jdev - 2022-05-30

  66. Schimon How can I cache them?
  203. grishka@5222.de Hi. Are there any articles or other places where I can see example(s) of s2s streams? I'm trying to build a minimal XMPP server to understand the protocol, but so far the behavior I'm seeing in the real world from different servers doesn't always align with the specs.
  204. jonas’ report any divergence from the specifications to the relevant software projects to get them fixed :)
  207. Zash https://xmpp.org/rfcs/rfc6120.html#examples-s2s
  208. grishka@5222.de Take starttls for example:
  - jabber.ru doesn't *require* TLS, but messages I send don't get through to my client either
  - 5222.de (the one I'm writing this from) does go through starttls fine, but then sends me a dialback request that has my server domain in "from", on my outbound connection, wtf?
  - matrix.org requires TLS, but after TLS negotiation is done, closes the stream saying "Your server's certificate is invalid, expired, or not trusted by matrix.org" — what does this mean even? I don't receive an inbound connection from it. Am I supposed to provide a client certificate? Am I supposed to use my TLS server certificate for that?
  210. jonas’ you seem to be mostly confused about the abomination which is dialback
  211. Zash Yeah, dialback causes instant confusion. All the terms are backwards.
  213. grishka@5222.de hm, okay, so does this actually mean that 5222.de wants me to verify its dialback key?
  214. Zash grishka@5222.de, in summary, your server's cert is probably wrong
  215. Zash Dialback is generally only used today when the cert is wrong somehow, e.g. expired or so
  216. grishka@5222.de and for my toy server it would be fine to swap to and from around and add result="valid" and send that back?
  217. Zash That's also what the message from matrix.org points at
  218. grishka@5222.de yeah well how *does* the other server get my server certificate?
  219. jonas’ grishka@5222.de, you need to send it as client certificate
  220. grishka@5222.de the kind of TLS I'm used to only involves a single certificate, the one the server sends to the client
  221. jonas’ ah
  222. grishka@5222.de ah okay
  223. jonas’ xmpp s2s may use mutual TLS, so you'll have to send the cert along
  224. jonas’ and then you may have to do SASL EXTERNAL to lock that in as authentication method
  226. grishka@5222.de thanks, I'll try that (I'll have to go through the misery of dealing with Java's cryptography APIs either way, this just means I'll have to do it sooner than planned, lol)
  227. Zash https://xmpp.org/extensions/xep-0178.html#s2s might be handy
  228. Zash https://xmpp.org/extensions/xep-0288.html makes things even nicer and faster
  309. grishka@5222.de After setting up a client certificate + private key (and cursing at Java cryptography APIs) I'm now getting a different error:
  <unsupported-feature xmlns="urn:ietf:params:xml:ns:xmpp-streams"/><text xmlns="urn:ietf:params:xml:ns:xmpp-streams">No viable authentication method offered</text>
  So the client certificate replaces dialback, right?
  311. Zash Huh
  312. grishka@5222.de or probably I'm not doing the stream restart correctly, it's as if the receiving side doesn't expect me to send <stream:features> after restart
  313. grishka@5222.de gotta read the RFC again
  316. Zash Unless you found a server other than Prosody producing that <text> message, it likely means _you_ did not offer TLS or SASL
  317. Zash Prosody says that for outgoing connections
  319. Zash Prosody → you. You're supposed to offer TLS or SASL
  320. Zash So, not about client certificates anymore
  322. grishka@5222.de I did offer TLS, I did negotiate TLS, and then I received that error over the encrypted connection after only offering dialback 🤔
  323. grishka@5222.de I'll try sending empty <stream:features/>
  324. Zash If the connection is secured it's expecting to be offered SASL probably
  325. Zash It's saying that if it gets a `<stream:features/>` without anything it knows how to handle, and the connection is not completed
  326. Zash I.e. it didn't do starttls, nor sasl, nor dialback
  327. Zash Due to the modular architecture, it has no idea why
  328. grishka@5222.de still
  I receive: <stream:features><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>EXTERNAL</mechanism></mechanisms><dialback xmlns="urn:xmpp:features:dialback"/></stream:features>
  I send: <stream:features><dialback xmlns="urn:xmpp:features:dialback"/></stream:features>
  then I receive the aforementioned error
  329. grishka@5222.de dialback _is_ a matching feature, so why is it not happy with that?
  333. Zash Dialback is not advertised in `<stream:features>` for historical reasons
  334. Zash So if no SASL is offered, it's probably assumed to be there and attempted. Unless the module is not loaded, or some reason.
  335. moparisthebest grishka@5222.de, honestly if you implement TLS client auth (SASL EXTERNAL) you won't need to implement dialback today in 2022, but you need a trusted certificate from a CA
  337. grishka@5222.de I tried not sending <stream:features> and sending <db:request> instead, now it feels like I'm getting further — I'm receiving an incoming connection from 5222.de that gets stuck at starttls because I don't implement the receiving end of that yet, so that's the next thing to be taken care of I guess
  338. grishka@5222.de moparisthebest, it is a trusted certificate from a CA, it's a Let's Encrypt one I pulled out of my server
  339. moparisthebest and you are sending it as your client cert on outgoing connections?
  340. grishka@5222.de yes
  341. moparisthebest then dialback shouldn't even come up
  342. Kev And you're constructing the chain correctly?
  345. Zash Also, you may be interested in https://badxmpp.eu/
  347. moparisthebest I guess what I'm saying is you should chase the bug in your TLS cert auth and forget about dialback, seeing a dialback attempt is just telling you your cert auth failed
  348. Zash Hm, wait
  349. Zash > I receive: <stream:features>
  > I send: <stream:features>
  on the same connection?
  350. Zash The party answering the connection sends stream features, not both
  351. Zash This all of course gets confusing when there are two connections involved
  352. Zash So it's a good idea to clarify which connections are involved
  353. antranigv has joined
  354. Laura has joined
  355. jubalh has joined
  356. Mx2 has left
  357. Mx2 has joined
  358. msavoritias has left
  359. antranigv has left
  360. antranigv has joined
  361. debacle has left
  362. grishka@5222.de Zash oh thanks for badxmpp.eu