Security Bug Report
Richard Laager
rlaager at wiktel.com
Thu Aug 13 07:14:20 EDT 2015
I don't know who has handled this in the past, but I feel I'm reasonably
well-versed in this stuff from work, so I took a look at the situation
and made some small changes. I also responded directly to Sumit Jain,
who reported this.
I switched to the standard (RFC 3526) 2048-bit DH params for pidgin.im,
which is using lighttpd. If people feel like custom DH params are the
way to go, I did generate 2048-bit params on rock.pidgin.im and could
easily switch to those.
I can't upgrade the DH params on developer.pidgin.im, as Apache 2.2 does
not support it. We should probably look at upgrading nicobar, which
currently runs Debian Wheezy (which is now oldstable).
I also changed the SSL cipher lists to match the (without RC4)
suggestion here, which I believe is still the current best practice:
https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy
The difference between what we were running and that suggestion were
pretty minimal in practice. Basically, it means that a number of clients
will use AES GCM ciphers instead of AES CBC.
--
Richard
More information about the security
mailing list