those he gets in this thread.
Nobody is trying to insult the devs. But there are some things that must be
done. One way or another.
When the man (Axel) is pointing to a clear problem associated with security
of Jitsi, there must be much more serious attitude. Which is expressed in
action. Here we see something very "strange". Therefore, Axel wrote about
the problem with indignation.
Yasen,
Thank you for your broad answer. Things are getting clearer now.
_________________
if you would like to blame someone, please feel free blame me for that
No, Yasen. I am not searching to blame anybody. I am searching to keep
Jitsi Safe. Like you do.