1 Reply Latest reply on Sep 5, 2017 9:12 PM by speedy

    How to improve score at IM Observatory?

    Daniel Castellanos

      Using https://xmpp.net/ (currently / temporarily at https://check.messaging.one/ )

       

      I'm getting an 80 for Key Exchange Score, a 95 for Protocol Score, and a 50 for Cipher Score

       

      Overall Questions:

      How can I improve these scores?

      And should I really care about these results?

       

      Results from test:

       

      1. No DNSSEC for my SRV records.  However, I verified this with namecheap (my registrar and DNS provider) and they said they confirmed the SRV records are returning DNSSEC.  Who do I believe?

       

      2. Key Exchange Score: The test seems to give me no feedback on why my Key Exchange Score was only 80.  I click on the score and it takes me to look at my Certificates, but my Certificate Score is 100, and there are no flags among the certificates shown.  Oh well.

       

      3. Protocol Score: I'm supporting TLS v1 and apparently I shouldn't be.  Can I turn this off in Openfire?  Is there a compelling reason to leave it on?

       

      4. Cipher Score: My cipher situation seems to be my main problem (as reflected by my abysmal cipher score).  As I interpret the following chart, green is good, grey is meh, orange is bad, and red is really bad.

       

      | Cipher suite | Bitsize | Forward secrecy | Info |
      |---|---|---|---|
      | ECDHE-RSA-AES128-GCM-SHA256 (0xc02f) | 128 | Yes | Curve: prime256v1 |
      | ECDHE-RSA-AES128-SHA256 (0xc027) | 128 | Yes | Curve: prime256v1 |
      | ECDHE-RSA-AES128-SHA (0xc013) | 128 | Yes | Curve: prime256v1 |
      | DHE-RSA-AES128-GCM-SHA256 (0x9e) | 128 | Yes | Diffie-Hellman: Group: RFC 2409 First Oakley Default Group; Bitsize: 1024 |
      | DHE-RSA-AES128-SHA256 (0x67) | 128 | Yes | Diffie-Hellman: Group: RFC 2409 First Oakley Default Group; Bitsize: 1024 |
      | DHE-RSA-AES128-SHA (0x33) | 128 | Yes | Diffie-Hellman: Group: RFC 2409 First Oakley Default Group; Bitsize: 1024 |
      | AES128-GCM-SHA256 (0x9c) | 128 | No | - |
      | AES128-SHA256 (0x3c) | 128 | No | - |
      | AES128-SHA (0x2f) | 128 | No | - |
      | ECDHE-RSA-DES-CBC3-SHA (0xc012) WEAK | 112 | Yes | Curve: prime256v1 |
      | EDH-RSA-DES-CBC3-SHA (0x16) WEAK | 112 | Yes | Diffie-Hellman: Group: RFC 2409 First Oakley Default Group; Bitsize: 1024 |
      | DES-CBC3-SHA (0xa) WEAK | 112 | No | - |

      Note: I'm running Openfire 4.1.5, but it is an upgrade from 3.10.2.  Could this be a legacy from upgrading from the older version?

      Note2: My clients use the following jabber clients:

                     Spark on Windows,

                     Spark or Apple Messages on macOS,

                     Xabber on Android,

                     JabberB on iOS

           I mention this because perhaps some clients don't support certain ciphers.

       

      How can I fix these "problems"?
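
An added example, not part of the original post: a small Python triage of the cipher table above that separates the suites the report marks WEAK (3DES), the DHE suites offered over the 1024-bit group, and the suites without forward secrecy from the ones with no finding. The normalized input format, the function names and the 2048-bit DH threshold are assumptions made for this example.

```python
# Constructed input: the cipher rows from the report in the post, normalized to
# "suite id bits forward_secrecy dh_bits" ("-" where the report lists no DH group).
REPORT = """\
ECDHE-RSA-AES128-GCM-SHA256 0xc02f 128 Yes -
ECDHE-RSA-AES128-SHA256 0xc027 128 Yes -
ECDHE-RSA-AES128-SHA 0xc013 128 Yes -
DHE-RSA-AES128-GCM-SHA256 0x9e 128 Yes 1024
DHE-RSA-AES128-SHA256 0x67 128 Yes 1024
DHE-RSA-AES128-SHA 0x33 128 Yes 1024
AES128-GCM-SHA256 0x9c 128 No -
AES128-SHA256 0x3c 128 No -
AES128-SHA 0x2f 128 No -
ECDHE-RSA-DES-CBC3-SHA 0xc012 112 Yes -
EDH-RSA-DES-CBC3-SHA 0x16 112 Yes 1024
DES-CBC3-SHA 0xa 112 No -
"""
MIN_DH_BITS = 2048  # assumption: common minimum for finite-field DH, not from the post

def parse(report):
    """Turn the normalized report text into one dict per cipher suite."""
    rows = []
    for line in report.splitlines():
        name, hex_id, bits, fs, dh = line.split()
        rows.append({"name": name, "id": int(hex_id, 16), "bits": int(bits),
                     "fs": fs == "Yes", "dh_bits": None if dh == "-" else int(dh)})
    return rows

def findings(row):
    """Return the reasons a suite deserves attention (empty list = none)."""
    reasons = []
    if "DES-CBC3" in row["name"]:  # the suites the report labels WEAK
        reasons.append("3DES")
    if row["dh_bits"] is not None and row["dh_bits"] < MIN_DH_BITS:
        reasons.append("DH group of %d bits" % row["dh_bits"])
    if not row["fs"]:  # static RSA key exchange
        reasons.append("no forward secrecy")
    return reasons

def triage(report):
    """Map every suite name to its list of findings, in report order."""
    return {row["name"]: findings(row) for row in parse(report)}

if __name__ == "__main__":
    for name, reasons in triage(REPORT).items():
        print("%-30s %s" % (name, ", ".join(reasons) or "ok"))
```
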