September 2, 2013

The State of TLS on XMPP (3)


One important factor has not yet been covered in my two previous posts: clients. As barely any server uses a pre-defined cipher order, the order set by clients is at least as important as the cipher support of a server.

Full disclosure: one of the reasons I started looking into this was horribly bad SSL cipher selection by Adium 1.5.6 and earlier. Due to problems with elliptic curve suites (which were new in 10.6) and certain XMPP servers, Adium had a hard-coded list of the ciphers supported by 10.5. This included ciphers with anonymous-Diffie-Hellman, which are unauthenticated and crashed Adium. Also included were a number of ciphers with NULL encryption. This was fixed by removing the vulnerable cipher suites in Adium 1.5.7 and I intend to bring back the ECC suites in 1.5.8.

Possible issues

Bad suites

DES and EXPORT cipher suites can be cracked within seconds on modern hardware, yet my tests showed 80% of the servers still have those enabled. Of course, eNULL should never be advertised by a client at all.

RC4 is currently considered “problematic”. Biases are known to exist in the first 256 bytes, yet they require around 2^24 ciphertexts to have a reasonable chance of decryption. When using a normal XMPP SASL PLAIN authentication, with TLSv1.2 RC4-MD5 encryption, around 19 characters of your username+password are within this first 256 byte block. 2^24 sounds like much, but extra assumptions (like the fact that the data is base64 encoded) could bring this down considerably.

SSLv2

SSLv2 was deprecated and known to be broken before the first Jabber server was written, yet many servers also still support it. One of the dangers of SSLv2 is cipher rollback attacks: an attacker could modify the lists of ciphers the client indicates to support to force the server to use weaker ciphers. Combined with DES/EXPORT suites, this could allow an attacker to change the encryption to something they can easily crack. Servers and clients try to detect when SSLv3 connections are downgraded to SSLv2, but this has had bugs in the past.

Forward secrecy

Forward secrecy means a compromised private key will not help decrypting past connections, even if they were logged completely. This means that any adversary with enough legal power or technical skills to steal the private key can not look at your past messages. To support these, DHE, EDH or ECDHE (Ephemeral Diffie-Hellman and Elliptic Curve Ephemeral Diffie-Hellman) must be used as the authentication mechanism. ECDHE offers stronger encryption, yet at less computational cost than DHE or EDH.

Note that ciphers that start with ECDH- and DH- are different authentication mechanisms: these require special certificates and offer no forward-secrecy.

GCM

Due to the BEAST attack, all CBC cipher suites in TLS 1.0 are problematic, but the only alternative is RC4. The AES GCM suites, which are new in TLS 1.2 are not vulnerable to this attack and the safest solution.

Clients

The following results have been found by parsing the ClientHello message that was captured using Wireshark. Note again that this list might also depend on other factors, like the version of other libraries installed.

Windows 8

Jitsi 2.2.4603.9615

ECDHE-ECDSA-AES128-SHA
ECDHE-RSA-AES128-SHA
AES128-SHA
ECDH-ECDSA-AES128-SHA
ECDH-RSA-AES128-SHA
DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA
ECDHE-ECDSA-RC4-SHA
ECDHE-RSA-RC4-SHA
RC4-SHA
ECDH-ECDSA-RC4-SHA
ECDH-RSA-RC4-SHA
ECDHE-ECDSA-DES-CBC3-SHA
ECDHE-RSA-DES-CBC3-SHA
DES-CBC3-SHA
ECDH-ECDSA-DES-CBC3-SHA
ECDH-RSA-DES-CBC3-SHA
EDH-RSA-DES-CBC3-SHA
EDH-DSS-DES-CBC3-SHA
RC4-MD5

Favoring (EC)DHE, RC4-MD5 last, nothing weak. At first glance this list looks good. However, note that there is no 256-bit cipher in there at all. 3DES is theoretically 168-bits, but practically it comes down to 112-bits of security. The best cipher offered is 128-bit AES. So far, this has been the only client that doesn’t support 256-bit encryption that I’ve seen.

Pidgin 2.10.7

DHE-RSA-AES256-SHA
DHE-DSS-AES256-SHA
AES256-SHA
DSS-RC4-SHA
DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA
RC4-SHA
RC4-MD5
AES128-SHA
EDH-RSA-DES-CBC3-SHA
EDH-DSS-DES-CBC3-SHA
SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
DES-CBC3-SHA
EDH-RSA-DES-CBC-SHA
EDH-DSS-DES-CBC-SHA
SSL_RSA_FIPS_WITH_DES_CBC_SHA
DES-CBC-SHA
EXP1024-RC4-SHA
EXP1024-DES-CBC-SHA
EXP-RC4-MD5
EXP-RC2-CBC-MD5

Pidgin sadly supports no ECDHE. A lot of weak DES and EXPORT ciphers are included here too.

Gajim 0.15.4

DHE-RSA-AES256-SHA
DHE-DSS-AES256-SHA
AES256-SHA
EDH-RSA-DES-CBC3-SHA
EDH-DSS-DES-CBC3-SHA
DES-CBC3-SHA
DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA
AES128-SHA
IDEA-CBC-SHA
RC4-SHA
RC4-MD5
EDH-RSA-DES-CBC-SHA
EDH-DSS-DES-CBC-SHA
DES-CBC-SHA
EXP-EDH-RSA-DES-CBC-SHA
EXP-EDH-DSS-DES-CBC-SHA
EXP-DES-CBC-SHA
EXP-RC2-CBC-MD5
EXP-RC4-MD5

Also no ECDHE here and an even longer list of DES/EXPORT ciphers. 3DES, while less secure, is preferred over 128-bit AES.

Windows 7

Psi 0.15

ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA
SRP-DSS-AES-256-CBC-SHA
SRP-RSA-AES-256-CBC-SHA
DHE-DSS-AES256-GCM-SHA384
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-SHA256
DHE-DSS-AES256-SHA256
DHE-RSA-AES256-SHA
DHE-DSS-AES256-SHA
DHE-RSA-CAMELLIA256-SHA
DHE-DSS-CAMELLIA256-SHA
ECDH-RSA-AES256-GCM-SHA384
ECDH-ECDSA-AES256-GCM-SHA384
ECDH-RSA-AES256-SHA384
ECDH-ECDSA-AES256-SHA384
ECDH-RSA-AES256-SHA
ECDH-ECDSA-AES256-SHA
AES256-GCM-SHA384
AES256-SHA256
AES256-SHA
CAMELLIA256-SHA
ECDHE-RSA-DES-CBC3-SHA
ECDHE-ECDSA-DES-CBC3-SHA
SRP-DSS-3DES-EDE-CBC-SHA
SRP-RSA-3DES-EDE-CBC-SHA
EDH-RSA-DES-CBC3-SHA
EDH-DSS-DES-CBC3-SHA
ECDH-RSA-DES-CBC3-SHA
ECDH-ECDSA-DES-CBC3-SHA
DES-CBC3-SHA
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA
ECDHE-ECDSA-AES128-SHA
SRP-DSS-AES-128-CBC-SHA
SRP-RSA-AES-128-CBC-SHA
DHE-DSS-AES128-GCM-SHA256
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-SHA256
DHE-DSS-AES128-SHA256
DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA
DHE-RSA-SEED-SHA
DHE-DSS-SEED-SHA
DHE-RSA-CAMELLIA128-SHA
DHE-DSS-CAMELLIA128-SHA
ECDH-RSA-AES128-GCM-SHA256
ECDH-ECDSA-AES128-GCM-SHA256
ECDH-RSA-AES128-SHA256
ECDH-ECDSA-AES128-SHA256
ECDH-RSA-AES128-SHA
ECDH-ECDSA-AES128-SHA
AES128-GCM-SHA256
AES128-SHA256
AES128-SHA
SEED-SHA
CAMELLIA128-SHA
IDEA-CBC-SHA
ECDHE-RSA-RC4-SHA
ECDHE-ECDSA-RC4-SHA
ECDH-RSA-RC4-SHA
ECDH-ECDSA-RC4-SHA
RC4-SHA
RC4-MD5
EDH-RSA-DES-CBC-SHA
EDH-DSS-DES-CBC-SHA
DES-CBC-SHA
EXP-EDH-RSA-DES-CBC-SHA
EXP-EDH-DSS-DES-CBC-SHA
EXP-DES-CBC-SHA
EXP-RC2-CBC-MD5
EXP-RC4-MD5

rullzer sent in this list of Psi on Windows 7. With 79 supported ciphers, it’s the longest list on this page. Psi supports ECDHE and TLS 1.2 goodies like GCM and SHA384. However, encryption strength is prioritized over forward secrecy and 3DES takes priority over AES128. A number of weak suites are also included here.

Miranda NG v0.94.4 #5216 x64, jabber.dll 0.11.0.2

AES128-SHA
AES256-SHA
RC4-SHA
DES-CBC3-SHA
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-SHA
ECDHE-ECDSA-AES128-SHA
ECDHE-ECDSA-AES256-SHA
DHE-DSS-AES128-SHA
DHE-DSS-AES256-SHA
EDH-DSS-DES-CBC3-SHA
RC4-MD5

Roland Müller sent in this list of Miranda NG v0.94.4 #5216 x64 with jabber.dll 0.11.0.2 on Windows 7 Pro SP1 x64. We see support for ECDHE, but the forward-secrecy suites get prioritized below non-ephemeral cipher suites. Note also that 128 bit AES takes priority over 256 bits, but no weak suites here and RC4-MD5 firmly at the bottom.

OS X 10.8

Adium 1.5.7

AES128-SHA
RC4-SHA
RC4-MD5
AES256-SHA
DES-CBC3-SHA
EXP-RC4-MD5
DHE-RSA-AES128-SHA
DHE-RSA-AES256-SHA
EDH-RSA-DES-CBC3-SHA

I’m not proud of this list, but considering 1.5.7 was about to be released, it was the only improvement I dared to make without beta-testing. The order seems random, EXPORT suites still enabled, no ECDHE.

Jitsi 2.2.4603.9615

RC4-MD5
RC4-SHA
AES128-SHA
AES256-SHA
DHE-RSA-AES128-SHA
DHE-RSA-AES256-SHA
DHE-DSS-AES128-SHA
DHE-DSS-AES256-SHA
DES-CBC3-SHA
DES-CBC3-MD5
EDH-RSA-DES-CBC3-SHA
EDH-DSS-DES-CBC3-SHA
DES-CBC-SHA
DES-CBC-MD5
EDH-RSA-DES-CBC-SHA
EDH-DSS-DES-CBC-SHA
EXP-RC4-MD5
EXP-DES-CBC-SHA
EXP-EDH-RSA-DES-CBC-SHA
EXP-EDH-DSS-DES-CBC-SHA

Initially I expected this to be similar to Jitsi’s list on Windows, but it very much isn’t. RC4-MD5 is the first choice, ECDHE and DHE suites are prioritized behind their non-DHE counterparts. Contrary to the Windows version, 256-bit ciphers are present here, yet also DES and EXPORT suites.

Messages 7.0.1 (3322)

ECDHE-ECDSA-AES256-SHA
ECDHE-ECDSA-AES128-SHA
ECDHE-ECDSA-RC4-SHA
ECDHE-ECDSA-DES-CBC3-SHA
ECDHE-RSA-AES256-SHA
ECDHE-RSA-AES128-SHA
ECDHE-RSA-RC4-SHA
ECDHE-RSA-DES-CBC3-SHA
ECDH-ECDSA-AES128-SHA
ECDH-ECDSA-AES256-SHA
ECDH-ECDSA-RC4-SHA
ECDH-ECDSA-DES-CBC3-SHA
ECDH-RSA-AES128-SHA
ECDH-RSA-AES256-SHA
ECDH-RSA-RC4-SHA
ECDH-RSA-DES-CBC3-SHA
AES128-SHA
RC4-SHA
RC4-MD5
AES256-SHA
DES-CBC3-SHA
DHE-RSA-AES128-SHA
DHE-RSA-AES256-SHA
EDH-RSA-DES-CBC3-SHA

Very little to criticize about this list. A lot of ECDHE suites enabled, with forward-secrecy prioritized over encryption strength. The only surprising cipher here is AES256-SHA prioritized low among the other non-ephemeral suites.

Trillian 1.4.52

DHE-RSA-AES256-SHA
DHE-DSS-AES256-SHA
AES256-SHA
EDH-RSA-DES-CBC3-SHA
EDH-DSS-DES-CBC3-SHA
DES-CBC3-SHA
DES-CBC3-MD5
DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA
AES128-SHA
DHE-RSA-SEED-SHA
DHE-DSS-SEED-SHA
SEED-SHA
RC2-CBC-MD5
RC4-SHA
RC4-MD5
RC4-MD5
EDH-RSA-DES-CBC-SHA
EDH-DSS-DES-CBC-SHA
DES-CBC-SHA
DES-CBC-MD5
EXP-EDH-RSA-DES-CBC-SHA
EXP-EDH-DSS-DES-CBC-SHA
EXP-DES-CBC-SHA
EXP-RC2-CBC-MD5
EXP-RC2-CBC-MD5
EXP-RC4-MD5
EXP-RC4-MD5

No ECDHE here. Ephemeral suites do take priority over the non-ephemeral variants, but encryption strength trumps forward-secrecy. A lot of weak ciphers are included.

Psi 0.15

DHE-RSA-AES256-SHA
DHE-DSS-AES256-SHA
AES256-SHA
EDH-RSA-DES-CBC3-SHA
EDH-DSS-DES-CBC3-SHA
DES-CBC3-SHA
DES-CBC3-MD5
DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA
AES128-SHA
RC2-CBC-MD5
RC4-SHA
RC4-MD5
EDH-RSA-DES-CBC-SHA
EDH-DSS-DES-CBC-SHA
DES-CBC-SHA
DES-CBC-MD5
EXP-EDH-RSA-DES-CBC-SHA
EXP-EDH-DSS-DES-CBC-SHA
EXP-DES-CBC-SHA
EXP-RC2-CBC-MD5
EXP-RC4-MD5

No ECDHE here either, but priority for DHE. Also here 3DES is taken over AES128 and a number of EXPORT suites are included.

poezio 0.7.5.2

ECDHE-RSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA
SRP-DSS-AES-256-CBC-SHA
SRP-RSA-AES-256-CBC-SHA
DHE-RSA-AES256-SHA
DHE-DSS-AES256-SHA
DHE-RSA-CAMELLIA256-SHA
DHE-DSS-CAMELLIA256-SHA
ECDH-RSA-AES256-SHA
ECDH-ECDSA-AES256-SHA
AES256-SHA
CAMELLIA256-SHA
ECDHE-RSA-DES-CBC3-SHA
ECDHE-ECDSA-DES-CBC3-SHA
SRP-DSS-3DES-EDE-CBC-SHA
SRP-RSA-3DES-EDE-CBC-SHA
EDH-RSA-DES-CBC3-SHA
EDH-DSS-DES-CBC3-SHA
ECDH-RSA-DES-CBC3-SHA
ECDH-ECDSA-DES-CBC3-SHA
DES-CBC3-SHA
ECDHE-RSA-AES128-SHA
ECDHE-ECDSA-AES128-SHA
SRP-DSS-AES-128-CBC-SHA
SRP-RSA-AES-128-CBC-SHA
DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA
DHE-RSA-SEED-SHA
DHE-DSS-SEED-SHA
DHE-RSA-CAMELLIA128-SHA
DHE-DSS-CAMELLIA128-SHA
ECDH-RSA-AES128-SHA
ECDH-ECDSA-AES128-SHA
AES128-SHA
SEED-SHA
CAMELLIA128-SHA
IDEA-CBC-SHA
ECDHE-RSA-RC4-SHA
ECDHE-ECDSA-RC4-SHA
ECDH-RSA-RC4-SHA
ECDH-ECDSA-RC4-SHA
RC4-SHA
RC4-MD5

I tested poezio 0.7.5.2 on OS X 10.8 with Python 3.3 and mathieui sent me a list of poezio git on Arch Linux which was identical. No weak ciphers here and support for ECDHE, which is good, but encryption strength trumps forward secrecy. Also here 3DES is prioritized above AES128, but it does place RC4 at the bottom of everything.

Debian 7.1

Pidgin 2.10.6

DHE-DSS-AES256-SHA
AES256-SHA
DHE-RSA-AES256-SHA
DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA
RC4-SHA
RC4-MD5
AES128-SHA
EDH-RSA-DES-CBC3-SHA
EDH-DSS-DES-CBC3-SHA
DES-CBC3-SHA
EDH-RSA-DES-CBC-SHA
EDH-DSS-DES-CBC-SHA

While 2.10.6 is not the latest version of Pidgin, I decided to stick to what was available in the Debian Wheezy package manager.

No ECDHE, but good prioritization of the DHE suites. No EXPORT suites are included, but the 2 DES suites are definitely weak.

Gajim 0.15.1

ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA
SRP-DSS-AES-256-CBC-SHA
SRP-RSA-AES-256-CBC-SHA
DHE-DSS-AES256-GCM-SHA384
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-SHA256
DHE-DSS-AES256-SHA256
DHE-RSA-AES256-SHA
DHE-DSS-AES256-SHA
DHE-RSA-CAMELLIA256-SHA
DHE-DSS-CAMELLIA256-SHA
ECDH-RSA-AES256-GCM-SHA384
ECDH-ECDSA-AES256-GCM-SHA384
ECDH-RSA-AES256-SHA384
ECDH-ECDSA-AES256-SHA384
ECDH-RSA-AES256-SHA
ECDH-ECDSA-AES256-SHA
AES256-GCM-SHA384
AES256-SHA256
AES256-SHA
CAMELLIA256-SHA
ECDHE-RSA-DES-CBC3-SHA
ECDHE-ECDSA-DES-CBC3-SHA
SRP-DSS-3DES-EDE-CBC-SHA
SRP-RSA-3DES-EDE-CBC-SHA
EDH-RSA-DES-CBC3-SHA
EDH-DSS-DES-CBC3-SHA
ECDH-RSA-DES-CBC3-SHA
ECDH-ECDSA-DES-CBC3-SHA
DES-CBC3-SHA
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA
ECDHE-ECDSA-AES128-SHA
SRP-DSS-AES-128-CBC-SHA
SRP-RSA-AES-128-CBC-SHA
DHE-DSS-AES128-GCM-SHA256
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-SHA256
DHE-DSS-AES128-SHA256
DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA
DHE-RSA-SEED-SHA
DHE-DSS-SEED-SHA
DHE-RSA-CAMELLIA128-SHA
DHE-DSS-CAMELLIA128-SHA
ECDH-RSA-AES128-GCM-SHA256
ECDH-ECDSA-AES128-GCM-SHA256
ECDH-RSA-AES128-SHA256
ECDH-ECDSA-AES128-SHA256
ECDH-RSA-AES128-SHA
ECDH-ECDSA-AES128-SHA
AES128-GCM-SHA256
AES128-SHA256
AES128-SHA
SEED-SHA
CAMELLIA128-SHA
ECDHE-RSA-RC4-SHA
ECDHE-ECDSA-RC4-SHA
ECDH-RSA-RC4-SHA
ECDH-ECDSA-RC4-SHA
RC4-SHA
RC4-MD5
EDH-RSA-DES-CBC-SHA
EDH-DSS-DES-CBC-SHA
DES-CBC-SHA
EXP-EDH-RSA-DES-CBC-SHA
EXP-EDH-DSS-DES-CBC-SHA
EXP-DES-CBC-SHA
EXP-RC2-CBC-MD5
EXP-RC4-MD5

Gajim on Debian is also very different from Gajim on Windows. It offers this enormous list of 78 different ciphers it supports. While some of these (SRP, ECSA, DSS) are unlikely to work with your average CA-issued certificate, in certain situations they might be beneficial. The list starts good with a large number of ECDHE and DHE suites, but sadly 3DES also takes priority over AES128. At the end they sneak in a couple of DES and EXPORT suites too.

Empathy 3.4.2.3

DHE-RSA-AES128-SHA
DHE-RSA-AES128-SHA256
DHE-RSA-CAMELLIA128-SHA
DHE-RSA-AES256-SHA
DHE-RSA-AES256-SHA256
DHE-RSA-CAMELLIA256-SHA
EDH-RSA-DES-CBC3-SHA
DHE-DSS-AES128-SHA
DHE-DSS-AES128-SHA256
DHE-DSS-CAMELLIA128-SHA
DHE-DSS-AES256-SHA
DHE-DSS-AES256-SHA256
DHE-DSS-CAMELLIA256-SHA
EDH-DSS-DES-CBC3-SHA
AES128-SHA
AES128-SHA256
CAMELLIA128-SHA
AES256-SHA
AES256-SHA256
CAMELLIA256-SHA
DES-CBC3-SHA
RC4-SHA
RC4-MD5

No ECDHE, but DHE takes priority over everything else. Just like Gajim also some Camellia here and support for a member of the SHA2 family (SHA256). Surprisingly AES128 takes priority over AES256 here. No weak suites at all.

Swift 2.0beta1-dev47

ECDHE-RSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA
SRP-DSS-AES-256-CBC-SHA
SRP-RSA-AES-256-CBC-SHA
DHE-RSA-AES256-SHA
DHE-DSS-AES256-SHA
DHE-RSA-CAMELLIA256-SHA
DHE-DSS-CAMELLIA256-SHA
ECDH-RSA-AES256-SHA
ECDH-ECDSA-AES256-SHA
AES256-SHA
CAMELLIA256-SHA
ECDHE-RSA-DES-CBC3-SHA
ECDHE-ECDSA-DES-CBC3-SHA
SRP-DSS-3DES-EDE-CBC-SHA
SRP-RSA-3DES-EDE-CBC-SHA
EDH-RSA-DES-CBC3-SHA
EDH-DSS-DES-CBC3-SHA
ECDH-RSA-DES-CBC3-SHA
ECDH-ECDSA-DES-CBC3-SHA
DES-CBC3-SHA
ECDHE-RSA-AES128-SHA
ECDHE-ECDSA-AES128-SHA
SRP-DSS-AES-128-CBC-SHA
SRP-RSA-AES-128-CBC-SHA
DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA
DHE-RSA-SEED-SHA
DHE-DSS-SEED-SHA
DHE-RSA-CAMELLIA128-SHA
DHE-DSS-CAMELLIA128-SHA
ECDH-RSA-AES128-SHA
ECDH-ECDSA-AES128-SHA
AES128-SHA
SEED-SHA
CAMELLIA128-SHA
ECDHE-RSA-RC4-SHA
ECDHE-ECDSA-RC4-SHA
ECDH-RSA-RC4-SHA
ECDH-ECDSA-RC4-SHA
RC4-SHA
RC4-MD5
EDH-RSA-DES-CBC-SHA
EDH-DSS-DES-CBC-SHA
DES-CBC-SHA
EXP-EDH-RSA-DES-CBC-SHA
EXP-EDH-DSS-DES-CBC-SHA
EXP-DES-CBC-SHA
EXP-RC2-CBC-MD5
EXP-RC4-MD5

Another long list, but not quite as long as Gajim’s. Ordering seems to be similar: first sorted by bitsize, then by ECDHE, DHE and non-ephemeral. Also here a number of EXPORT and DES suites.

Psi 0.14

ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA
SRP-DSS-AES-256-CBC-SHA
SRP-RSA-AES-256-CBC-SHA
DHE-DSS-AES256-GCM-SHA384
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-SHA256
DHE-DSS-AES256-SHA256
DHE-RSA-AES256-SHA
DHE-DSS-AES256-SHA
DHE-RSA-CAMELLIA256-SHA
DHE-DSS-CAMELLIA256-SHA
ECDH-RSA-AES256-GCM-SHA384
ECDH-ECDSA-AES256-GCM-SHA384
ECDH-RSA-AES256-SHA384
ECDH-ECDSA-AES256-SHA384
ECDH-RSA-AES256-SHA
ECDH-ECDSA-AES256-SHA
AES256-GCM-SHA384
AES256-SHA256
AES256-SHA
CAMELLIA256-SHA
ECDHE-RSA-DES-CBC3-SHA
ECDHE-ECDSA-DES-CBC3-SHA
SRP-DSS-3DES-EDE-CBC-SHA
SRP-RSA-3DES-EDE-CBC-SHA
EDH-RSA-DES-CBC3-SHA
EDH-DSS-DES-CBC3-SHA
ECDH-RSA-DES-CBC3-SHA
ECDH-ECDSA-DES-CBC3-SHA
DES-CBC3-SHA
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA
ECDHE-ECDSA-AES128-SHA
SRP-DSS-AES-128-CBC-SHA
SRP-RSA-AES-128-CBC-SHA
DHE-DSS-AES128-GCM-SHA256
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-SHA256
DHE-DSS-AES128-SHA256
DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA
DHE-RSA-SEED-SHA
DHE-DSS-SEED-SHA
DHE-RSA-CAMELLIA128-SHA
DHE-DSS-CAMELLIA128-SHA
ECDH-RSA-AES128-GCM-SHA256
ECDH-ECDSA-AES128-GCM-SHA256
ECDH-RSA-AES128-SHA256
ECDH-ECDSA-AES128-SHA256
ECDH-RSA-AES128-SHA
ECDH-ECDSA-AES128-SHA
AES128-GCM-SHA256
AES128-SHA256
AES128-SHA
SEED-SHA
CAMELLIA128-SHA
ECDHE-RSA-RC4-SHA
ECDHE-ECDSA-RC4-SHA
ECDH-RSA-RC4-SHA
ECDH-ECDSA-RC4-SHA
RC4-SHA
RC4-MD5
EDH-RSA-DES-CBC-SHA
EDH-DSS-DES-CBC-SHA
DES-CBC-SHA
EXP-EDH-RSA-DES-CBC-SHA
EXP-EDH-DSS-DES-CBC-SHA
EXP-DES-CBC-SHA
EXP-RC2-CBC-MD5
EXP-RC4-MD5

Debian definitely likes to package things with long cipher lists. Psi also offers 78 ciphers, but not the same as Gajim. It offers a number of brand new cipher suites introduced in TLS1.2: AES with GCM and SHA256 or SHA384 as MAC. Other than that, the ordering is similar to Swift and Gajim: 3DES gets priority over AES128, even when it includes new features like GCM and SHA256.

irssi-xmpp 0.52

DHE-RSA-AES128-SHA
DHE-RSA-AES128-SHA256
DHE-RSA-CAMELLIA128-SHA
DHE-RSA-AES256-SHA
DHE-RSA-AES256-SHA256
DHE-RSA-CAMELLIA256-SHA
EDH-RSA-DES-CBC3-SHA
DHE-DSS-AES128-SHA
DHE-DSS-AES128-SHA256
DHE-DSS-CAMELLIA128-SHA
DHE-DSS-AES256-SHA
DHE-DSS-AES256-SHA256
DHE-DSS-CAMELLIA256-SHA
EDH-DSS-DES-CBC3-SHA
AES128-SHA
AES128-SHA256
CAMELLIA128-SHA
AES256-SHA
AES256-SHA256
CAMELLIA256-SHA
DES-CBC3-SHA
RC4-SHA
RC4-MD5

No ECDHE here, but DHE is above everything else. Surprisingly AES128 is first, followed by 3DES and only then AES256. No weak ciphers to be found here.

Debian Unstable

Kopete 4.10.5

ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA
SRP-DSS-AES-256-CBC-SHA
SRP-RSA-AES-256-CBC-SHA
DHE-DSS-AES256-GCM-SHA384
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-SHA256
DHE-DSS-AES256-SHA256
DHE-RSA-AES256-SHA
DHE-DSS-AES256-SHA
DHE-RSA-CAMELLIA256-SHA
DHE-DSS-CAMELLIA256-SHA
ECDH-RSA-AES256-GCM-SHA384
ECDH-ECDSA-AES256-GCM-SHA384
ECDH-RSA-AES256-SHA384
ECDH-ECDSA-AES256-SHA384
ECDH-RSA-AES256-SHA
ECDH-ECDSA-AES256-SHA
AES256-GCM-SHA384
AES256-SHA256
AES256-SHA
CAMELLIA256-SHA
ECDHE-RSA-DES-CBC3-SHA
ECDHE-ECDSA-DES-CBC3-SHA
SRP-DSS-3DES-EDE-CBC-SHA
SRP-RSA-3DES-EDE-CBC-SHA
EDH-RSA-DES-CBC3-SHA
EDH-DSS-DES-CBC3-SHA
ECDH-RSA-DES-CBC3-SHA
ECDH-ECDSA-DES-CBC3-SHA
DES-CBC3-SHA
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA
ECDHE-ECDSA-AES128-SHA
SRP-DSS-AES-128-CBC-SHA
SRP-RSA-AES-128-CBC-SHA
DHE-DSS-AES128-GCM-SHA256
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-SHA256
DHE-DSS-AES128-SHA256
DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA
DHE-RSA-SEED-SHA
DHE-DSS-SEED-SHA
DHE-RSA-CAMELLIA128-SHA
DHE-DSS-CAMELLIA128-SHA
ECDH-RSA-AES128-GCM-SHA256
ECDH-ECDSA-AES128-GCM-SHA256
ECDH-RSA-AES128-SHA256
ECDH-ECDSA-AES128-SHA256
ECDH-RSA-AES128-SHA
ECDH-ECDSA-AES128-SHA
AES128-GCM-SHA256
AES128-SHA256
AES128-SHA
SEED-SHA
CAMELLIA128-SHA
IDEA-CBC-SHA
ECDHE-RSA-RC4-SHA
ECDHE-ECDSA-RC4-SHA
ECDH-RSA-RC4-SHA
ECDH-ECDSA-RC4-SHA
RC4-SHA
RC4-MD5
EDH-RSA-DES-CBC-SHA
EDH-DSS-DES-CBC-SHA
DES-CBC-SHA
EXP-EDH-RSA-DES-CBC-SHA
EXP-EDH-DSS-DES-CBC-SHA
EXP-DES-CBC-SHA
EXP-RC2-CBC-MD5
EXP-RC4-MD5

I received two lists for Kopete, one from [@timb_machine](https://twitter.com/timb_machine) for Debian Unstable and one from Alex Xu on Gentoo. The list was the same except for IDEA-CBC-SHA, which was only on Alex’s list.

The same comments apply as with Gajim and Psi on Debian: the list starts out good with many modern features like GCM, SHA384 and ECHDE, but encryption strength is preferred over forward-secrecy and 3DES over AES128. It also includes a large number of EXPORT suites.

Ubuntu 12.04.3 LTS

Jitsi 2.2.4603.9615

RC4-MD5
RC4-MD5
RC4-SHA
AES128-SHA
AES256-SHA
ECDH-ECDSA-RC4-SHA
ECDH-ECDSA-AES128-SHA
RC4-MD5
ECDH-ECDSA-AES256-SHA
ECDH-RSA-RC4-SHA
ECDH-RSA-AES128-SHA
ECDH-RSA-AES256-SHA
ECDHE-ECDSA-RC4-SHA
IDEA-CBC-MD5
ECDHE-ECDSA-AES128-SHA
DES-CBC-MD5
ECDHE-ECDSA-AES256-SHA
DES-CBC3-MD5
ECDHE-RSA-RC4-SHA
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-SHA
DHE-RSA-AES128-SHA
DHE-RSA-AES256-SHA
DHE-DSS-AES128-SHA
DHE-DSS-AES256-SHA
DES-CBC3-SHA
DES-CBC3-MD5
ECDH-ECDSA-DES-CBC3-SHA
EXP-RC4-MD5
ECDH-RSA-DES-CBC3-SHA
ECDHE-ECDSA-DES-CBC3-SHA
ECDHE-RSA-DES-CBC3-SHA
EDH-RSA-DES-CBC3-SHA
EDH-DSS-DES-CBC3-SHA
DES-CBC-SHA
DES-CBC-MD5
EDH-RSA-DES-CBC-SHA
EDH-DSS-DES-CBC-SHA
EXP-RC4-MD5
EXP-RC4-MD5
EXP-DES-CBC-SHA
EXP-EDH-RSA-DES-CBC-SHA
EXP-EDH-DSS-DES-CBC-SHA

Zash sent the following list in for Jitsi on Ubuntu. It is… weird. The first two ciphers aren’t exactly the same (the first is for SSLv3, the second for SSLv2), but #8 is the SSLv2 RC4-MD5 again. It must want it really badly. AES256 is not excluded here, but the sorting does prefer RC4 over AES128 and AES128 over RC4. ECDHE suites are present, but prioritized below their non-ephemeral variants.

Weak ciphers are also included here, DES-CBC-MD5 even at a dangerously high place in the list.

Gentoo

MCabber 0.10.1

DHE-RSA-AES128-SHA
DHE-RSA-AES128-SHA256
DHE-RSA-CAMELLIA128-SHA
DHE-RSA-AES256-SHA
DHE-RSA-AES256-SHA256
DHE-RSA-CAMELLIA256-SHA
EDH-RSA-DES-CBC3-SHA
DHE-DSS-AES128-SHA
DHE-DSS-AES128-SHA256
DHE-DSS-CAMELLIA128-SHA
DHE-DSS-AES256-SHA
DHE-DSS-AES256-SHA256
DHE-DSS-CAMELLIA256-SHA
EDH-DSS-DES-CBC3-SHA
DHE-DSS-RC4-SHA
AES128-SHA
AES128-SHA256
CAMELLIA128-SHA
AES256-SHA
AES256-SHA256
CAMELLIA256-SHA
DES-CBC3-SHA
RC4-SHA
RC4-MD5

rullzer sent in this list with the ciphers of MCabber on Gentoo with OpenSSL 1.0.1c. Interesting about this list is that TLS 1.2 support is present (some use SHA256 for the MAC), yet no support for GCM. ECDHE support is also absent, but DHE suites do get priority over non-DHE. 128 bit AES/Camellia is preferred over those with 256 bit, but at least RC4 is at the very bottom here.

Android 4.3

The following result has been obtained with the Android emulator running 4.3. The results could be different for real phones.

GibberBot 0.0.11RC5/yaxim 0.8.6b/Xabber 0.2.29a/Beem 0.1.8

RC4-MD5
RC4-SHA
AES128-SHA
AES256-SHA
ECDH-ECDSA-RC4-SHA
ECDH-ECDSA-AES128-SHA
ECDH-ECDSA-AES256-SHA
ECDH-RSA-RC4-SHA
ECDH-RSA-AES128-SHA
ECDH-RSA-AES256-SHA
ECDHE-ECDSA-RC4-SHA
ECDHE-ECDSA-AES128-SHA
ECDHE-ECDSA-AES256-SHA
ECDHE-RSA-RC4-SHA
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-SHA
DHE-RSA-AES128-SHA
DHE-RSA-AES256-SHA
DHE-DSS-AES128-SHA
DHE-DSS-AES256-SHA
DES-CBC3-SHA
ECDH-ECDSA-DES-CBC3-SHA
ECDH-RSA-DES-CBC3-SHA
ECDHE-ECDSA-DES-CBC3-SHA
ECDHE-RSA-DES-CBC3-SHA
EDH-RSA-DES-CBC3-SHA
EDH-DSS-DES-CBC3-SHA
DES-CBC-SHA
EDH-RSA-DES-CBC-SHA
EDH-DSS-DES-CBC-SHA
EXP-RC4-MD5
EXP-DES-CBC-SHA
EXP-EDH-RSA-DES-CBC-SHA
EXP-EDH-DSS-DES-CBC-SHA

All 4 Android clients I checked offered the same list. Of course phones might have power-concerns but still this list is pretty bad. Ephemeral suites are listed below the non-ephemeral variant, a number of DES and EXPORT suites are included, RC4-MD5 is the first choice and 128-bit ciphers take priority over the 256-bit variants.

iOS 6.1

This has been tested with the iOS simulator and might therefore not match a real iPhone/iPad.

ChatSecure (git revision 17101703401ea09b887000fdddade2854f7dbdf9)

ECDHE-ECDSA-AES256-SHA384
ECDHE-ECDSA-AES128-SHA256
ECDHE-ECDSA-AES256-SHA
ECDHE-ECDSA-AES128-SHA
ECDHE-ECDSA-RC4-SHA
ECDHE-ECDSA-DES-CBC3-SHA
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA
ECDHE-RSA-AES128-SHA
ECDHE-RSA-RC4-SHA
ECDHE-RSA-DES-CBC3-SHA
ECDH-ECDSA-AES256-SHA384
ECDH-ECDSA-AES128-SHA256
ECDH-RSA-AES256-SHA384
ECDH-RSA-AES128-SHA256
ECDH-ECDSA-AES128-SHA
ECDH-ECDSA-AES256-SHA
ECDH-ECDSA-RC4-SHA
ECDH-ECDSA-DES-CBC3-SHA
ECDH-RSA-AES128-SHA
ECDH-RSA-AES256-SHA
ECDH-RSA-RC4-SHA
ECDH-RSA-DES-CBC3-SHA
AES256-SHA256
AES128-SHA256
AES128-SHA
RC4-SHA
RC4-MD5
AES256-SHA
DES-CBC3-SHA
DHE-RSA-AES128-SHA256
DHE-RSA-AES256-SHA256
DHE-RSA-AES128-SHA
DHE-RSA-AES256-SHA
EDH-RSA-DES-CBC3-SHA
ECDHE-ECDSA-NULL-SHA
ECDHE-RSA-NULL-SHA
ECDH-ECDSA-NULL-SHA
ECDH-RSA-NULL-SHA
NULL-SHA256
NULL-SHA
NULL-MD5

This list starts out really good, with ECDHE and SHA2 MACs. AES128 and 256 variants aren’t always ordered in the same way, but usually AES256 > AES128, similar to Messages. But the list ends really bad. The last couple of ciphers aren’t just weak, those are unencrypted. Your connection is still authenticated (you can notice if someone changes a message), but any eavesdropper can listen in. I really hope this is just a mistake in the iOS simulator and these ciphers don’t actually exist on an iPhone. Anyway, not something I’d expect from a client named “Secure”.

N900

Empathy

DHE-RSA-AES256-SHA
DHE-DSS-AES256-SHA
AES256-SHA
EDH-RSA-DES-CBC3-SHA
EDH-DSS-DES-CBC3-SHA
DES-CBC3-SHA
DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA
AES128-SHA
RC4-SHA
RC4-MD5
EDH-RSA-DES-CBC-SHA
EDH-DSS-DES-CBC-SHA
DES-CBC-SHA
EXP-EDH-RSA-DES-CBC-SHA
EXP-EDH-DSS-DES-CBC-SHA
EXP-DES-CBC-SHA
EXP-RC2-CBC-MD5
EXP-RC4-MD5

Zash sent in this list for Empathy on the Nokia N900. No ECDHE here either, but priority for DHE. Also here 3DES is sorted before AES128 and a number of weak ciphers are enabled.

Conclusion

Just like servers, many clients also include support for weak ciphers. Though they are always sorted at the bottom, it would be safer to not enable them. A mis-configured server or a new rollback attack could force clients to use these, making the connection appear encrypted to the user, but the attacker might be able to listen in in almost real time. (Edit: In the list Zash sent in of Jitsi on Ubuntu this no longer holds true, DES-CBC-MD5 is not at the bottom.)

ECDHE support is still quite rare, but every client supports at least DHE. These are not always sorted favorably, so a server that wants to promote forward-secrecy should disable non-ephemeral suites, or let the server enforce its own order.

Jitsi on Windows 8 is the only client not offering 256-bit encryption, so don’t disable that to improve your score unless you know nobody uses Jitsi.

In fact, Jitsi on OS X and all Android clients putting RC4-MD5 at the top make it look even better to turn a server enforced cipher ordering on, or at least disable RC4 completely.

AES GCM support is currently limited to Gajim an Psi on Linux and Windows.

Future work

If you have information from other clients, you can let me know. These can be found in Wireshark in the “Client Hello” message, search for the “Cipher Suite” field and right click “Copy > Bytes > Hex Stream”. You can email me at , please include the version of the client and your OS version.