How to improve score at IM Observatory?

Openfire Openfire Support
1

Using https://xmpp.net/ (currently / temporarily at https://check.messaging.one/ )

I’m getting an 80 for Key Exchange Score, a 95 for Protocol Score, and a 50 for Cipher Score

Overall Questions:

How can I improve these scores?

And should I really care about these results?

Results from test:

1. No DNSSEC for my SRV records. However, I verified this with namecheap (my registrar and DNS provider) and they said they confirmed the SRV records are returning DNSSEC. Who do I believe?

2. Key Exchange Score: The test seems to give me no feedback on why my Key Exchange Score was only 80. I click on the score and it takes me to look at my Certificates, but my Certificate Score is 100, and there are no flags among the certficates shown. Oh well.

3. Protocol Score: I’m supporting TLS v1 and apparently I shouldn’t be. Can I turn this off in Openfire? Is there a compelling reason to leave it on?

4. Cipher Score: My cipher situation seems to be my main problem (as reflected by my abysmal cipher score). As I interpret the following chart, green is good, grey is meh, orange is bad, and red is really bad.

Cipher suite
Bitsize
Forward secrecy
Info
ECDHE-RSA-AES128-GCM-SHA256(0xc02f)
128
Yes
Curve: prime256v1
ECDHE-RSA-AES128-SHA256(0xc027)
128
Yes
Curve: prime256v1
ECDHE-RSA-AES128-SHA (0xc013)
128
Yes
Curve: prime256v1
DHE-RSA-AES128-GCM-SHA256(0x9e)
128
Yes
Diffie-Hellman:
Group: RFC 2409 First Oakley Default Group
Bitsize: 1024
DHE-RSA-AES128-SHA256 (0x67)
128
Yes
Diffie-Hellman:
Group: RFC 2409 First Oakley Default Group
Bitsize: 1024
DHE-RSA-AES128-SHA (0x33)
128
Yes
Diffie-Hellman:
Group: RFC 2409 First Oakley Default Group
Bitsize: 1024
AES128-GCM-SHA256 (0x9c)
128
No

AES128-SHA256 (0x3c)
128
No

AES128-SHA (0x2f)
128
No

ECDHE-RSA-DES-CBC3-SHA(0xc012) WEAK
112
Yes
Curve: prime256v1
EDH-RSA-DES-CBC3-SHA (0x16)WEAK
112
Yes
Diffie-Hellman:
Group: RFC 2409 First Oakley Default Group
Bitsize: 1024
DES-CBC3-SHA (0xa) WEAK
112
No

Note: I’m running Openfire 4.1.5, but it is an upgrade from 3.10.2. Could this be a legacy from upgrading from the older version?

Note2: My clients use the following jabber clients:

** Spark** on Windows,

** Spark** or Apple Messages on macOS,

** Xabber** on Android,

** JabberB** on iOS

I mention this because perhaps some clients don’t support certain ciphers.

How can I fix these “problems”?

2

This can be controlled from Main Bar> Server

Sub-bar >Server Settings > Server to Server > advanced configuration link

http://localhost:9090/connection-settings-advanced.jsp?connectionType=SOCKET_S2S &connectionMode=plain

and here for client connections

Server Settings > Client Connections > advanced configuration link

http://localhost:9090/connection-settings-advanced.jsp?connectionType=SOCKET_C2S &connectionMode=plain

From there you can select your protocols and cipher suites