-
MattJ
Bouncing prosody8
-
MattJ
fippo, awake?
-
MattJ
psyced-sasl doesn't like me
-
MattJ
Everything else seems to work
-
MattJ
Dec 10 01:44:05 s2souta052b68 debug Received[s2sout_unauthed]: <success xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
Dec 10 01:44:05 prosody8.xmpptest.com:saslauth debug SASL EXTERNAL with psyced-sasl.xmpptest.com succeeded
-
MattJ
but I don't receive a pong
-
MattJ
Ah
-
MattJ
It would help if I trusted the interop CA cert, wouldn't it? :)
-
Zash
This host does not serve notls.xmpptest.com
-
Zash
notls.xmpptest.com. 3600 IN A 89.16.172.47
-
Zash
^^
-
Zash
no srv
-
MattJ
Ah yes, thanks for reminding me
-
MattJ
!uptime matthewwild.co.uk
-
MattJ
!slap Kanchil
- Kanchil slaps Kanchil with large trout
-
MattJ
Actually I don't need to restart
-
Zash
!version
-
Kanchil
Zash: Kanchil is running Riddim version alpha on an unknown platform
-
Zash
MattJ: btw, that reminds me, Riddim has no !uptime plugin yet
-
Zash
!slap MattJ
- Kanchil slaps MattJ with large trout
-
Zash
And can do that ;)
-
MattJ
I'll have more time for even Riddim soon :)
-
Zash
Bot interop event! \o/ ... ;P
-
Kev
Right then, Friday.
-
remko
and still need to set up the servers of thursday :)
-
Kev
So, today's plan. Make servers require TLS, and require trusted and valid certs.
-
Kev
And if MattJ hasn't done notls yet, that still needs doing.
-
Kev
remko: Just notls?
-
remko
yes, and i still need an account on tigase (Florian?)
-
Kev
So the failures machines are all in place apart from expiredcert, which is presenting the wrong cert (although it's also expired), and notls.
-
steve.kille
Kev: I would have thought that expiredcert should be valid in every way, except that it has expired??
-
Kev
Yes.
-
Kev
That's why I said expiredcert isn't in place yet.
-
steve.kille
ah yes - can parse your sentence now!
-
Kev
expiredcert is in place now too.
-
badlop
yes, and ejabberd connects using tls to all of them :S
-
Kev
Well, that's one up from connecting without TLS to them :)
-
Dave Cridland
Right, I'll give it a run though.
-
Kev
We still don't have notls, but that's largely just interesting for the clients^h testing.
-
Kev
Given that we have Tigase.
-
Kev
tigasetrunk, rather
-
steve.kille
why do we need notls in addition to Tigase?
-
Kev
steve.kille: It would be good to test it against an XMPP server not offering TLS, as well as the legacy protocol.
-
Kev
But largely, it's so that the clients can test correct handling of not having TLS when PLAIN is the only available mech.
-
Dave Cridland
Okay, that's odd. I seem to be able to connect to everything except Tigase, and NoTls. So I suspect my settings are out, but I thought I'd checked them...
-
Kev
I haven't verified that the expired cert is actually expired, or that the revoked cert is actually revoked, mind.
-
Dave Cridland
It was yesterday.
-
Dave Cridland
And the expiredcert being expired forced us into using SodiumCA instead of OpenSSL to build the PKCS#12, if you recall.
-
Kev
Yes.
-
Dave Cridland
12/10 10:44:39 xmppd 21382 (root ) I-MBOX-Info Verifying certificate
12/10 10:44:39 xmppd 21382 (root ) I-MBOX-Info certificate (subject emailAddress=xmpp@revokedcert.xmpptest.com,OU=XMPP Department,O=Your Organisation,L=The Internet,C=GB,CN=revokedcert.xmpptest.com), detail (email=xmpp\\40revokedcert.xmpptest.com,ou=XMPP Department,o=Your Organisation,l=The Internet,c=GB,cn=revokedcert.xmpptest.com) error certificate has been revoked (unspecified reason)
12/10 10:44:39 xmppd 21382 (root ) N-MBOX-Notice TLS certificate verification failed
12/10 10:44:39 xmppd 21382 (root ) I-MBOX-Info successful setup of a receiving db connection from mlinktrunk.xmpptest.com to revokedcert.xmpptest.com
-
Dave Cridland
Right, so this is acting as if strong auth isn't required, which isn't right.
-
Dave Cridland
Re-running gives me the (internal) errors I'd expect. So we may have a bug with reloading, since I suspect the option simply didn't take.
-
Dave Cridland
So I'm not getting a connection (TCP level) to fippo's psyced-db or psyced-dwd at the moment. I'll give those another go later.
-
Dave Cridland
Otherwise, prosody8, ejabberd21, mlinkrelease, psyced-sasl all work, the rest fail.
-
Dave Cridland
Okay, psyced-db now works, but -dwd still gives me a connection refused.
-
fippo
psyced-db works? it should not currently
-
fippo
as both -db and -dwd are down
-
Dave Cridland
12/10 11:15:37 xmppd 21687 (root ) I-MBOX-Info Verifying certificate
12/10 11:15:37 xmppd 21687 (root ) I-MBOX-Info certificate (subject emailAddress=fippo@mail.symlynx.com,OU=hangtime department,O=hangtime,L=The Internet,C=DE,CN=psyced-db.xmpptest.com) verified ok
-
Dave Cridland
Pretty sure it's the right server I'm talking to.
-
fippo
oh wait... my bad
-
fippo
it's supposed to be down
-
Dave Cridland
Okay. Connecting securely to servers that aren't actually online would be quite a trick.
-
fippo
badlop: would you mind sending a from in the stream header?
-
badlop
yes, show me an example of problematic stream header
-
badlop
ok, patch applied and verified
-
fippo
thanks
-
badlop
yet another patch from interop to next release :)
-
fippo
that might even increase the chance of using sasl on the public network from 5% to 15%
-
Tobias
heh
-
Dave Cridland
badlop, I've a bunch of those too, now.
- fippo too
-
Dave Cridland
fippo, Reminds me - you should be seeing tls as <required/> by mlinktrunk now?
-
Kev
I'd say that would justify claiming the interop week has been a success, then.
-
Dave Cridland
In as much as we've got most things to work and fixed a bunch of bugs.
-
fippo
and we have a better plan how to organize the next interop event
-
steve.kille
What might be test targets in the next event?
-
Dave Cridland
steve.kille, Well, we still have a day on this one. I'm aiming to spend this afternoon seeing if I can get XEP-0288 to work with fippo's servers.
-
fippo
dave: whoop!
-
steve.kille
\o/
-
Dave Cridland
fippo, Do you have a XEP-0288 that'll accept non-TLS connections from anywhere? It'll speed up my testing.
-
steve.kille
Are these extras getting recorded in the Wiki?
-
fippo
dave: i'll change the config of -dwd so it doesn't require tls
-
fippo
dialback without dial-back worked quite well, too. So we just need someone to write it up :-)
-
Dave Cridland
steve.kille, The extras are getting recorded, but I've not written up the '198 testing that Matt and I did yesterday, mostly because I didn't stay to see it complete. But we certainly got close.
-
Dave Cridland
fippo, Yes. Don't you have a draft XEP?
-
Dave Cridland
fippo, I should have probably mentioned that mlinktrunk does dialback without dialback as well. I don't know if anyone actually used it, though.
-
fippo
dave: i think psyced-db should have been using it the last two days
-
Dave Cridland
fippo, Ah, good.
-
Dave Cridland
Right. So it must be time to implement XEP-0288, then.
-
Zash
!xep 288
-
Kanchil
Zash: XEP-0288: Bidirectional Server-to-Server Connections is Standards Track (Experimental, 2010-10-04) See: http://xmpp.org/extensions/xep-0288.html
-
Zash
Yes, it's already a week old, clearly it's time to implement it!! :D
-
will.thompson
Dave Cridland: your implementation of google:queue works perfectly. It did highlight that our keepalive pings are *way* too frequent though :p
-
Tobias
google:queue?
-
Dave Cridland
Tobias, Evil closed standard thing. But a good idea, so I've implemented it and started to draft a XEP.
-
Bob (BJ)
Anyone care to give me an account on their server so I can test my client?
-
MattJ
Does google:queue have client-facing controls?
-
Tobias
Dave Cridland: is that draft already published as a XEP?
-
Dave Cridland
MattJ, Yes,
-
Dave Cridland
Tobias, No.
-
Tobias
k
-
will.thompson
http://mail.jabber.org/pipermail/summit/2010-February/000528.html
-
Dave Cridland
Tobias, I need to write up both Google's implementation and a more standardsish one.
-
MattJ
Oh well, I have an implementation minus any controls
-
will.thompson
we hacked it into Gabble for the N900. It's particularly important on GTalk because, unless you engage it, they whitespace-ping you every 30 seconds, so even if you have a sensible interval between pings... you still wake up all the time
-
MattJ
Heh
-
Tobias
ahh, this thing, i remember it now :)
-
MattJ
Bob (BJ), xmpptest@prosody8.xmpptest.com, password xmpptest
-
MattJ
Kev, notls should be working since last night
-
Kev
Ah, great.
-
Kev
remko: ^
-
Bob (BJ)
You got an IP address for that. I don't seem to be able to resolve via DNS.
-
MattJ
Bob (BJ), does your client support SRV records?
-
MattJ
If not, interop failure #1 :)
-
will.thompson
Dave Cridland: ah, one catch. the version of Gabble on the N900 only looks for google:roster to trigger queue, not google:queue. (Google doesn't actually advertise the latter; I guess we only added that speculative check in a later version.) Annoying.
-
MattJ
Dave Cridland, fippo, anyone: any familiarity with "unhandled critical CRL extension"?
-
Dave Cridland
MattJ, I can ask the X.509 people. Any idea what the extension in question *is*?
-
MattJ
Looking at the certs, my suspicion is CRLissuer
-
MattJ
which is present in all the certs
-
MattJ
and OpenSSL prints <unknown> as its value when it prints the cert
-
Dave Cridland
I'll look into it - I suspect this is an issue with what Sodium's putting into the certs.
-
MattJ
Thanks
-
MattJ
How does it work for you? :)
-
MattJ
OpenSSL source comment:
-
MattJ
/* See if we have any critical CRL extensions: since we * currently don't handle any CRL extensions the CRL must be * rejected.
-
Dave Cridland
MattJ, We don't use OpenSSL for CRL checking, so we'd be affected in entirely different ways (if at all).
-
MattJ
Ah, ok
-
Dave Cridland
So if it's complaining about the CRL itself, then it has to be the CRL, not the certs.
-
fippo
mattj: I can look into that when I found out who _removed_ my crl code
-
remko
Kev, MattJ: thanks, i'll see if i can't connect to notls tonight
-
MattJ
Dave Cridland, no, I think it's the certs
-
MattJ
let me check
-
MattJ
Ah no, you may be right
-
Kev
remko: Well, you shouldn't be able to connect to it :)
-
remko
right
-
Dave Cridland
MattJ, Okay, so Sodium CA is inserting an extension into the CRL incorrectly.
-
MattJ
Yay
-
Dave Cridland
MattJ, If I understand correctly, the extension "MUST NOT" be there because the CRL is being issued directly by the CA, but as far as I can tell it's mandatory in every other case, so OpenSSL could run into issues potentially with other CAs.
-
MattJ
So it seems
-
MattJ
You can disable the check (which is what I've done for now), but that's clearly not ideal :)
-
fippo
mattj: verify error code 36?
-
MattJ
If that's X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION, yes
-
MattJ
Yes, 36
-
fippo
I get that too (but at least revokedcert. fails properly)
-
MattJ
but so do all the other certs, no?
-
fippo
yes, but revokedcert fails with X509_V_ERR_CERT_REVOKED at least
-
MattJ
fippo, what version of OpenSSL are you using?
-
fippo
mattj: it claims to be 0.9.8g but is probably debian pimped
-
Dave Cridland
MattJ, The only extension in the CRL itself that's critical is the Issuing DP - but that's optionally generated by Sodium CA. Just uncheck the box on the "Generate CRL..." dialog.
-
MattJ
Ok, thanks
-
MattJ
fippo, they changed the code in OpenSSL 1.x
-
MattJ
that comment now reads:
-
MattJ
/* The rules changed for this... previously if a CRL contained * unhandled critical extensions it could still be used to indicate * a certificate was revoked. This has since been changed since * critical extension can change the meaning of CRL entries. */
-
Kev
So, is there anything people need of me today?
-
Kev
Is there anything else we should have on the test plan? I'm fairly comfortable with both the server and client tests.
-
MattJ
Looks fine
-
Kev
MattJ: Just checking - is notls set to only offer PLAIN?
-
MattJ
Aha, good point - Prosody won't offer PLAIN on unencrypted connections either
-
MattJ
I'll set it to offer just PLAIN
-
fippo
Kev: for the next time I have some dialback failures - but I need to write them up and think about how to test them
-
Kev
fippo: That'd be great, thanks.
-
Kev
We can start planning the tests for next time as soon as we're done here, if you want.
-
MattJ
We should set up more tricky DNS situations next time
-
Zash
mixed A and SRV?
-
MattJ
Like testing correct SRV target selection
-
Kev
That's hard, but sure.
-
MattJ
and IDNA
-
Zash
and make a SRV query return a CNAME ?
-
MattJ
Kev, it's not really hard, is it?
-
Kev
Zash: That's not an interesting test, I think.
-
Kev
Something working against invalid input isn't as interesting as it failing against valid :)
-
fippo
zash: I wanted to test that, but bind won't do it anymore
-
Kev
Or am I missing a security consideration why that's worth testing?
-
Zash
Iduno, but I have a CNAME catch-all thingy :)
-
Zash
But IDN and IPv6
-
Kev
Both worth testing.
-
Dave Cridland
Zash, IDN with X.509 is particularly interesting. I know we fail that one right now.
-
fippo
IDN + x509 sounds like fun!
-
Zash
!ping nödåtgärd.se
-
MattJ
+1
-
Zash
aw
-
Kanchil
Zash: Pong from nödåtgärd.se in 7.021 seconds
-
MattJ
:D
-
MattJ
UTF8 processing overhead? :)
-
Kev
BTW Zash / MattJ, I upgraded Kanchil
-
Zash
!version
-
Kanchil
Zash: Kanchil is running Riddim version alpha on an unknown platform
-
Zash
Kev: You say?
-
MattJ
I guess I should go and fix verse, riddim and clix to squish with the latest Prosody repo
-
Zash
:)
-
Zash
Also, latest says "I am running .."
-
Kev
Zash: Well, I should have updated.
-
Kev
I certainly tried to.
-
MattJ
did you hg pull -u? :)
-
MattJ
I think git updates the working copy by default when you pull
-
MattJ
hg doesn't
-
Kev
Gotcha.
-
Zash
MattJ: git, true
-
MattJ
hg up
-
Zash
hg pull says you should do hg up iirc
-
MattJ
Bouncing prosody8
-
MattJ
fippo, have you broken -db and -dwd? :)
-
MattJ
I can't see the stream header you send, but Prosody is rejecting your stream:features, with "unbound prefix"
-
fippo
mattj: -db is down and I just changed sth in -dwd (which is mostly for dave)
-
MattJ
Apt
- Zash wants a SRV aware netcat :/
-
MattJ
Zash, "clix raw"
-
MattJ
kind of
-
fippo
mattj: -dwd should work again
-
fippo
(not sure how it behaves in that test though :-)
-
Zash
MattJ: ohrly
-
MattJ
Zash, it does XMPP auth for you, then acts as telnet
-
Zash
MattJ: But, for testing non-xmpp things :)
-
MattJ
How would SRV help then? :)
-
Dave Cridland
(14:32:34) Send (217) <?xml version='1.0'?><stream:stream xmlns='jabber:server' xmlns:db='jabber:server:dialback' xmlns:stream='http://etherx.jabber.org/streams' to='psyced-dwd.xmpptest.com' from='puncture.dave.cridland.net' version='1.0'>
(14:32:34) Recv (222) <stream:features><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/><switch xmlns='http://switch.psyced.org'><scheme>psyc</scheme></switch><dialback xmlns='urn:xmpp:features:dialback'><errors/></dialback></stream:features>
(14:32:34) Send (102) <stream:error><bad-format xmlns='urn:ietf:params:xml:ns:xmpp-streams'/></stream:error></stream:stream>
-
fippo
dave: fixed already
-
Dave Cridland
fippo, No, still like that.
-
MattJ
+1
-
fippo
ah... restarted the wrong server
-
MattJ
Heh
-
MattJ
I'm terrified I'm going to bounce prosody.im by mistake before the day is out
-
Dave Cridland
MattJ, Yeah, I'm glad I'm far, far away from isode.com.
-
MattJ
Bouncing prosody8, this time with mod_dialback unloaded just to make sure :)
-
MattJ
Dave Cridland, M-Link does dialback even with EXTERNAL?
-
Dave Cridland
MattJ, I just noticed that. :-)
-
Dave Cridland
MattJ, But the answer is that M-Link doesn't really overly care about how it authenticates to you, or indeed how you want to authenticate to it - it'll just care that it can authenticate you.
-
MattJ
You mean as long as I have a valid cert I could say <message><body>Hey, I'm prosody.im</body></message>? :)
-
MattJ
if I remove dialback from the stream header will it use EXTERNAL?
-
Dave Cridland
It will. But I've swapped around the processing order for features, so I'll update it shortly to use EXTERNAL.
-
MattJ
ok
-
MattJ
There's something up
-
MattJ
I'm not getting any pongs for my pings to mlinktrunk
-
MattJ
but Prosody reckons both s2s streams are up and running
-
Dave Cridland
I just bounced it, actually.
-
Dave Cridland
Now supporting a (very weakly tested) XEP-0288 Bidi.
-
Dave Cridland
As well as (I think) preferring to do EXTERNAL over dialback. Although that's obviously slower, so perhaps I should switch back.
-
MattJ
Eh? :)
-
Dave Cridland
EXTERNAL has more round-trips.
-
MattJ
Are you sure?
-
Dave Cridland
MattJ, With d-w-d, then yes.
-
MattJ
Cheat
-
Dave Cridland
MattJ, You say "cheat", I say "optimized".
-
MattJ
I'm still getting no pong
-
MattJ
Maybe it's my fault, same with ejabberd
-
fippo
I still get pongs from trunk
-
Dave Cridland
Just bouncing it to clear everything, then I'll try.
-
Dave Cridland
OK, something really odd going on... I've got to do the school run again, but we'll figure it out when I get back.
-
MattJ
k
-
MattJ
The world falls apart without dialback :)
-
fippo
it doesn't without EXTERNAL :-)
-
MattJ
Quite :)
-
fippo
so the path is clear
-
MattJ
Plus d-w-d should be trivial to implement
-
fippo
btw: if you're bored you could implement bidi
-
MattJ
I'd like to get 198 working first
-
MattJ
then I shall
-
Dave Cridland
MattJ, Most of my bidi implementation time was thinking "But that can't be all it is..."
-
MattJ
Dave Cridland, I do think it should be really easy to implement, especially in Prosody
-
MattJ
all our code sends stanzas to the incoming s2s stream
-
MattJ
just Prosody redirects it at the last minute
-
MattJ
bidi would just turn off the redirection
-
fippo
dave: same for me
-
fippo
there is a tricky thing about not sending db:verify on the same connection where I am not sure if this works as expected - but you should not have that problem
-
fippo
since you're doing dialback-3
-
Dave Cridland
OK, I think I've fixed that issue.
-
Dave Cridland
MattJ, You should be able to ping me now. Turns out that once it'd done the stream restart, it basically sat waiting, instead of deciding the stream was setup.
-
MattJ
Dialback is enabled again so I can test 198
-
MattJ
it should be enabling on outgoing streams now
-
Dave Cridland
MattJ, I'm doing EXTERNAL again, or should be.
-
Dave Cridland
Just bouncing that server yet again - I've been meaning to apply a patch that should stop an irritating crash.
-
Dave Cridland
Oh, gosh, that's odd. :-)
-
Dave Cridland
So, I'm now doing EXTERNAL again, and actually carrying on, only I'm *also* doing dialback. Whoops. :-)
-
MattJ
:)
-
Dave Cridland
*sigh* I'm still doing that. Which is very annoying. But on the plus side, you're still not enabling 198, so I don't feel quite so bad.
-
stpeter
heh
-
fippo
dave: the solution is to remove any EXTERNAL related code :-)
-
Dave Cridland
fippo, I know, I know. I'll make it an option, soon enough.
-
Dave Cridland
fippo, But the standard says we must, so we must.
- stpeter prepares to submit revised versions of 3920bis and xmpp-address
-
steve.kille
Dave Cridland/fippo - sounds like the standards need fixing
-
steve.kille
We have way too many handshakes as it is, and getting rid of the SASL handshakes for single connection secure S2S sounds like a sensible standardization objective
-
steve.kille
stpeter: what do you think?
-
Dave Cridland
steve.kille, Not so much fixing, as we need to document d-w-d properly, and ensure that it's perceived as acceptable.
-
stpeter
I think I don't want to make more changes to 3920bis at this moment for fear of introducing too many perturbations late in the process :)
-
steve.kille
Although helpful now, I am not sure the d-w-d name will be helpful long term
-
Dave Cridland
Ah, success. Now only authenticating once.
-
stpeter
but I suggest that we complete more interop testing over the next 12 months, submit an implementation report based on the feature set in 3920bis, then rev the document again (hopefully after we have the address format fixed)
-
Dave Cridland
MattJ, So, I'm now fixed. Are you waiting until you've got a resource bound before enabling 198? That might be problematic on S2S.
-
steve.kille
stpeter: sounds like a reasonable plan to me
-
MattJ
Dave Cridland, hmm, I don't think so - hold
-
stpeter
there are enough changes between 3920 and 3920bis that I think continued interop testing and deployment feedback will be productive
-
stpeter
while we work in parallel on those thorny internationalization issues
-
MattJ
stpeter, I suspect future versions might (reference a) document about dialback-without-dialback :)
-
steve.kille
can we have a new name for it?
-
MattJ
dwd is good, isn't it Dave? :)
-
stpeter
MattJ: that would be good, I think -- based on what little I've read about it, which is only Dave's blog post
-
MattJ
I don't think anyone else has had a XEP named after them before
-
fippo
dave: actually, what would happen if I tried to do EXTERNAL twice on a single stream (i.e. multiple authentications)?
-
MattJ
I need to figure out what protocol mattj is an acronym for
- stpeter has been tempted to define an extension whose acronym is "PSA" :)
-
MattJ
!xep 198
-
Kanchil
MattJ: XEP-0198: Stream Management is Standards Track (Draft, 2010-03-05) See: http://xmpp.org/extensions/xep-0198.html
-
MattJ
Dave Cridland, missing xmlns declaration - looks a lot healthier now
-
Dave Cridland
fippo, We'd drop the stream.
-
Dave Cridland
MattJ, Ew.... I've just noticed I'm requesting acks even when I'm only writing to the stream to ack... That's nasty. I'll fix that.
-
fippo
Dave: damn - but that would only allow negotiating multiple source domains anyway
-
MattJ
Hmm
-
MattJ
Someone doing piggybacking asking for another remote domain - I'm not sure I'd considered that
-
fippo
mattj: "target piggybacking"? haven't seen that outside my lab
-
Dave Cridland
Oops. My experiment with source piggybacking is not going all that well.
-
Dave Cridland
I seem to be piggybacking my MUC domain around 6 times a second.
-
Dave Cridland
Does that make the authentication stronger?
-
MattJ
:)
-
MattJ
Did you get my responses to your 198 message(s)?
-
Dave Cridland
MattJ, Yes, but they came through to my Gajim, of course.
-
MattJ
Dave Cridland, so all is well?
- badlop is halfway implementing cert verification in ejabberd, and hopes the (notls|expiredcert|mismatchcert|revokedcert|selfcert).xmpptest.com servers will be up a pair of days more
-
fippo
badlop: selfsigned should be easy to find on public servers - CN=ejabberd is the most common certificate :-)
-
MattJ
:)
-
MattJ
Feel free to shoot on sight the admin of any server with CN="Prosody Example Certificate", that's expired, and self-signed
-
MattJ
except for me
-
Zash
Hah
-
MattJ
Wait... ejabberd doesn't do EXTERNAL already?
-
MattJ
I was sure it did
-
fippo
no, it gets offered external but does not use it yet
-
Dave Cridland
MattJ, I thought it did too - I'm sure I remember testing mine against jabber.org when it was ejabberd.
-
MattJ
There was someone in jabber@ once
-
MattJ
They ran a public server using ejabberd
-
Dave Cridland
Your poetry is useless. Doesn't even rhyme.
-
MattJ
They were doing some testing on their laptop, and span up a test instance with their user db
-
MattJ
behind a firewalled NAT, they claimed their ejabberd instance had sent out unsubscribes on behalf of their domain
-
MattJ
they had the certs configured on their laptop, we put it down to EXTERNAL
-
fippo
mattj: you still want to update the wiki
-
MattJ
Mmm, yes
-
MattJ
I didn't conclude my testing because of the number of issues I had when I stopped advertising dialback :)
-
MattJ
Maybe I just shouldn't do that
-
MattJ
Heh
-
fippo
yeah... I wonder if I should have failed ejabberd actually...
-
fippo
but it was worthy enough to get offered external
-
fippo
I guess that is one of the points we should specify more clearly next time
- fippo wonders if we will have to test xep-0238
-
MattJ
Any 1.0 server capable of TLS can be offered external
-
MattJ
and TLS was tested yesterday, no? :)
-
fippo
well... xep 0178 has this "only offer it if it will succeed" rule
-
MattJ
Sure, but that's not a function of the implementation, but of the cert it uses
-
fippo
which is good because if the peer attempts external and this fails this will increase roundtrips
-
Dave Cridland
fippo, Right, I have a slightly better variant on my source-piggybacking attempt - can I point it at (one of the) psyced-* servers to test?