-
edhelas
hello :)
-
edhelas
do you know where I can find some servers to test Direct TLS, I'd like to have cases where the DNS returns the "." SRV
-
Ge0rG
maybe somebody has a test instance, I wouldn't expect anybody using that setup in prod
-
lovetox
i guess you need a server that has set up that special dns entry
-
lovetox
because almost all servers support direct tls
-
lovetox
or let's say, many
-
Guus
edhelas: IgniteRealtime.org has, but I suspect that the s2s direct TLS implementation is broken
-
lovetox
oh you mean s2s
-
Guus
C2S is also enabled there
-
Guus
(with direct TLS on port 5223)
-
Guus
(should have the DNS srv records)
-
pep.
lovetox, many implementations support it, that doesn't say anything about deployments
-
pep.
Well, whatever default there is would probably be a majority
-
pep.
I don't remember prosody nor ejabberd enabling that by default
-
Guus
They don't? Curious, what's the downside?
-
Martin
What are you talking about? Xmpps srv records for direct tls?
-
pep.
Martin, yes
-
pep.
Guus, maybe it's just a matter of not doing it "yet", maybe it isn't. Personally I don't have that setup on my own server and I'm still alive and well
-
Guus
Ah, for just s2s that makes sense, yes
-
pep.
I'm talking about c2s mostly
-
Guus
Doesn't direct TLS outdate StartTLS?
-
lovetox
pep., almost all servers that i see offer direct tls
-
lovetox
conversations.im, jabber.fr are the most obvious
-
Zash
Outdate? Where'd you get that from?
-
Guus
I mean outdate as in "is older than". I based that on nothing but the order in which both were implemented in Openfire (where direct TLS was referenced to as the legacy way of doing things)
-
lovetox
yes funny in old gajim code direct tls was also named legacy
-
lovetox
would it be sensible for a server to remove all pending sub requests when i block a user
-
Zash
Yes
-
lovetox
i think ejabberd doesn't do this
-
Zash
Oh right it doesn't say this in https://xmpp.org/extensions/xep-0191.html#impl
-
Zash
Just that it MAY cancel existing subscriptions, which I don't think is a good idea
-
lovetox
I'm not even talking about subscriptions
-
lovetox
I'm talking about requests
-
Zash
I know
-
lovetox
ejabberd just sends me periodically the requests again and again
-
Zash
Can you deny it after blocking?
-
lovetox
no
-
lovetox
actually i do deny it before blocking
-
lovetox
why the hell is ejabberd still sending me this
-
Zash
In prosody the denying would get blocked, which is why we delete pending subscription requests. Something of an implementation detail tho.
-
Zash
Letting you deny it yourself would also have worked.
-
Zash
As someone mentioned yesterday however, it might be a good idea to tell the user/client that the sub request was retracted
-
Zash
Prosody doesn't currently, it just silently deletes
-
Zash
lovetox: This kind of stuff ought to go into that Implementation Notes section
-
lovetox
yeah
-
Zash
You probably don't want to reject the sub request before blocking, IIRC this notifies the sender that your account exists which is probably not desirable.
-
pep.
If a user provides a custom host I don't do SRV right? Just A/AAAA if the thing is resolvable even (might be an IP?)
-
Zash
Yes
-
lovetox
yes pep.
-
pep.
I've tried really hard coming up with examples of when somebody would need SRV with a custom host, and I got one, probably not worth handling just yet (until somebody comes grumping, then, maybe.)
-
pep.
An admin could serve a domain foo.bar that doesn't point to their server baz.qxx, which server has a specific DNS setup that needs SRV resolution :x
-
pep.
At this point I'd probably just tell them "use a different custom domain", or PRs welcome
-
lovetox
custom host means, connect to that host, not do srv and connect to another host
-
lovetox
because then you could just put that host in there
-
pep.
in where
-
lovetox
in the custom host field
-
pep.
yeah so what I said
-
lovetox
custom host is probably only used if you are too lazy or in a situation where you don't want to set up the dns
-
Zash
Or some cases where you can't access DNS properly, like with Tor
-
lovetox
if tor is activated, i just pass domain.org:5222 to TOR
-
lovetox
if that fails to connect, there is nothing you can do and need to abort
-
pep.
How do you know it's tor? Is that not handled by proxychains or similar?