interop - 2010-12-10

  1. steve.kille has left

  2. steve.kille has joined

  3. steve.kille has left

  4. steve.kille has joined

  5. Florob has joined

  6. Florob has left

  7. MattJ

    Bouncing prosody8

  8. MattJ

    fippo, awake?

  9. MattJ

    psyced-sasl doesn't like me

  10. MattJ

    Everything else seems to work

  11. MattJ

    Dec 10 01:44:05 s2souta052b68 debug Received[s2sout_unauthed]: <success xmlns='urn:ietf:params:xml:ns:xmpp-sasl'> Dec 10 01:44:05 debug SASL EXTERNAL with succeeded

  12. MattJ

    but I don't receive a pong

  13. MattJ


  14. MattJ

    It would help if I trusted the interop CA cert, wouldn't it? :)

  15. Zash

    This host does not serve

  16. Zash 3600 IN A

  17. Zash


  18. Zash

    no srv

  19. MattJ

    Ah yes, thanks for reminding me

  20. MattJ


  21. MattJ

    !slap Kanchil

  22. Kanchil slaps Kanchil with large trout

  23. MattJ

    Actually I don't need to restart

  24. Zash


  25. Kanchil

    Zash: Kanchil is running Riddim version alpha on an unknown platform

  26. Zash

    MattJ: btw, that reminds me, Riddim has no !uptime plugin yet

  27. Zash

    !slap MattJ

  28. Kanchil slaps MattJ with large trout

  29. Zash

    And can do that ;)

  30. MattJ

    I'll have more time for even Riddim soon :)

  31. Zash

    Bot interop event! \o/ ... ;P

  32. Zash has left

  33. Zash has joined

  34. Zash has left

  35. Zash has joined

  36. Zash has left

  37. Zash has joined

  38. Zash has left

  39. MattJ has left

  40. steve.kille has left

  41. steve.kille has joined

  42. steve.kille has left

  43. remko has joined

  44. remko has left

  45. tuomas has joined

  46. remko has joined

  47. Kev

    Right then, Friday.

  48. remko

    and still need to set up the servers of Thursday :)

  49. Kev

    So, today's plan. Make servers require TLS, and require trusted and valid certs.

  50. Kev

    And if MattJ hasn't done notls yet, that still needs doing.

  51. Kev

    remko: Just notls?

  52. remko

    yes, and i still need an account on tigase (Florian?)

  53. Kev

    So the failures machines are all in place apart from expiredcert, which is presenting the wrong cert (although it's also expired), and notls.

  54. steve.kille has joined

  55. steve.kille

    Kev: I would have thought that expiredcert should be valid in every way, except that it has expired??

  56. Kev


  57. Kev

    That's why I said expiredcert isn't in place yet.

  58. Tobias has joined

  59. steve.kille

    ah yes - can parse your sentence now!

  60. Flo has joined

  61. badlop has joined

  62. Kev has left

  63. Kev has joined

  64. Kev

    expiredcert is in place now too.

  65. badlop

    yes, and ejabberd connects using tls to all of them :S

  66. Kev

    Well, that's one up from connecting without TLS to them :)

  67. Dave Cridland

    Right, I'll give it a run though.

  68. Kev

    We still don't have notls, but that's largely just interesting for the clients^h testing.

  69. Kev

    Given that we have Tigase.

  70. Kev

    tigasetrunk, rather

  71. steve.kille

    why do we need notls in addition to Tigase?

  72. Kev

    steve.kille: It would be good to test it against an XMPP server not offering TLS, as well as the legacy protocol.

  73. Kev

    But largely, it's so that the clients can test correct handling of not having TLS when PLAIN is the only available mech.

  74. Dave Cridland

    Okay, that's odd. I seem to be able to connect to everything except Tigase, and NoTls. So I suspect my settings are out, but I thought I'd checked them...

  75. Kev

    I haven't verified that the expired cert is actually expired, or that the revoked cert is actually revoked, mind.

  76. Dave Cridland

    It was yesterday.

  77. Dave Cridland

    And the expiredcert being expired forced us into using SodiumCA instead of OpenSSL to build the PKCS#12, if you recall.

  78. Kev


  79. Dave Cridland

    12/10 10:44:39 xmppd 21382 (root ) I-MBOX-Info Verifying certificate 12/10 10:44:39 xmppd 21382 (root ) I-MBOX-Info certificate (subject emailA,OU=XMPP Department,O=Your Organisation,L=The Internet,C=GB,, detail (email=xmpp\\40revokedcert.,ou=XMPP Department,o=Your Organisation,l=The Internet,c=GB,cn=revok error certificate has been revoked (unspecified reason) 12/10 10:44:39 xmppd 21382 (root ) N-MBOX-Notice TLS certificate verification failed 12/10 10:44:39 xmppd 21382 (root ) I-MBOX-Info successful setup of a receiving db connection from to

  80. Dave Cridland

    Right, so this is acting as if strong auth isn't required, which isn't right.

  81. Dave Cridland

    Re-running gives me the (internal) errors I'd expect. So we may have a bug with reloading, since I suspect the option simply didn't take.

  82. Dave Cridland

    So I'm not getting a connection (TCP level) to fippo's psyced-db or psyced-dwd at the moment. I'll give those another go later.

  83. Dave Cridland

    Otherwise, prosody8, ejabberd21, mlinkrelease, psyced-sasl all work, the rest fail.

  84. Dave Cridland

    Okay, psyced-db now works, but -dwd still gives me a connection refused.

  85. fippo

    psyced-db works? it should not currently

  86. fippo

    as both -db and -dwd are down

  87. Dave Cridland

    12/10 11:15:37 xmppd 21687 (root ) I-MBOX-Info Verifying certificate 12/10 11:15:37 xmppd 21687 (root ) I-MBOX-Info certificate (subject emailA,OU=hangtime department,O=hangtime,L=The Internet,C=DE, verified ok

  88. Dave Cridland

    Pretty sure it's the right server I'm talking to.

  89. fippo

    oh wait... my bad

  90. fippo

    it's supposed to be down

  91. Dave Cridland

    Okay. Connecting securely to servers that aren't actually online would be quite a trick.

  92. fippo

    badlop: would you mind sending a from in the stream header?

  93. badlop

    yes, show me an example of problematic stream header

  94. Florob has joined

  95. badlop

    ok, patch applied and verified

  96. fippo


  97. badlop

    yet another patch from interop to next release :)

  98. fippo

    that might even increase the chance of using sasl on the public network from 5% to 15%

  99. Tobias


  100. Dave Cridland

    badlop, I've a bunch of those too, now.

  101. Dave Cridland has left

  102. Dave Cridland has joined

  103. fippo too

  104. Dave Cridland

    fippo, Reminds me - you should be seeing tls as <required/> by mlinktrunk now?

  105. Kev

    I'd say that would justify claiming the interop week has been a success, then.

  106. Dave Cridland

    In as much as we've got most things to work and fixed a bunch of bugs.

  107. fippo

    and we have a better plan how to organize the next interop event

  108. steve.kille

    What might be test targets in the next event?

  109. Dave Cridland

    steve.kille, Well, we still have a day on this one. I'm aiming to spend this afternoon seeing if I can get XEP-0288 to work with fippo's servers.

  110. fippo

    dave: whoop!

  111. steve.kille


  112. Dave Cridland

    fippo, Do you have a XEP-0288 that'll accept non-TLS connections from anywhere? It'll speed up my testing.

  113. steve.kille

    Are these extras getting recorded in the Wiki?

  114. fippo

    dave: i'll change the config of -dwd so it doesn't require tls

  115. fippo

    dialback without dial-back worked quite well, too. So we just need someone to write it up :-)

  116. Dave Cridland

    steve.kille, The extras are getting recorded, but I've not written up the '198 testing that Matt and I did yesterday, mostly because I didn't stay to see it complete. But we certainly got close.

  117. Dave Cridland

    fippo, Yes. Don't you have a draft XEP?

  118. Dave Cridland

    fippo, I should have probably mentioned that mlinktrunk does dialback without dialback as well. I don't know if anyone actually used it, though.

  119. Zash has joined

  120. fippo

    dave: i think psyced-db should have been using it the last two days

  121. Dave Cridland

    fippo, Ah, good.

  122. Flo has left

  123. Bob (BJ) has joined

  124. Dave Cridland

    Right. So it must be time to implement XEP-0288, then.

  125. will.thompson has joined

  126. Florian has left

  127. will.thompson has left

  128. Zash

    !xep 288

  129. Kanchil

    Zash: XEP-0288: Bidirectional Server-to-Server Connections is Standards Track (Experimental, 2010-10-04) See:

  130. Zash

    Yes, it's already a week old, clearly it's time to implement it!! :D

  131. MattJ has joined

  132. will.thompson has joined

  133. will.thompson

    Dave Cridland: your implementation of google:queue works perfectly. It did highlight that our keepalive pings are *way* too frequent though :p

  134. Tobias


  135. Dave Cridland

    Tobias, Evil closed standard thing. But a good idea, so I've implemented it and started to draft a XEP.

  136. Bob (BJ)

    Anyone care to give me an account on their server so I can test my client?

  137. MattJ

    Does google:queue have client-facing controls?

  138. Tobias

    Dave Cridland: is that draft already published as a XEP?

  139. Dave Cridland

    MattJ, Yes,

  140. Dave Cridland

    Tobias, No.

  141. Tobias


  142. will.thompson

  143. Dave Cridland

    Tobias, I need to write up both Google's implementation and a more standardsish one.

  144. MattJ

    Oh well, I have an implementation minus any controls

  145. will.thompson

    we hacked it into Gabble for the N900. It's particularly important on GTalk because, unless you engage it, they whitespace-ping you every 30 seconds, so even if you have a sensible interval between pings... you still wake up all the time

  146. MattJ


  147. Tobias

    ahh, this thing, i remember it now :)

  148. MattJ

    Bob (BJ),, password xmpptest

  149. MattJ

    Kev, notls should be working since last night

  150. Kev

    Ah, great.

  151. Kev

    remko: ^

  152. Bob (BJ)

    You got an IP address for that. I don't seem to be able to resolve via DNS.

  153. MattJ

    Bob (BJ), does your client support SRV records?

  154. MattJ

    If not, interop failure #1 :)

  155. will.thompson

    Dave Cridland: ah, one catch. the version of Gabble on the N900 only looks for google:roster to trigger queue, not google:queue. (Google doesn't actually advertise the latter; I guess we only added that speculative check in a later version.) Annoying.

  156. MattJ

    Dave Cridland, fippo, anyone: any familiarity with "unhandled critical CRL extension"?

  157. Dave Cridland

    MattJ, I can ask the X.509 people. Any idea what the extension in question *is*?

  158. MattJ

    Looking at the certs, my suspicion is CRLissuer

  159. MattJ

    which is present in all the certs

  160. MattJ

    and OpenSSL prints <unknown> as its value when it prints the cert

  161. Dave Cridland

    I'll look into it - I suspect this is an issue with what Sodium's putting into the certs.

  162. MattJ


  163. MattJ

    How does it work for you? :)

  164. MattJ

    OpenSSL source comment:

  165. MattJ

    /* See if we have any critical CRL extensions: since we currently don't handle any CRL extensions the CRL must be rejected.

  166. Bob (BJ) has left

  167. Dave Cridland

    MattJ, We don't use OpenSSL for CRL checking, so we'd be affected in entirely different ways (if at all).

  168. MattJ

    Ah, ok

  169. Dave Cridland

    So if it's complaining about the CRL itself, then it has to be the CRL, not the certs.

  170. fippo

    mattj: I can look into that when I found out who _removed_ my crl code

  171. remko

    Kev, MattJ: thanks, i'll see if i can't connect to notls tonight

  172. MattJ

    Dave Cridland, no, I think it's the certs

  173. MattJ

    let me check

  174. Bob (BJ) has joined

  175. MattJ

    Ah no, you may be right

  176. Kev

    remko: Well, you shouldn't be able to connect to it :)

  177. remko


  178. Bob (BJ) has left

  179. Bob (BJ) has joined

  180. Dave Cridland

    MattJ, Okay, so Sodium CA is inserting an extension into the CRL incorrectly.

  181. MattJ


  182. Dave Cridland

    MattJ, If I understand correctly, the extension "MUST NOT" be there because the CRL is being issued directly by the CA, but as far as I can tell it's mandatory in every other case, so OpenSSL could run into issues potentially with other CAs.

  183. MattJ

    So it seems

  184. MattJ

    You can disable the check (which is what I've done for now), but that's clearly not ideal :)

  185. Bob (BJ) has left

  186. fippo

    mattj: verify error code 36?

  187. MattJ


  188. Bob (BJ) has joined

  189. MattJ

    Yes, 36

  190. fippo

    I get that too (but at least revokedcert. fails properly

  191. MattJ

    but so do all the other certs, no?

  192. fippo

    yes, but revokedcert fails with X509_V_ERR_CERT_REVOKED at least

  193. Bob (BJ) has left

  194. MattJ

    fippo, what version of OpenSSL are you using?

  195. Bob (BJ) has joined

  196. fippo

    mattj: it claims to be 0.9.8g but is probably debian pimped

  197. Dave Cridland

    MattJ, The only extension in the CRL itself that's critical is the Issuing DP - but that's optionally generated by Sodium CA. Just uncheck the box on the "Generate CRL..." dialog.

  198. MattJ

    Ok, thanks

  199. MattJ

    fippo, they changed the code in OpenSSL 1.x

  200. MattJ

    that comment now reads:

  201. MattJ

    /* The rules changed for this... previously if a CRL contained unhandled critical extensions it could still be used to indicate a certificate was revoked. This has since been changed since critical extension can change the meaning of CRL entries. */

  202. Kev

    So, is there anything people need of me today?

  203. Kev

    Is there anything else we should have on the test plan? I'm fairly comfortable with both the server and client tests.

  204. MattJ

    Looks fine

  205. Kev

    MattJ: Just checking - is notls set to only offer PLAIN?

  206. MattJ

    Aha, good point - Prosody won't offer PLAIN on unencrypted connections either

  207. MattJ

    I'll set it to offer just PLAIN

  208. fippo

    Kev: for the next time I have some dialback failures - but I need to write them up and think about how to test them

  209. Kev

    fippo: That'd be great, thanks.

  210. Kev

    We can start planning the tests for next time as soon as we're done here, if you want.

  211. MattJ

    We should set up more tricky DNS situations next time

  212. Zash

    mixed A and SRV?

  213. MattJ

    Like testing correct SRV target selection

  214. Kev

    That's hard, but sure.

  215. MattJ

    and IDNA

  216. Zash

    and make a SRV query return a CNAME ?

  217. MattJ

    Kev, it's not really hard, is it?

  218. Kev

    Zash: That's not an interesting test, I think.

  219. Kev

    Something working against invalid input isn't as interesting as it failing against valid :)

  220. fippo

    zash: I wanted to test that, but bind won't do it anymore

  221. Kev

    Or am I missing a security consideration why that's worth testing?

  222. Zash

    Iduno, but I have a CNAME catch-all thingy :)

  223. Zash

    But IDN and IPv6

  224. Kev

    Both worth testing.

  225. Dave Cridland

    Zash, IDN with X.509 is particularly interesting. I know we fail that one right now.

  226. fippo

    IDN + x509 sounds like fun!

  227. Zash

    !ping nödåtgä

  228. MattJ


  229. Zash


  230. Kanchil

    Zash: Pong from nödåtgä in 7.021 seconds

  231. MattJ


  232. MattJ

    UTF8 processing overhead? :)

  233. Kev

    BTW Zash / MattJ, I upgraded Kanchil

  234. Zash


  235. Kanchil

    Zash: Kanchil is running Riddim version alpha on an unknown platform

  236. Zash

    Kev: You say?

  237. MattJ

    I guess I should go and fix verse, riddim and clix to squish with the latest Prosody repo

  238. Zash


  239. Zash

    Also, latest says "I am running .."

  240. Kev

    Zash: Well, I should have updated.

  241. Kev

    I certainly tried to.

  242. MattJ

    did you hg pull -u? :)

  243. MattJ

    I think git updates the working copy by default when you pull

  244. MattJ

    hg doesn't

  245. Kev


  246. Zash

    MattJ: git, true

  247. MattJ

    hg up

  248. Zash

    hg pull says you should do hg up iirc

  249. MattJ

    Bouncing prosody8

  250. Bob (BJ) has left

  251. MattJ

    fippo, have you broken -db and -dwd? :)

  252. MattJ

    I can't see the stream header you send, but Prosody is rejecting your stream:features, with "unbound prefix"

  253. fippo

    mattj: -db is down and I just changed sth in -dwd (which is mostly for dave)

  254. MattJ


  255. Zash wants a SRV aware netcat :/

  256. MattJ

    Zash, "clix raw"

  257. MattJ

    kind of

  258. fippo

    mattj: -dwd should work again

  259. fippo

    (not sure how it behaves in that test though :-)

  260. Zash

    MattJ: ohrly

  261. MattJ

    Zash, it does XMPP auth for you, then acts as telnet

  262. Zash

    MattJ: But, for testing non-xmpp things :)

  263. MattJ

    How would SRV help then? :)

  264. Dave Cridland

    (14:32:34) Send (217) <?xml version='1.0'?><stream:stream xmlns='jabber:server' xmlns:db='jabber:server:dialback' xmlns:stream='' to='' from='' version='1.0'> (14:32:34) Recv (222) <stream:features><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/><switch xmlns=''><scheme>psyc</scheme></switch><dialback xmlns='urn:xmpp:features:dialback'><errors/></dialback></stream:features> (14:32:34) Send (102) <stream:error><bad-format xmlns='urn:ietf:params:xml:ns:xmpp-streams'/></stream:error></stream:stream>

  265. fippo

    dave: fixed already

  266. Dave Cridland

    fippo, No, still like that.

  267. MattJ


  268. fippo

    ah... restarted the wrong server

  269. MattJ


  270. MattJ

    I'm terrified I'm going to bounce by mistake before the day is out

  271. Dave Cridland

    MattJ, Yeah, I'm glad I'm far, far away from

  272. MattJ

    Bouncing prosody8, this time with mod_dialback unloaded just to make sure :)

  273. MattJ

    Dave Cridland, M-Link does dialback even with EXTERNAL?

  274. Dave Cridland

    MattJ, I just noticed that. :-)

  275. Dave Cridland

    MattJ, But the answer is that M-Link doesn't really overly care about how it authenticates to you, or indeed how you want to authenticate to it - it'll just care that it can authenticate you.

  276. MattJ

    You mean as long as I have a valid cert I could say <message><body>Hey, I'm</body></message>? :)

  277. MattJ

    if I remove dialback from the stream header will it use EXTERNAL?

  278. Dave Cridland

    It will. But I've swapped around the processing order for features, so I'll update it shortly to use EXTERNAL.

  279. MattJ


  280. MattJ

    There's something up

  281. MattJ

    I'm not getting any pongs for my pings to mlinktrunk

  282. MattJ

    but Prosody reckons both s2s streams are up and running

  283. Dave Cridland

    I just bounced it, actually.

  284. Dave Cridland

    Now supporting a (very weakly tested) XEP-0288 Bidi.

  285. Dave Cridland

    As well as (I think) preferring to do EXTERNAL over dialback. Although that's obviously slower, so perhaps I should switch back.

  286. MattJ

    Eh? :)

  287. Dave Cridland

    EXTERNAL has more round-trips.

  288. MattJ

    Are you sure?

  289. Dave Cridland

    MattJ, With d-w-d, then yes.

  290. MattJ


  291. Dave Cridland

    MattJ, You say "cheat", I say "optimized".

  292. MattJ

    I'm still getting no pong

  293. MattJ

    Maybe it's my fault, same with ejabberd

  294. fippo

    I still get pongs from trunk

  295. Dave Cridland

    Just bouncing it to clear everything, then I'll try.

  296. Dave Cridland

    OK, something really odd going on... I've got to do the school run again, but we'll figure it out when I get back.

  297. MattJ


  298. MattJ

    The world falls apart without dialback :)

  299. fippo

    it doesn't without EXTERNAL :-)

  300. MattJ

    Quite :)

  301. fippo

    so the path is clear

  302. MattJ

    Plus d-w-d should be trivial to implement

  303. fippo

    btw: if you're bored you could implement bidi

  304. MattJ

    I'd like to get 198 working first

  305. MattJ

    then I shall

  306. Dave Cridland

    MattJ, Most of my bidi implementation time was thinking "But that can't be all it is..."

  307. MattJ

    Dave Cridland, I do think it should be really easy to implement, especially in Prosody

  308. MattJ

    all our code sends stanzas to the incoming s2s stream

  309. MattJ

    just Prosody redirects it at the last minute

  310. MattJ

    bidi would just turn off the redirection

  311. fippo

    dave: same for me

  312. fippo

    there is a tricky thing about not sending db:verify on the same connection where I am not sure if this works as expected - but you should not have that problem

  313. fippo

    since you're doing dialback-3

  314. Dave Cridland

    OK, I think I've fixed that issue.

  315. Dave Cridland

    MattJ, You should be able to ping me now. Turns out that once it'd done the stream restart, it basically sat waiting, instead of deciding the stream was setup.

  316. MattJ

    Dialback is enabled again so I can test 198

  317. MattJ

    it should be enabling on outgoing streams now

  318. Dave Cridland

    MattJ, I'm doing EXTERNAL again, or should be.

  319. Dave Cridland

    Just bouncing that server yet again - I've been meaning to apply a patch that should stop an irritating crash.

  320. stpeter has joined

  321. Dave Cridland

    Oh, gosh, that's odd. :-)

  322. Dave Cridland

    So, I'm now doing EXTERNAL again, and actually carrying on, only I'm *also* doing dialback. Whoops. :-)

  323. MattJ


  324. Dave Cridland

    *sigh* I'm still doing that. Which is very annoying. But on the plus side, you're still not enabling 198, so I don't feel quite so bad.

  325. stpeter


  326. fippo

    dave: the solution is to remove any EXTERNAL related code :-)

  327. Dave Cridland

    fippo, I know, I know. I'll make it an option, soon enough.

  328. Dave Cridland

    fippo, But the standard says we must, so we must.

  329. remko has left

  330. remko has joined

  331. remko has left

  332. stpeter prepares to submit revised versions of 3920bis and xmpp-address

  333. steve.kille

    Dave Cridland/fippo - sounds like the standards need fixing

  334. steve.kille

    We have way too many handshakes as it is, and getting rid of the SASL handshakes for single connection secure S2S sounds like a sensible standardization objective

  335. remko has joined

  336. steve.kille

    stpeter: what do you think?

  337. Dave Cridland

    steve.kille, Not so much fixing, as we need to document d-w-d properly, and ensure that it's perceived as acceptable.

  338. stpeter

    I think I don't want to make more changes to 3920bis at this moment for fear of introducing too many perturbations late in the process :)

  339. steve.kille

    Although helpful now, I am not sure the d-w-d name will be helpful long term

  340. remko has left

  341. Dave Cridland

    Ah, success. Now only authenticating once.

  342. stpeter

    but I suggest that we complete more interop testing over the next 12 months, submit an implementation report based on the feature set in 3920bis, then rev the document again (hopefully after we have the address format fixed)

  343. Dave Cridland

    MattJ, So, I'm now fixed. Are you waiting until you've got a resource bound before enabling 198? That might be problematic on S2S.

  344. remko has joined

  345. steve.kille

    stpeter: sounds like a reasonable plan to me

  346. MattJ

    Dave Cridland, hmm, I don't think so - hold

  347. stpeter

    there are enough changes between 3920 and 3920bis that I think continued interop testing and deployment feedback will be productive

  348. stpeter

    while we work in parallel on those thorny internationalization issues

  349. MattJ

    stpeter, I suspect future versions might (reference a) document about dialback-without-dialback :)

  350. steve.kille

    can we have a new name for it?

  351. MattJ

    dwd is good, isn't it Dave? :)

  352. stpeter

    MattJ: that would be good, I think -- based on what little I've read about it, which is only Dave's blog post

  353. MattJ

    I don't think anyone else has had a XEP named after them before

  354. fippo

    dave: actually, what would happen if I tried to do EXTERNAL twice on a single stream (i.e. multiple authentications)?

  355. MattJ

    I need to figure out what protocol mattj is an acronym for

  356. stpeter has been tempted to define an extension whose acronym is "PSA" :)

  357. MattJ

    !xep 198

  358. Kanchil

    MattJ: XEP-0198: Stream Management is Standards Track (Draft, 2010-03-05) See:

  359. MattJ

    Dave Cridland, missing xmlns declaration - looks a lot healthier now

  360. remko has left

  361. Dave Cridland

    fippo, We'd drop the stream.

  362. Dave Cridland

    MattJ, Ew.... I've just noticed I'm requesting acks even when I'm only writing to the stream to ack... That's nasty. I'll fix that.

  363. Florob has left

  364. Florob has joined

  365. fippo

    Dave: damn - but that would only allow to negotiate multiple source domains anyway

  366. tuomas has left

  367. MattJ


  368. MattJ

    Someone doing piggybacking asking for another remote domain - I'm not sure I'd considered that

  369. fippo

    mattj: "target piggybacking"? haven't seen that outside my lab

  370. steve.kille has left

  371. steve.kille has joined

  372. Dave Cridland

    Oops. My experiment with source piggybacking is not going all that well.

  373. Dave Cridland

    I seem to be piggybacking my MUC domain around 6 times a second.

  374. Dave Cridland

    Does that make the authentication stronger?

  375. MattJ


  376. MattJ

    Did you get my responses to your 198 message(s)?

  377. Dave Cridland

    MattJ, Yes, but they came through to my Gajim, of course.

  378. MattJ

    Dave Cridland, so all is well?

  379. fippo has left

  380. fippo has joined

  381. will.thompson has left

  382. badlop is halfway implementing cert verification in ejabberd, and hopes the (notls|expiredcert|mismatchcert|revokedcert|selfcert) servers will be up a pair of days more

  383. Tobias has left

  384. fippo

    badlop: selfsigned should be easy to find on public servers - CN=ejabberd is the most common certificate :-)

  385. MattJ


  386. MattJ

    Feel free to shoot on sight the admin of any server with CN="Prosody Example Certificate", that's expired, and self-signed

  387. MattJ

    except for me

  388. Zash


  389. Tobias has joined

  390. MattJ

    Wait... ejabberd doesn't do EXTERNAL already?

  391. MattJ

    I was sure it did

  392. fippo

    no, it gets offered external but does not use it yet

  393. Dave Cridland

    MattJ, I thought it did too - I'm sure I remember testing mine against when it was ejabberd.

  394. MattJ

    There was someone in jabber@ once

  395. MattJ

    They ran a public server using ejabberd

  396. Dave Cridland

    Your poetry is useless. Doesn't even rhyme.

  397. MattJ

    They were doing some testing on their laptop, and span up a test instance with their user db

  398. MattJ

    behind a firewalled NAT, they claimed their ejabberd instance had sent out unsubscribes on behalf of their domain

  399. MattJ

    they had the certs configured on their laptop, we put it down to EXTERNAL

  400. fippo

    mattj: you still want to update the wiki

  401. MattJ

    Mmm, yes

  402. MattJ

    I didn't conclude my testing because of the number of issues I had when I stopped advertising dialback :)

  403. MattJ

    Maybe I just shouldn't do that

  404. MattJ


  405. fippo

    yeah... I wonder if I should have failed ejabberd actually...

  406. fippo

    but it was worthy enough to get offered external

  407. fippo

    I guess that is one of the points we should specify more clearly next time

  408. fippo wonders if we will have to test xep-0238

  409. MattJ

    Any 1.0 server capable of TLS can be offered external

  410. MattJ

    and TLS was tested yesterday, no? :)

  411. fippo

    well... xep 0178 has this "only offer it if it will succeed" rule

  412. MattJ

    Sure, but that's not a function of the implementation, but of the cert it uses

  413. fippo

    which is good because if the peer attempts external and this fails this will increase roundtrips

  414. Dave Cridland

    fippo, Right, I have a slightly better variant on my source-piggybacking attempt - can I point it at (one of the) psyced-* servers to test?

  415. stpeter has left