      request #9246 Openfire provided with Tuleap uses a weak DH group
    Infos
    #9246
    Thomas Gerbet (tgerbet)
    2016-07-25 10:59
    2016-06-13 16:11
    9529
    Details
    Openfire provided with Tuleap uses a weak DH group
    The Openfire provided with the IM plugin of Tuleap uses an old version of the JVM. This old JVM uses a weak DH group during the key exchange of the TLS session.

    This prevents clients using a modern stack from connecting to the server with TLS. For example, Pidgin will refuse to connect to the server and there is no easy workaround/bypass (as it should be).
    Also, it allows attackers with a lot of computing power at their disposal to downgrade/break the level of security of the connection.

    CVSSv3 score: 3.1 (CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

    Reference:
    https://weakdh.org/
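Added example, not part of the original ticket or of the Tuleap/Openfire code: a check that reads the DH group size from a captured TLS 1.2 (or earlier) ServerKeyExchange handshake message, which is where the server-chosen group described above is sent. The function names, the thresholds and the sample messages are assumptions made for this illustration.

```python
import struct

# Thresholds are assumptions for this example: weakdh.org recommends
# 2048-bit groups, and many modern clients reject groups under 1024 bits.
MIN_ACCEPTED_BITS = 1024
RECOMMENDED_BITS = 2048

def _read_vector(buf, offset):
    """Read one TLS opaque<1..2^16-1> vector; return (value, next_offset)."""
    if offset + 2 > len(buf):
        raise ValueError("truncated length prefix")
    (length,) = struct.unpack_from("!H", buf, offset)
    end = offset + 2 + length
    if length == 0 or end > len(buf):
        raise ValueError("truncated or empty vector")
    return buf[offset + 2:end], end

def dh_group_bits(handshake):
    """Return the bit length of dh_p in a DHE ServerKeyExchange message."""
    if len(handshake) < 4 or handshake[0] != 12:  # 12 = server_key_exchange
        raise ValueError("not a ServerKeyExchange handshake message")
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake body")
    p, off = _read_vector(body, 0)      # dh_p: the group prime
    _g, off = _read_vector(body, off)   # dh_g: the generator
    _ys, _ = _read_vector(body, off)    # dh_Ys: server public value
    return int.from_bytes(p, "big").bit_length()  # signature bytes ignored

def classify(bits):
    if bits < MIN_ACCEPTED_BITS:
        return "weak"
    if bits < RECOMMENDED_BITS:
        return "legacy"
    return "ok"

def make_sample(p_bits):
    """Constructed message: p is not a real prime, only its length matters."""
    p = ((1 << (p_bits - 1)) | 1).to_bytes((p_bits + 7) // 8, "big")
    vec = lambda v: len(v).to_bytes(2, "big") + v
    body = vec(p) + vec(b"\x02") + vec(b"\x01" * len(p))
    return b"\x0c" + len(body).to_bytes(3, "big") + body

if __name__ == "__main__":
    for bits in (768, 1024, 2048):  # constructed sample sizes
        n = dh_group_bits(make_sample(bits))
        print(n, classify(n))
```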
    Other
    All
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Thomas Gerbet (tgerbet)
    Closed
    2016-07-25
    Attachments
    Empty
    References
    Referencing request #9246

    Artifact Tracker v5

    rel #8983 8.16

    Follow-ups

    Thomas Gerbet (tgerbet) 2016-07-25 10:59
    Package has been updated.

    • Status changed from Under review to Closed
    • Close date set to 2016-07-25
    Thomas Gerbet (tgerbet) 2016-06-13 18:45
    Commit #6616ccdab3a1d updates the JRE embedded in Openfire and fixes the issue.

    • Status changed from Under implementation to Under review