[Secure-testing-team] Bug#747673: Horrid default cipher settings without option to adjust them to sane values

Benny Baumann BenBE at geshi.org
Sat May 10 22:07:18 UTC 2014


Package: ejabberd
Version: 2.1.11-1
Severity: grave
Tags: security

When setting up ejabberd with a default configuration it allows only connections
with a weak SSL configuration - if this is even configured:

1.  By default ejabberd allows SSLv3 which is broken in various ways
    and thus should no longer be used.

2.  By default ejabberd uses weak cipher suites that make use of weak primitives
    like DES, RC2, RC4, MD5, export ciphers.

3.  By default ejabberd does not provide ANY ciphers that make use of forward
    secrecy and thus jeopardizes the communication of users that crossed this
    server in case of a private key compromise.

4.  Most importantly, ejabberd does not provide any way to adjust the accepted
    security parameters (acceptable protocol versions, cipher string, cipher
    ordering, used ECC curves, used ECDHE/DHE parameters).

Please make sure that a default configuration can be configured to use strong
cryptography, using non-broken primitives and does so by default.

Kind regards,
Benny Baumann

P.S.: By courtesy of #747453.

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (900, 'testing'), (800, 'stable'), (750, 'experimental'), (700, 'unstable'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.13-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages ejabberd depends on:
ii  adduser                        3.113+nmu3
ii  debconf [debconf-2.0]          1.5.53
ii  erlang-asn1                    1:17.0-dfsg-1
ii  erlang-base [erlang-abi-15.b]  1:17.0-dfsg-1
ii  erlang-crypto                  1:17.0-dfsg-1
ii  erlang-inets                   1:17.0-dfsg-1
ii  erlang-mnesia                  1:17.0-dfsg-1
ii  erlang-odbc                    1:17.0-dfsg-1
ii  erlang-public-key              1:17.0-dfsg-1
ii  erlang-ssl                     1:17.0-dfsg-1
ii  erlang-syntax-tools            1:17.0-dfsg-1
ii  libc6                          2.18-5
ii  libexpat1                      2.1.0-4
ii  libpam0g                       1.1.8-3
ii  libssl1.0.0                    1.0.1g-3
ii  openssl                        1.0.1g-3
ii  ucf                            3.0028
ii  zlib1g                         1:1.2.8.dfsg-1

ejabberd recommends no packages.

Versions of packages ejabberd suggests:
ii  imagemagick          8:6.7.7.10+dfsg-1
ii  libunix-syslog-perl  1.1-2+b3

-- debconf information excluded
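
An added example, not part of the original report or of ejabberd: a small Python audit that checks a list of accepted protocol versions and OpenSSL-style cipher suite names against points 1 to 3 of the report. The function names and both sample configurations are constructed for illustration.

```python
# Added example: sample data below is constructed, not captured from a server.
WEAK_TOKENS = {"RC2", "RC4", "MD5"}      # primitives named in the report
EXPORT_TOKENS = {"EXP", "EXP1024"}       # OpenSSL prefixes for export suites
FS_TOKENS = {"ECDHE", "DHE", "EDH"}      # ephemeral (EC)DH key exchange


def weaknesses(suite):
    """Return the sorted weak properties of one OpenSSL cipher suite name."""
    tokens = suite.upper().split("-")
    found = {t for t in tokens if t in WEAK_TOKENS}
    # "DES-CBC3" is 3DES, which the report does not list; flag single DES only.
    if "DES" in tokens and "CBC3" not in tokens:
        found.add("DES")
    if EXPORT_TOKENS & set(tokens):
        found.add("EXPORT")
    return sorted(found)


def has_forward_secrecy(suite):
    """True for ephemeral key exchange; static ECDH and plain RSA are not."""
    return bool(FS_TOKENS & set(suite.upper().split("-")))


def audit(protocols, suites):
    """Check accepted protocols and suites against points 1 to 3."""
    weak = {s: weaknesses(s) for s in suites if weaknesses(s)}
    fs = [s for s in suites if has_forward_secrecy(s)]
    sslv3 = "SSLv3" in protocols
    return {"sslv3": sslv3, "weak": weak, "forward_secrecy": fs,
            "ok": not sslv3 and not weak and bool(fs)}


# Constructed configurations: one like the report describes, one hardened.
REPORTED = audit(["SSLv3", "TLSv1"],
                 ["EXP-RC2-CBC-MD5", "RC4-MD5", "DES-CBC-SHA", "AES128-SHA"])
HARDENED = audit(["TLSv1.2"],
                 ["ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-GCM-SHA384"])

if __name__ == "__main__":
    for name, result in (("reported", REPORTED), ("hardened", HARDENED)):
        print(name, result)
```

The suite names fed to `audit` can be taken from whatever a scanner or the server's own configuration reports; the check itself only parses the names.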


