How to improve score at IM Observatory?

Question asked by Daniel Castellanos on Sep 5, 2017
Latest reply on Sep 5, 2017 by speedy

Using (currently / temporarily at )


I'm getting an 80 for Key Exchange Score, a 95 for Protocol Score, and a 50 for Cipher Score


Overall Questions:

How can I improve these scores?

And should I really care about these results?


Results from test:


1. No DNSSEC for my SRV records. However, I verified this with Namecheap (my registrar and DNS provider) and they said they confirmed the SRV records are returning DNSSEC. Who do I believe?


2. Key Exchange Score: The test seems to give me no feedback on why my Key Exchange Score was only 80. I click on the score and it takes me to look at my Certificates, but my Certificate Score is 100, and there are no flags among the certificates shown. Oh well.


3. Protocol Score: I'm supporting TLS v1 and apparently I shouldn't be.  Can I turn this off in Openfire?  Is there a compelling reason to leave it on?


4. Cipher Score: My cipher situation seems to be my main problem (as reflected by my abysmal cipher score).  As I interpret the following chart, green is good, grey is meh, orange is bad, and red is really bad.


| Cipher suite | Bitsize | Forward secrecy | Info |
|---|---|---|---|
| ECDHE-RSA-AES128-GCM-SHA256 (0xc02f) | 128 | Yes | Curve: prime256v1 |
| ECDHE-RSA-AES128-SHA256 (0xc027) | 128 | Yes | Curve: prime256v1 |
| ECDHE-RSA-AES128-SHA (0xc013) | 128 | Yes | Curve: prime256v1 |
| | | | Group: RFC 2409 First Oakley Default Group, Bitsize: 1024 |
| DHE-RSA-AES128-SHA256 (0x67) | 128 | Yes | Diffie-Hellman: Group: RFC 2409 First Oakley Default Group, Bitsize: 1024 |
| DHE-RSA-AES128-SHA (0x33) | 128 | Yes | Diffie-Hellman: Group: RFC 2409 First Oakley Default Group, Bitsize: 1024 |
| AES128-GCM-SHA256 (0x9c) | 128 | No | - |
| AES128-SHA256 (0x3c) | 128 | No | - |
| AES128-SHA (0x2f) | 128 | No | - |
| ECDHE-RSA-DES-CBC3-SHA (0xc012) WEAK | 112 | Yes | Curve: prime256v1 |
| EDH-RSA-DES-CBC3-SHA (0x16) WEAK | 112 | Yes | Diffie-Hellman: Group: RFC 2409 First Oakley Default Group, Bitsize: 1024 |
| DES-CBC3-SHA (0xa) WEAK | 112 | No | - |

Note: I'm running Openfire 4.1.5, but it is an upgrade from 3.10.2.  Could this be a legacy from upgrading from the older version?

Note2: My clients use the following jabber clients:

               Spark on Windows,

               Spark or Apple Messages on macOS,

               Xabber on Android,

               JabberB on iOS

     I mention this because perhaps some clients don't support certain ciphers.


How can I fix these "problems"?
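
Added example (not part of the original question, and not code from Openfire or the IM Observatory): a small Python triage of the cipher table above that lists, per suite, the reasons it is worth reviewing. The three rules and the `MIN_DH_BITS` threshold are assumptions chosen for illustration; they are not the Observatory's scoring algorithm.

```python
import re

# Rows transcribed from the cipher table in the question (suite | bits | FS | info).
# The group/bitsize lines that follow the 0xc013 row name no suite and are omitted.
SCAN = """\
ECDHE-RSA-AES128-GCM-SHA256 (0xc02f) | 128 | Yes | Curve: prime256v1
ECDHE-RSA-AES128-SHA256 (0xc027) | 128 | Yes | Curve: prime256v1
ECDHE-RSA-AES128-SHA (0xc013) | 128 | Yes | Curve: prime256v1
DHE-RSA-AES128-SHA256 (0x67) | 128 | Yes | Diffie-Hellman: Group: RFC 2409 First Oakley Default Group, Bitsize: 1024
DHE-RSA-AES128-SHA (0x33) | 128 | Yes | Diffie-Hellman: Group: RFC 2409 First Oakley Default Group, Bitsize: 1024
AES128-GCM-SHA256 (0x9c) | 128 | No | -
AES128-SHA256 (0x3c) | 128 | No | -
AES128-SHA (0x2f) | 128 | No | -
ECDHE-RSA-DES-CBC3-SHA (0xc012) WEAK | 112 | Yes | Curve: prime256v1
EDH-RSA-DES-CBC3-SHA (0x16) WEAK | 112 | Yes | Diffie-Hellman: Group: RFC 2409 First Oakley Default Group, Bitsize: 1024
DES-CBC3-SHA (0xa) WEAK | 112 | No | -
"""

MIN_DH_BITS = 2048  # assumed triage threshold, not an IM Observatory value

def parse(text):
    """Parse each row into a dict, pulling the DH group size out of the info column."""
    rows = []
    for line in text.strip().splitlines():
        suite, bits, fs, info = (c.strip() for c in line.split("|"))
        m = re.fullmatch(r"(\S+) \((0x[0-9a-f]+)\)( WEAK)?", suite)
        dh = re.search(r"Diffie-Hellman:.*Bitsize: (\d+)", info)
        rows.append({"name": m.group(1), "id": int(m.group(2), 16),
                     "weak": bool(m.group(3)), "fs": fs == "Yes",
                     "dh_bits": int(dh.group(1)) if dh else None})
    return rows

def triage(rows):
    """Map suite name -> list of reasons to review it (an empty list means keep)."""
    report = {}
    for r in rows:
        why = []
        if r["weak"]:
            why.append("marked WEAK in the scan (3DES, 112-bit)")
        if not r["fs"]:
            why.append("no forward secrecy")
        if r["dh_bits"] is not None and r["dh_bits"] < MIN_DH_BITS:
            why.append(f"{r['dh_bits']}-bit DH group")
        report[r["name"]] = why
    return report

if __name__ == "__main__":
    for name, why in triage(parse(SCAN)).items():
        print(f"{'KEEP   ' if not why else 'REVIEW '}{name}: {'; '.join(why) or 'ok'}")
```

Before disabling any suite the script marks for review, check it against what the clients listed in the question can negotiate.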