XMPP Service Operators - 2017-02-20

hm, it seems the failure from the other day is related to my _xmpp-server._tcp SRV entry, which points to a different sub-domain

but this is the point of a SRV entry, and I fail to see how it could be a problem

hm

your SRV entry seems fine

I changed it

aha

I'll change it back

$ dig +short -t SRV _xmpp-server._tcp.sitedethib.com 10 0 5269 sitedethib.com.

I'm testing things

that's what I see

yeah

it was pointing to warp.sitedethib.com.

which is the same machine

compare to the jabber.org SRV: $ dig +short -t SRV _xmpp-server._tcp.jabber.org 31 30 5269 hermes2v6.jabber.org. 30 30 5269 hermes2.jabber.org.

my guess so far is that xmpp.net uses warp.sitedethib.com to check the certificate

which is obviously wrong

bbiaf, time for lunch here

ThibG: The SRV target is not used for certificate validation.

I have no idea what the issue is, then

sitedethib.com and warp.sitedethib.com happen to have the same A RRs

Except

https://q.zash.se/269bfe745c2f.txt there's no response

wait. what

it resolves just fine here

oh sorry

I made a mistake when changing back the RRs

should be better now

If the bare domain and the default port works then you don't strictly need SRV records at all

sure

it was just in case I switch to having different machines for my services

(which was actually the case some time ago)

I could get rid of the SRV RRs, but still, I don't understand what's going on

ThibG: I notice when typing `telnet warp.sitedethib.com 5269` that IPv6 was attempted first, but timed out. However, I'm pretty sure that the xmpp.net code has a fallback to IPv4 if IPv6 times out.

hm

unfortunately, I only have my server with IPv6 connectivity, and it obviously connects just fine to itself

sitedethib.com has the same IPv6 address too

anyway, I guess it doesn't fail at TCP level, but at TLS level, as it successfuly displays my server's version

stpeter, from here it works.

Maybe some pairing issue?

From both my home server (in Paris) and my company’s servers (in the UK).

Yeah it could be an ISP issue for me.

huh, should have changed the RRs' TTL beforehand…

Let me check from the machine where xmpp.net is running. ;-)

stpeter, thanks!

connected to IPv6 very quickly

both with and without `warp.`

so that's not the issue

my only bet is that it somehow checks the certificate against warp.sitedethib.com instead of sitedethib.com

No, the XMPP specs have always been clear on the fact that you don't check against the SRV pointer.

yeah, that's what I understand too, but I have no idea why xmpp.net kept failing with my SRV pointing to warp.sitedethib.com, and works now that it is pointing to sitedethib.com

In fact, Thijs and I (proprietors of xmpp.net) co-wrote the RFC on TLS checking in XMPP. ;-) https://datatracker.ietf.org/doc/rfc7590/

(should be pointing back to warp.sitedethib.com, now, but alas the TTL is huge)

let me see if I can find any logs on the machine that will provide some more information

ThibG: I believe it fetches the server version through jabber.org, not by itself.

So, it being able to display that has no relation to its ability to connect to your server

Zash: really? that doesn't sound familiar

Zash, oh, ok, I think I did see an incoming s2s connection from jabber.org at that time

stpeter: My memory says that it at least does a ping via a jabber.org account first

Zash: OK I will check the code for that, too

huh yeah imobservatory@jabber.org

I'd forgotten about that, I guess.

so now I log into the jabber.org machine and see what the logs there have to say in the matter :-)

thanks!

I see things like this: TLS conn IP=2001:910:1369:ffff::1 version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 secret-bits=256 processed-bits=256 compression="(None)" preliminary certificate verification failed

the last one of those was 40 minutes ago

hm, last failed xmpp.net test should be much older

I can retry a test, but I guess my working SRV RRs will still be in cache

nope, it's ok, the test is running against warp.sitedethib.com now

ThibG: this was on jabber.org, not xmpp.net

stpeter: I don't see any explicit IPv6 support, so what exactly it connects with depends on the LuaSocket version.

Zash: aha, interesting

https://xmpp.net/result.php?domain=sitedethib.com&type=server fails again

sigh

This thing where network libraries never do nice things like handle dualstack for you, such disappoint.

well

https://xmpp.net/result.php?domain=jabber.org&type=server

https://xmpp.net/result.php?domain=sitedethib.com&type=client is fine, though (other than that whole certificate thing).

still uses the old SRV

(sitedethib.com instead of warp.sitedethib.com)

re-running it, it fails the same way

TTLs?

ah

right

ok

both perseus (xmpp.net machine) and hermes2 (jabber.org machine) show warp in the SRV results

I guess I could regenerate a certificate with an additionnal warp.sitedethib.com subjectAltName to test my theory…

ThibG: How is the certificate going to affect it not being able to connect *at all*, or what problem is it you are trying to debug?

Zash, I have no idea what the problem is

Then how do you even know that there is a problem?

it should be able to connect regardless of whether the SRV is warp.sitedethib.com or sitedethib.com

when the SRV points to warp, it fails to connect, when it points to sitedethib.com, it doens't

but those have the same A/AAAA

Based on " Error: Connection failed. " happening with the IPv6 only jabber.org SRV target, and my knowledge that the XMPP library it uses does not support IPv6, I'm going to theorize that the problem is missing IPv6 support.

still, both warp.sitedethib.com and sitedethib.com have the same AAAA RR

I need to go heads-down on a task, bbiab.

let me try something else

I'm guessing it ends up relying on the OS-es DNS lookup, which I've noticed sometimes returns an error code that becomes a fatal error

ok

I'll add yet another sub-domain with only A RRs and make the SRV point to it, then

ah, I did not see the jabber.org test eventually succeeding

ThibG: yeah the tests can take quite a while - there is a lot to check and the script needs to back off sometimes so that it doesn't get disconnected for too many attempts (etc.)

anyway bbiab :-)

see you, and thanks for your help _o/

I wonder if I should split the SRVs into two sub-domains, one with only A RRs, then

Shouldn't be required

or just accept that xmpp.net may not be able to connect to my server :/

W: connect() to warp2.sitedethib.com.:5222 failed: Operation already in progress

That error

It's the subdomain I just added to try with only A RRs

I mean, that's likely the real error it gets when it says "Error: Connection failed"

I don't really know why, but it seems to happen sometimes when there's more than one IP address associated with a name.

hm… I've tried a bunch of times, though, and it *always* failed

oh ok

EALREADY The socket is nonblocking and a previous connection attempt has not yet been completed.

luasocket bug?

I don't know.

ok, well, thanks anyway

at least I now know it's TCP-IP related and not cert-related as I initially thought

Low-level socket fiddlery isn't my area of expertise.

https://github.com/diegonehab/luasocket/issues/99

ok, that's it, thanks!

I'll just drop the DNS round-robin thing, it's a hack with little value