Following up on test results from the new xmpp.net observatory, I've been trying to find a way to disable weak SSL/TLS ciphers in Openfire.
According to the Observatory test, Openfire supports a number of really weak ciphers by default which I want to disable, but can't seem to be able to configure anywhere:
Ciphers

Server does respect the client's cipher ordering.

Cipher suite | Bitsize | Forward secrecy | Rating |
---|---|---|---|
ECDHE-RSA-AES128-SHA (0xc013) | 128 | Yes | |
ECDHE-RSA-RC4-SHA (0xc011) | 128 | Yes | |
DHE-RSA-AES128-SHA (0x33) | 128 | Yes | |
DHE-DSS-AES128-SHA (0x32) | 128 | Yes | |
RC4-MD5 (0x10080) | 128 | No | |
AES128-SHA (0x2f) | 128 | No | |
RC4-SHA (0x5) | 128 | No | |
ECDHE-RSA-DES-CBC3-SHA (0xc012) | 112 | Yes | WEAK |
EDH-RSA-DES-CBC3-SHA (0x16) | 112 | Yes | WEAK |
EDH-DSS-DES-CBC3-SHA (0x13) | 112 | Yes | WEAK |
DES-CBC3-SHA (0xa) | 112 | No | WEAK |
EDH-RSA-DES-CBC-SHA (0x15) | 56 | Yes | VERY WEAK |
EDH-DSS-DES-CBC-SHA (0x12) | 56 | Yes | VERY WEAK |
DES-CBC-SHA (0x9) | 56 | No | VERY WEAK |
EXP-EDH-RSA-DES-CBC-SHA (0x14) | 40 | Yes | VERY WEAK |
EXP-EDH-DSS-DES-CBC-SHA (0x11) | 40 | Yes | VERY WEAK |
EXP-RC4-MD5 (0x20080) | 40 | No | VERY WEAK |
EXP-DES-CBC-SHA (0x8) | 40 | No | VERY WEAK |
Anything less than 128 bit should preferably be disabled, but at the very least the 40 bit and 56 bit ones since those are terrible. How do I do this?
Also, it seems Openfire doesn't support 256 bit ciphers at all?
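Added example, not from the original post or the Openfire project: since Openfire is a Java server and gets its cipher suites from the JVM's JSSE provider, this small program run on the same JVM lists the suites that provider supports, drops the export, DES/3DES, RC4 and MD5 suites that correspond to the WEAK and VERY WEAK rows above, and reports the JVM's maximum AES key length, which explains the missing 256-bit suites when it comes back as 128. The class name and the `WEAK` pattern are my own.

```java
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class CipherAudit {
    // JSSE names for the suites the observatory flags: export grade, single DES,
    // 3DES, RC4 and MD5-MAC suites, plus NULL and anonymous ones for completeness.
    // This pattern is my own choice of policy, not something Openfire ships.
    private static final Pattern WEAK = Pattern.compile(
            "EXPORT|_DES_|3DES|RC4|_MD5|NULL|anon", Pattern.CASE_INSENSITIVE);

    /** Returns the suites that remain after removing every weak one. */
    public static List<String> strongSubset(String[] suites) {
        List<String> keep = new ArrayList<>();
        for (String suite : suites) {
            if (!WEAK.matcher(suite).find()) {
                keep.add(suite);
            }
        }
        return keep;
    }

    public static void main(String[] args) throws Exception {
        String[] supported = SSLContext.getDefault()
                .getSupportedSSLParameters().getCipherSuites();
        List<String> strong = strongSubset(supported);

        System.out.println("Supported by this JVM: " + supported.length);
        System.out.println("Remaining after removing weak suites: " + strong.size());
        for (String suite : strong) {
            System.out.println("  " + suite);
        }

        // 128 here means this JVM is limited to AES-128 by its JCE policy, which is
        // the usual reason no 256-bit suites show up in a server scan; a much larger
        // value (Integer.MAX_VALUE) means unlimited strength is available.
        System.out.println("Max AES key length: " + Cipher.getMaxAllowedKeyLength("AES"));
    }
}
```

Run it with the same `java` binary that starts Openfire, otherwise the suite list and AES limit may differ from what the server actually offers.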