jdev - 2025-02-15


  1. Zash

    Fellow server devs, in server-to-server certificate validation, do you (or your TLS library) check for the client auth extendedKeyUsage on incoming connections? Do you have the same trick as Prosody, where client certs are validated as server certs?

  2. Zash

    Sounds like the clientAuth purpose is going away, and it would be nice if that doesn't cause problems we had in the past to reappear: https://infosec.exchange/@mattm/114004472428368645 https://www.chromium.org/Home/chromium-security/root-ca-policy/#32-promote-use-of-dedicated-tls-server-authentication-pki-hierarchies

  3. moparisthebest

    > Do you have the same trick as Prosody, where client certs are validated as server certs?

    Yes, well, the opposite way: server certs are used for client auth but validated as server certs

  4. Zash

    You're saying the same thing as I did.

  5. Zash

    client cert as in the cert sent by the initiating party

  6. moparisthebest

    then yes :)

  7. moparisthebest

    Though at least for me the need for that hack wasn't obvious until it didn't work without it...

  8. marcl

    It seems like it's common for iOS XMPP users to have unreliable notifications for group chats

  9. marcl

    Apparently, when the app is in the background and goes offline for a day, the server may assume the user left the group chat

  10. marcl

    Monal recommends increasing the server's session timeout https://github.com/monal-im/Monal/wiki/Considerations-for-XMPP-server-admins/#session-timeout

  11. marcl

    Prosody: smacks_hibernation_time = 72 * 60 * 60 --72 hours

  12. marcl

    ejabberd: resume_timeout https://docs.ejabberd.im/admin/configuration/modules/#mod_stream_mgmt

  13. marcl

    I wonder how many iOS XMPP users have been lost due to frustration with notifications

  14. singpolyma

    I think when you enable push on a prosody session it extends smacks timeout to that

  15. singpolyma

    certainly mod_push2 does and for similar reasons

  16. marcl

    Is this a recent change?

  17. singpolyma

    I don't think so

  18. singpolyma

    https://modules.prosody.im/mod_cloud_notify.html

  19. marcl

    Good. Is this the same as what's discussed here about snikket? https://github.com/snikket-im/snikket-server/issues/240#issuecomment-2614430241

  20. singpolyma

    it is touched on there, but that ticket is about something unrelated

  21. Thilo Molitor

    singpolyma, marcl: yes, both prosody and ejabberd extend the smacks timeout if no push was sent. The timeout only starts after the first push was sent... but if the device in question isn't connected to the internet (turned off, flight mode, no mobile coverage etc.), then that push will get lost on Apple systems... that means the timeout started, but Monal won't know...

  22. Thilo Molitor

    if apple delivered pushes after the device came online again, that problem wouldn't exist at all...

  23. Thilo Molitor

    only starting the timeout after the first push isn't a recent change but at least ~4 years old (for both ejabberd and prosody)