Implement TLSv1.1+ encryption
I'm (@alexander-pace) starting this ticket to track some server-side and client-side changes I had to make to get it to work.
Client-side: This was pretty easy. This commit changes the ssl protocol to TLSv1.1. Curiously, even though ssl was being imported, it wasn't being used to set the protocol anywhere in the code. Also, SleekXMPP had the default protocol set to ssl.PROTOCOL_SSLv23, and according to the docs:
#: Default ssl_version is ``PROTOCOL_SSLv23``, but despite the name,
#: ``PROTOCOL_SSLv23`` means to enable all possible SSL/TLS versions.
#: In addition, SSLv2 & SSLv3 is insecure, we have explictly disabled
#: them during the connections, which is considered as the best practice.
#: Thus, ironically, ``PROTOCOL_SSLv23`` enables everything except SSLv2/3.
But, despite that, when disabling TLSv1 in the server settings (see below), LVAlert with sleekxmpp would not connect unless explicitly setting the ssl.protocol to TLSV1_1.
Server-side: As far as I can tell, there are two settings that need to be changed. The first is under Advanced security settings; uncheck every protocol except TLSv1.1 and TLSv1.2:
And then change the system property xmpp.socket.ssl.client.certificate.accept-selfsigned to true:
It was initially set to false by default. I have no idea how this was working before now.
Either way, forcing encryption >= TLSv1.1 allows the sleekxmpp clients to work, but breaks the overseer. So, I disabled this for now until I figure out how to fix that.
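The difference between pinning a client to TLSv1.1 and using TLSv1.1 as a floor, against a server that allows only TLSv1.1 and TLSv1.2, is shown in this added example (not code from this ticket, LVAlert or SleekXMPP). It uses only Python's standard `ssl` module and models configuration without opening a connection; the helper names and the `SERVER` set are assumptions made for illustration.

```python
import ssl
import warnings

# Ordered oldest to newest: (label, TLSVersion bound, per-version disable flag).
VERSIONS = [
    ("TLSv1", ssl.TLSVersion.TLSv1, ssl.OP_NO_TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1, ssl.OP_NO_TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2, ssl.OP_NO_TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3, ssl.OP_NO_TLSv1_3),
]

def client_context(lowest, highest=ssl.TLSVersion.MAXIMUM_SUPPORTED):
    """Client context limited to [lowest, highest]; certificate checks stay on."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    with warnings.catch_warnings():
        # Newer Pythons emit a DeprecationWarning for bounds below TLSv1.2.
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = lowest
        ctx.maximum_version = highest
    return ctx

def offered_versions(ctx):
    """Versions the context is configured to offer (bounds and OP_NO_* flags).
    OpenSSL security-level policy is not visible here and may narrow this."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    out = []
    for label, version, off_flag in VERSIONS:
        if lo != ssl.TLSVersion.MINIMUM_SUPPORTED and version < lo:
            continue
        if hi != ssl.TLSVersion.MAXIMUM_SUPPORTED and version > hi:
            continue
        if ctx.options & off_flag:
            continue
        out.append(label)
    return out

def negotiated(ctx, server_allows):
    """Highest version both sides enable, or None if there is no overlap."""
    common = [v for v in offered_versions(ctx) if v in server_allows]
    return common[-1] if common else None

# Constructed sample: the two protocols left checked on the server in this ticket.
SERVER = {"TLSv1.1", "TLSv1.2"}
pinned = client_context(ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_1)
floor = client_context(ssl.TLSVersion.TLSv1_1)
tls10_only = client_context(ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1)
```

A pinned client settles on TLSv1.1 even though the server also enables TLSv1.2, while the floor configuration picks TLSv1.2; a TLSv1-only client has no overlap with the server and cannot connect.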