-
singpolyma
moparisthebest: (moving from other room) mellium, if there is no SRV, probes for possible direct TLS ports first, and tries 443 as one of those. So if anything at the A record listens on 443 but isn't the XMPP server, it hangs and never gets to the starttls port
-
moparisthebest
singpolyma: hehe so xmpp-proxy tries 443 as the default port too but has actual correct srv fallback behavior which can handle connecting to https :( that sounds like a bug
-
moparisthebest
Srv fallback is terrible and tricky and a lot of things get it wrong imho
-
singpolyma
I feel like if there's no SRV the by-the-spec behaviour is to not use direct TLS, but yeah, failing when there is a webserver confused me a lot
-
moparisthebest
It's wrong, a mitm attacker on the route before that server can redirect you to https and the cert will match, maybe the next record's path isn't controlled by that mitm
-
moparisthebest
No user ever wants to not connect to their server if connection is possible, therefore all srv records should be tried always (unless you get past auth, like it responds bad password for example)
-
singpolyma
In this case there are no SRV records at all
-
moparisthebest
Right but same thing really
-
moparisthebest
No user ever wants the application to hang forever either
-
moparisthebest
I treat no srv records the same as 3 srv records, first being starttls at the default port, second directtls at 443, third quic at 443
-
moparisthebest
i.e., increasing levels of desperation 😅
-
Menel
I would throw in direct TLS on 5223 before QUIC
-
Menel
By observation of real implementation
-
Menel
I would even say it is more common than on port 443
-
moparisthebest
Interesting, probably makes sense
-
MattJ
Also worth including 5223 if only due to https://support.apple.com/en-gb/HT203609
-
moparisthebest
Ha didn't know that either
-
ralphm
Yup, XMPP is everywhere. They even use Idavoll inside MacOS Server: https://ralphm.net/blog/2010/01/14/apple_uses_idavoll
-
moparisthebest
I knew they used XMPP just not port 5223
-
moparisthebest
Was 5223 in some pre-ietf spec?
-
moparisthebest
I can imagine 1999 ietf going "starttls all the things!!!!"
-
Zash
SSL on an alternate port was a thing before Jabber went through IETF afaik
-
Zash
which was 2002-2004 or so?
-
Zash
rfc3920 being published in 2004, so something like that
-
Zash
ah yeah, did this research once already: https://news.ycombinator.com/item?id=22207250
-
moparisthebest
Nice
-
wurstsalat
I invite you to add more software with xmpp context here https://xmpp.org/uses/ :)