XMPP Service Operators - 2017-09-27

  1. random

    Holger: hi, on check.messaging.one there's a thing not covered in faqs that I don't understand: in cipher section what means ""

  2. random

    Server does not rspect client cipher ordering?

  3. Ge0rG

    random: it means that the server will choose the best cipher from the client's list, instead of the first one.

  4. Holger

    Both the server and the client advertise a list of supported ciphers. The client might advertise A|B|C and the server C|B|A. The question is whether A or C is chosen.

  5. random

    I see, can it be solved so the server is the one that decides?

  6. random

    Any way to force it

  7. Ge0rG

    random: that's exactly what the message says.

  8. Zash

    Ackshhhhually, Client advertises, server picks one that is mutually supported. :) </pedantic>

  9. Holger

    Yes, the recommendation seems to be C, i.e. "don't respect the client's ordering". The assumption seems to be that the server knows more about ciphers than the client.

  10. Holger

    Zash: Right.

  11. Zash

    Server may take the clients ordering into consideration, or not.

  12. random

    Oooh i understand. So that's not a bad message

  13. Holger


  14. Zash

    It's just a message.

  15. Holger

    But yes it's worded in a somewhat negative way :-)

  16. Zash

    If the client has a terrible ordering then ignoring it is good. If the client has put thought into its ordering then ignoring it is .. less good.

  17. random

    I understand now, thanks everybody

  18. Zash

    xnyphs did some research into a the ordering of a bunch of clients and they weren't very nice, so having the server prefer its own order seemed like a sensible choice at the time

  19. Zash

    That situation may or may not have changed, and probably varies with clients.

  20. Zash

    I kinda wish TLS APIs had more flexibility than either-or ordering. I think some Google / Chrome people (agl?) looked into that, but I don't think any changes have made it into eg OpenSSL