4570 Views 9 Replies Latest reply: Sep 9, 2009 11:48 AM by glnarter
Theodore Wong Bronze 2 posts since
Feb 22, 2008

May 15, 2008 12:43 PM

TLS encryption ciphers

 

I am trying to determine what ciphers Openfire uses in TLS-protected chat sessions, and to limit those ciphers to "strong" ciphers (such as those listed by openssl with "-tls HIGH:MEDIUM"). The Openfire documentation and the discussion boards are silent about both of these questions...

 

 

  • IGA14302 Bronze 12 posts since
    Jan 23, 2007
    Oct 7, 2008 9:16 PM (in response to Theodore Wong)
    Re: TLS encryption ciphers

    This is specific to the web interface, which uses the Jetty web engine.

    I referred to two links (below) but they do not seem relevant:

    http://www.mirthproject.org/jira/browse/MIRTH-412

    http://docs.codehaus.org/display/JETTY/SSL+Cipher+Suites

     

    Is there any way that the weak ciphers (< 56) can be blocked?

  • BWH Bronze 1 posts since
    Oct 16, 2008
    Oct 16, 2008 12:09 PM (in response to Theodore Wong)
    Re: TLS encryption ciphers

    I too need to block LOW ciphers.  Did anyone find a solution to this?

  • wes Bronze 20 posts since
    Feb 13, 2006
    Jul 24, 2009 7:55 AM (in response to Theodore Wong)
    Re: TLS encryption ciphers

    I too need to disable weak ciphers on our Openfire 3.6.4 box as we're failing our PCI scan.

     

    I'm not a developer by any means, but I think I have a very simple grasp on what might need to be done.

     

    EDIT: Yeah, I'm dumb. Editing the source code isn't what we need; it's just a matter of modifying the JRE to accept only certain ciphers... haven't gotten it working, but I think I'm making forward progress.

     

    If anyone has any input, I'd love to hear it as I have to come up with something to get our PCI scan to pass, otherwise we'll have to find another IM server for our corporation.

     

    Thanks.

    • Gaston Dombiak Jiver 3,858 posts since
      Sep 26, 2001
      Jul 24, 2009 9:21 AM (in response to wes)
      Re: TLS encryption ciphers

      WES,

       

      You are right. This is a Java setting and not an Openfire configuration. I don't remember the Java setting that you need to use right now, but if you google it you will find it.

       

        -- Gato

      • wes Bronze 20 posts since
        Feb 13, 2006
        Jul 24, 2009 9:56 AM (in response to Gaston Dombiak)
        Re: TLS encryption ciphers

        Gato,

         

        Thanks for the confirmation.  I apologize for asking for more help, but I'm stumped.

         

        Here's what I've found and am trying so far:

         

        Added to /etc/sysconfig/openfire:

         

        OPENFIRE_OPTS="-Dcom.sun.management.config.file=/opt/openfire/jre/lib/management/management.properties"

         

        contents of /opt/openfire/jre/lib/management/management.properties:

         

        com.sun.management.jmxremote.ssl=true
        com.sun.management.jmxremote.ssl.enabled.cipher.suites=SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA

         

        Openfire starts successfully, but querying the server via the openssl client seems to show that LOW cipher strength is still enabled:

         

        # openssl s_client -connect <OPENFIRE IP ADDR>:5223 -cipher EXP-RC4-MD5

         

        CONNECTED(00000003)
        depth=0 /CN=###############
        verify error:num=18:self signed certificate
        verify return:1
        depth=0 /CN=##############
        verify return:1
        ---
        Certificate chain
        0 s:/CN=#############
           i:/CN=#############
        ---
        Server certificate
        -----BEGIN CERTIFICATE-----

        <snip>
        -----END CERTIFICATE-----
        subject=/CN=############
        issuer=/CN=############
        ---
        No client certificate CA names sent
        ---
        SSL handshake has read 1061 bytes and written 216 bytes
        ---
        New, TLSv1/SSLv3, Cipher is EXP-RC4-MD5
        Server public key is 1024 bit
        Compression: NONE
        Expansion: NONE
        SSL-Session:
            Protocol  : TLSv1
            Cipher    : EXP-RC4-MD5
            Session-ID: 4A69E6786097E402763AD630C0B6B8255F142FD33202D745616F82B2B73BCC54
            Session-ID-ctx:
            Master-Key: 05D7B6F220EDCD837776B6A334B90A6D703F2E371CA0D932E79D01BB82D46FFC1DFF3B5DBBF0352ECF329A4BC2ADEF13
            Key-Arg   : None
            Krb5 Principal: None
            Start Time: 1248454264
            Timeout   : 300 (sec)
            Verify return code: 18 (self signed certificate)
        ---

         

         

        So, from what I can tell, port 5223 is still responding to a 56-bit cipher, which won't fly for our PCI scans.  If someone can point me in the right direction, it would be greatly appreciated.  I have spent the last 5 hours working on this and while I've learned a great deal about SSL and the JRE, I am still missing something.

         

        Thanks,

        Wes

  • wes Bronze 20 posts since
    Feb 13, 2006
    Jul 30, 2009 5:34 AM (in response to Theodore Wong)
    Re: TLS encryption ciphers

    My last post is completely wrong - management.properties is for the JMX monitoring service, not the JVM itself.

     

    Back to square one...if anyone has some input, I'd appreciate it.

    • wes Bronze 20 posts since
      Feb 13, 2006
      Aug 18, 2009 6:41 AM (in response to wes)
      Re: TLS encryption ciphers
      Bump, still looking to resolve this but am not making much progress...
      • wes Bronze 20 posts since
        Feb 13, 2006
        Aug 20, 2009 1:30 PM (in response to wes)
        Re: TLS encryption ciphers

        OK, so I found a way to pass our scans and it was nothing other than a simple settings change within Openfire itself.

         

        Go to Server Settings -> Security Settings -> Client Connection Security

        Set TLS to REQUIRED, and DISABLE old SSL method.

         

        Under Server Connection Security, we set security to Required.

         

        That allowed us to pass our external PCI scan.

         

        Hope this helps someone else out!

      • glnarter Bronze 1 posts since
        Sep 9, 2009
        Sep 9, 2009 11:48 AM (in response to wes)
        Re: TLS encryption ciphers

        I too was looking for a solution to this problem and over the past couple of days only came up with one solution: Modify the code!

         

        I followed the guide on this site on how to setup the build environment with the JDK and ANT.

        http://www.igniterealtime.org/builds/openfire/docs/latest/documentation/source-build.html

         

        After much searching and trial and error I found the file that needs to be modified:  AdminConsolePlugin.java

        (You can find this in the source code tree under .\src\java\org\jivesoftware\openfire\container )

         

        I am attaching my modified copy.  I made a couple changes but the most important is in the function "public void startup()"

         

        I created an array of ciphers I wanted to exclude from being enabled (apparently this is how Jetty works) as such:

         

                String[] weakCiphers = {
                   "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
                   "SSL_DHE_RSA_WITH_DES_CBC_SHA",
                   "SSL_DHE_DSS_WITH_DES_CBC_SHA",
                   "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
                   "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
                   "SSL_RSA_WITH_DES_CBC_SHA",
                   "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
                   "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
                   "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
                   "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
                   "SSL_RSA_WITH_NULL_MD5",
                   "SSL_RSA_WITH_NULL_SHA",
                   "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",
                   "SSL_DH_anon_WITH_DES_CBC_SHA",
                   "SSL_DH_anon_EXPORT_WITH_RC4_40_MD5",
                   "SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA"
                   };

         

         

        Then, a bit lower, when the code creates its HTTPS connector, I call the setExcludeCipherSuites method and pass it my list of weak ciphers:

         

             JiveSslConnector httpsConnector = new JiveSslConnector();
             httpsConnector.setExcludeCipherSuites(weakCiphers);

         

         

        With this change I saved the file and rebuilt the program using Ant (refer to those build instructions).

        This recompiles all the source files and creates the jar files the program uses.  They are placed into a "target" folder at the same level as the "src" folder.

         

        The affected file is in openfire.jar so this is the file that needs to be replaced on the server (located in the lib sub-folder).

         

        I replaced the original openfire.jar file with my modified copy (while the software was shut down, of course) and voilà, no more weak ciphers being reported by our PCI scans.

         


        I know this post falls a little short of being a "how-to", but hopefully it will help anyone really wanting to disable those darn weak ciphers so you can admin the software without going through hoops to access it.

         

         

        ** Note:  I had to make this change for the web based admin console.  For client connections follow wes's advice above to make TLS required. **
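        As an added example (not Openfire's or Jetty's own code, and not from any poster above), the following generalises glnarter's hand-written exclude list and ties it to the openssl check wes ran: instead of naming each weak suite, it derives the exclusion from the JVM's own supported-suite names and applies it through setEnabledCipherSuites, the JSSE call that Jetty's setExcludeCipherSuites ultimately relies on. The class name and the marker pattern are assumptions of this example.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

public class StrongCipherFilter {

    // Hypothetical marker list for this example: a suite is treated as weak
    // when its JSSE name carries any of these, which covers every entry in
    // glnarter's weakCiphers array (NULL, export-grade, anonymous DH, DES,
    // 3DES) plus the RC4/MD5 suites wes's openssl check still negotiated.
    private static final Pattern WEAK =
        Pattern.compile("_(NULL|EXPORT|anon|3DES|DES|RC4|MD5)(_|$)");

    public static boolean isWeak(String suite) {
        return WEAK.matcher(suite).find();
    }

    // Filters a supported-suite list down to the strong ones, order kept.
    public static String[] strongOnly(String[] supported) {
        List<String> keep = new ArrayList<>();
        for (String s : supported) {
            if (!isWeak(s)) keep.add(s);
        }
        return keep.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // Start from what this JVM actually supports rather than a fixed list,
        // so a JRE update that ships additional weak suites is still covered.
        SSLContext ctx = SSLContext.getDefault();
        String[] supported = ctx.getSupportedSSLParameters().getCipherSuites();
        String[] strong = strongOnly(supported);
        for (String s : supported) {
            if (isWeak(s)) System.out.println("excluded: " + s);
        }
        // A listener built this way (port 0 here, 5223 on a real server) will
        // refuse a client that offers only EXP-RC4-MD5, as in wes's test.
        SSLServerSocketFactory factory = ctx.getServerSocketFactory();
        try (SSLServerSocket ss = (SSLServerSocket) factory.createServerSocket(0)) {
            ss.setEnabledCipherSuites(strong);
            System.out.println("enabled: " + Arrays.toString(ss.getEnabledCipherSuites()));
        }
    }
}
```

        Re-running wes's `openssl s_client -cipher EXP-RC4-MD5` against such a listener should then fail the handshake instead of printing `Cipher is EXP-RC4-MD5`.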
