This service enables XMPP users and server administrators to inspect the security of their servers. It can test the TLS configuration and the DNSSEC deployment of XMPP servers, give warnings about issues with certificate chains, show the list of ciphersuites used by a server and their strength, check DANE records, and many more.
Every server is given a grade from A to F, both for its client-to-server and its server-to-server TLS configuration. The grades are based on the same principles as the tests of SSL Labs; see https://www.ssllabs.com/projects/rating-guide/index.html for details. Scoring 100 on every test is not the goal: this will lead to incompatibility with many XMPP clients. Scoring an A, on the other hand, does not mean that security cannot be improved. For instance: mandatory channel encryption, forward secrecy, and DNSSEC do not (yet) count toward the grade.
The backend of this service is provided by XMPPoke, which can be found on https://bitbucket.org/xnyhps/xmppoke.
The test needs to make a large number of connections to the server to determine what it supports: one connection for every TLS version, one for every cipher suite it supports, and some more for the other tests, such as determining whether the server honors the client's cipher order. Making 30 connections to the server is not uncommon.
During development it was observed that some servers require very strict rate limiting. Only by waiting 15 seconds between connection attempts was it possible to stay under these limits. The test is therefore expected to take around 8 minutes. This is repeated for every SRV record of the server.

How do I improve my Certificate score?
The certificate score is either 0, for untrusted or invalid certificates, or 100. Scoring a 0 means your grade is capped to “F”. To obtain 100, you need a certificate that is trusted and valid for your XMPP domain. See Let’s Encrypt for free XMPP certificates.

How do I improve my Public key score?
The public key score depends on two factors: the size of your RSA key pair and whether any cipher suites are enabled that don't use this key.
| RSA key size (bits) | Score |
|---------------------|-------|
| 1 - 511             | 20    |
| 512 - 1023          | 40    |
| 1024 - 2047         | 80    |
| 2048 - 4095         | 90    |
Enabling an anonymous DH cipher suite (ADH) caps your public key score to 0, as these do not use a public key for authentication. Enabling EXPORT cipher suites caps your score to 40, as these use an ephemeral 512-bit RSA key.
RSA keys larger than 4096 bits have known compatibility problems, notably with OpenSSL.

How do I improve my Protocol score?
Your protocol score is the average of the score for the lowest and the highest protocol you support. This means you have two ways of increasing your score: disabling older protocols and adding new ones. Note that it is recommended to keep support for TLS 1.0 for compatibility.
Your cipher score is the average of the score of the cipher suite with the smallest key and the cipher suite with the largest key. Note that it is recommended to keep support for 128-bit AES for compatibility.
| Key length (bits) | Example cipher suites               | Score |
|-------------------|-------------------------------------|-------|
| 0 - 127           | DES, EXPORT-*                       | 20    |
| 128 - 255         | AES128, RC4, CAMELLIA128, 3DES      | 80    |
| ≥ 256             | AES256, CAMELLIA256                 | 100   |
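The public key and cipher scoring rules above, worked through in code. This is an added example, not XMPPoke's own implementation: the cipher suite list and the sample server configuration are constructed, and the 100 points for keys of 4096 bits and up is an assumption (the table on this page stops at 4095).

```python
"""Worked example of the public key and cipher score rules described above."""
from dataclasses import dataclass

# Public key score by RSA modulus size, from the table above. The final row
# (4096 bits and up -> 100) is an assumption; the page's table ends at 4095.
RSA_KEY_SCORES = [(511, 20), (1023, 40), (2047, 80), (4095, 90), (float("inf"), 100)]

# Cipher score by symmetric key length, from the table above.
CIPHER_KEY_SCORES = [(127, 20), (255, 80), (float("inf"), 100)]


def lookup(bits, table):
    """Return the score of the first table row whose upper bound covers `bits`."""
    for upper_bound, score in table:
        if bits <= upper_bound:
            return score
    raise ValueError(f"no score for {bits} bits")


@dataclass
class CipherSuite:
    name: str
    key_bits: int             # symmetric key length of the suite
    anonymous: bool = False   # anonymous DH (ADH): no public key authentication
    export: bool = False      # EXPORT-grade suite: ephemeral 512-bit RSA


def public_key_score(rsa_bits, suites):
    """Key-size score, capped to 0 by any ADH suite and to 40 by any EXPORT suite."""
    score = lookup(rsa_bits, RSA_KEY_SCORES)
    if any(s.anonymous for s in suites):
        score = min(score, 0)
    if any(s.export for s in suites):
        score = min(score, 40)
    return score


def cipher_score(suites):
    """Average of the scores of the weakest-key and strongest-key enabled suites."""
    weakest = min(suites, key=lambda s: s.key_bits)
    strongest = max(suites, key=lambda s: s.key_bits)
    return (lookup(weakest.key_bits, CIPHER_KEY_SCORES)
            + lookup(strongest.key_bits, CIPHER_KEY_SCORES)) / 2


# Constructed sample: a 2048-bit RSA key with one leftover EXPORT suite enabled.
SAMPLE_SUITES = [CipherSuite("AES128-SHA", 128), CipherSuite("AES256-SHA", 256),
                 CipherSuite("EXP-DES-CBC-SHA", 40, export=True)]
# The same server after removing the EXPORT suite.
HARDENED_SUITES = [s for s in SAMPLE_SUITES if not s.export]

if __name__ == "__main__":
    print(public_key_score(2048, SAMPLE_SUITES), cipher_score(SAMPLE_SUITES))      # 40 60.0
    print(public_key_score(2048, HARDENED_SUITES), cipher_score(HARDENED_SUITES))  # 90 90.0
```

Dropping the single EXPORT suite lifts the public key score from 40 to 90 and the cipher score from 60 to 90, which is why one forgotten legacy suite can dominate the grade.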