prefer PFS cipher suites and TLS 1.2; optionally disable SSLv3, SSLv2
Submitted by Simon McVittie
Assigned to Telepathy bugs list
Description
https://github.com/stpeter/manifesto/blob/master/manifesto.txt says:
o prefer the latest version of TLS (TLS 1.2)
o disable support for the older and less secure SSL standard (SSLv2 and SSLv3)
o provide configuration options to require channel encryption for client-to-server and server-to-server connections
o provide configuration options to prefer or require cipher suites that enable forward secrecy
We should do that.
For interop with defective corporate XMPP servers, we should probably offer a boolean allow-ssl3 parameter, and perhaps a allow-ssl2 parameter too. They can be off by default, hopefully.
I hope we won't need an allow-tls1.2 parameter (on by default) for interop with servers that choke on that... but perhaps we will.
We'll eventually need allow-tls1.1 and allow-tls1.0 parameters, probably. While we're adding things we might as well complete the set!
Version: git master