-
Licaon_Kter
rob: > I'm getting the urge to write a bot that monitors various system things on your server and reports issues, but also responds to queries. As though I have time for more projects
Like https://observe.jabber.network/ ?
-
tom
Has anyone removed ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA AES256-SHA CAMELLIA256-SHA AES128-SHA CAMELLIA128-SHA from their cipher lists?
-
tom
Also
-
tom
Removed tls1.0 and 1.1
-
tom
I would like to disable old insecure ciphers from my server
-
tom
But I'm curious if anyone out there is still running and requires these old insecure ciphersuites
-
Licaon_Kter
Remove them all, grep your logs :)
-
tom
jabber.calyxinstitute.org please update your crypto
-
tom
You're the only one in my logs using TLSv1.2 with ECDHE-RSA-AES256-SHA
-
jonas’
concerned about SHA vs. SHA2?
-
tom
I'm concerned about BEAST (CVE-2011-3389)
-
tom
Also LUCKY13 (CVE-2013-0169)
-
tom
Apparently nobody at all is connecting over tls1.1 and lower
-
tom
So I'm going to disable that
-
ernst.on.tour
If your users use Android 4 they could lose connectivity.
-
tom
Thanks for the heads up
-
jonas’
maybe use testssl.sh with its client simulation stuff to figure out whom you lock out
-
tom
Nobody except calyx institute
-
mike
Android 4.1 is the min for TLS 1.2, iirc. I dropped 1.1 and down recently and found one single user who had an Android 2.3 device still in use up to that point. The impact was extremely minimal.
-
tom
What was the story with that one mike?
-
tom
And which is your server?
-
mike
No particular story, just that one person mentioned it after the change. I've seen no noticeable change in user numbers overall.
-
tom
Oh
-
mike
This is for chinwag.im
-
tom
I'm curious to know about Android 2 devices still in use
-
mike
They just mentioned they still had one among several devices and noticed it stopped connecting after I upgraded the server.
-
ernst.on.tour
Debian dropped TLS1.0/1.1 by default and "all" users with an Android 4 lost connectivity. Applications using okhttp up to version xy will fail. Normally Android 4 is able to do 1.2, but okhttp only looks at what is enabled, not at what is possible, and wouldn't use it.
-
menel
tom: I removed everything not being AESGCM and only allowed TLS1.2+, no issues with federation. The servers all do tls1.3 or tls1.2 with curves, and clients connecting to my small server are not ancient.
-
jonas’
no issues that you know of ;)
-
menel
Meaning, I can join every muc I like :-)
-
rob
> rob: > Like https://observe.jabber.network/ ?
No, more like disk, memory, CPU, package updates etc
-
christian
Do you use composer?
-
rob
I don't think so? Like for docker?
-
jayteeuk
That's docker-compose. I only know of composer the package manager for PHP, off the top of my head.
-
rob
Ah, then no. Not that I am aware. I run everything in docker
-
jayteeuk
Sorry, didn't mean to speak on christian's behalf. I may have misunderstood. But regarding monitoring, maybe something like fluentd (or fluent-bit) would be useful?
-
christian
Composer is hard to tell what it is ... something between ftp and git
-
christian
I don't know much about it but it seems it can handle any kind of files
-
jayteeuk
So it's a sort of file transfer program? Do you have a link?
-
tom
Yax.im, your conference server is completely down for me
-
Licaon_Kter
tom: yeah, https://monal.im/blog/vaxbot-continues-to-grow/
-
jonas’
tom, yax.im uses o.j.n, they’re aware. very.
-
tom
Orange juice nancys?
-
tom
Oh
-
tom
Your monitor
-
tom
jonas’: have you thought about making the monitor data public?
-
Licaon_Kter
MattJ: regarding the yax&vaccines situation, was prosody tweaked or the push server or?
-
tom
I think it would be a pretty valuable resource
-
Ge0rG
Sorry, there was a yax.im downtime that seems unrelated to VaxBot
-
tom
jonas’: your bot seems to think my tls certificates are about to expire
-
tom
Which does not seem to be true