jdev - 2023-02-09

  1. singpolyma

    moparisthebest: (moving from other room) mellium, if there is no SRV, probes for possible direct TLS ports first, and tries 443 as one of those. So if anything at the A record listens on 443 but isn't the XMPP server, it hangs and never gets to the starttls port

  2. moparisthebest

    singpolyma: hehe, so xmpp-proxy tries 443 as the default port too, but has actual correct SRV fallback behavior which can handle connecting to https :( that sounds like a bug

  3. moparisthebest

    SRV fallback is terrible and tricky, and a lot of things get it wrong imho

  4. singpolyma

    I feel like if there's no SRV, the by-the-spec behaviour is to not use direct TLS, but yeah, failing when there is a webserver confused me a lot

  5. moparisthebest

    It's wrong: a MITM attacker on the route before that server can redirect you to https and the cert will match; maybe the next record's path isn't controlled by that MITM

  6. moparisthebest

    No user ever wants to not connect to their server if a connection is possible; therefore all SRV records should always be tried (unless you get past auth, like it responds "bad password", for example)

  7. singpolyma

    In this case there are no SRV records at all

  8. moparisthebest

    Right but same thing really

  9. moparisthebest

    No user ever wants the application to hang forever either

  10. moparisthebest

    I treat no SRV records the same as 3 SRV records: the first being starttls at the default port, the second direct TLS at 443, the third QUIC at 443

  11. moparisthebest

    ie, increasing levels of desperation 😅

  12. Menel

    I would throw in direct TLS on 5223 before QUIC

  13. Menel

    By observation of real implementations

  14. Menel

    I would even say it is more common than on port 443

  15. moparisthebest

    Interesting, probably makes sense

  16. MattJ

    Also worth including 5223 if only due to https://support.apple.com/en-gb/HT203609

  17. moparisthebest

    Ha, didn't know that either

  18. ralphm

    Yup, XMPP is everywhere. They even use Idavoll inside MacOS Server: https://ralphm.net/blog/2010/01/14/apple_uses_idavoll

  19. moparisthebest

    I knew they used XMPP just not port 5223

  20. moparisthebest

    Was 5223 in some pre-IETF spec?

  21. moparisthebest

    I can imagine 1999 IETF going "starttls all the things!!!!"

  22. Zash

    SSL on an alternate port was a thing before Jabber went through IETF afaik

  23. Zash

    which was 2002-2004 or so?

  24. Zash

    RFC 3920 being published in 2004, so something like that

  25. Zash

    ah yeah, did this research once already: https://news.ycombinator.com/item?id=22207250

  27. wurstsalat

    I invite you to add more software with XMPP context here https://xmpp.org/uses/ :)