<stpeter> compare to the jabber.org SRV:
$ dig +short -t SRV _xmpp-server._tcp.jabber.org
31 30 5269 hermes2v6.jabber.org.
30 30 5269 hermes2.jabber.org.
<ThibG> my guess so far is that xmpp.net uses warp.sitedethib.com to check the certificate
<ThibG> which is obviously wrong
<stpeter> bbiaf, time for lunch here
<Zash> ThibG: The SRV target is not used for certificate validation.
<ThibG> I have no idea what the issue is, then
<ThibG> sitedethib.com and warp.sitedethib.com happen to have the same A RRs
<Zash> https://q.zash.se/269bfe745c2f.txt there's no response
<ThibG> it resolves just fine here
<ThibG> I made a mistake when changing back the RRs
<ThibG> should be better now
<Zash> If the bare domain and the default port works then you don't strictly need SRV records at all
<ThibG> it was just in case I switch to having different machines for my services
<ThibG> (which was actually the case some time ago)
<ThibG> I could get rid of the SRV RRs, but still, I don't understand what's going on
<stpeter> ThibG: I notice when typing `telnet warp.sitedethib.com 5269` that IPv6 was attempted first, but timed out. However, I'm pretty sure that the xmpp.net code has a fallback to IPv4 if IPv6 times out.
<ThibG> unfortunately, I only have my server with IPv6 connectivity, and it obviously connects just fine to itself
<ThibG> sitedethib.com has the same IPv6 address too
<ThibG> anyway, I guess it doesn't fail at TCP level, but at TLS level, as it successfully displays my server's version
<Link Mauve> stpeter, from here it works.
<Link Mauve> Maybe some peering issue?
<Link Mauve> From both my home server (in Paris) and my company's servers (in the UK).
<stpeter> Yeah it could be an ISP issue for me.
<ThibG> huh, should have changed the RRs' TTL beforehand…
<stpeter> Let me check from the machine where xmpp.net is running. ;-)
<stpeter> connected to IPv6 very quickly
<stpeter> both with and without `warp.`
<stpeter> so that's not the issue
<ThibG> my only bet is that it somehow checks the certificate against warp.sitedethib.com instead of sitedethib.com
<stpeter> No, the XMPP specs have always been clear on the fact that you don't check against the SRV pointer.
<ThibG> yeah, that's what I understand too, but I have no idea why xmpp.net kept failing with my SRV pointing to warp.sitedethib.com, and works now that it is pointing to sitedethib.com
<stpeter> In fact, Thijs and I (proprietors of xmpp.net) co-wrote the RFC on TLS checking in XMPP. ;-) https://datatracker.ietf.org/doc/rfc7590/
<ThibG> (should be pointing back to warp.sitedethib.com, now, but alas the TTL is huge)
<stpeter> let me see if I can find any logs on the machine that will provide some more information
<Zash> ThibG: I believe it fetches the server version through jabber.org, not by itself.
<Zash> So, it being able to display that has no relation to its ability to connect to your server
<stpeter> Zash: really? that doesn't sound familiar
<ThibG> Zash, oh, ok, I think I did see an incoming s2s connection from jabber.org at that time
<Zash> stpeter: My memory says that it at least does a ping via a jabber.org account first
<stpeter> Zash: OK I will check the code for that, too
<stpeter> huh yeah firstname.lastname@example.org
<stpeter> I'd forgotten about that, I guess.
<stpeter> so now I log into the jabber.org machine and see what the logs there have to say in the matter :-)
<stpeter> I see things like this:
TLS conn IP=2001:910:1369:ffff::1 version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 secret-bits=256 processed-bits=256 compression="(None)" preliminary certificate verification failed
<stpeter> the last one of those was 40 minutes ago
<ThibG> hm, last failed xmpp.net test should be much older
<ThibG> I can retry a test, but I guess my working SRV RRs will still be in cache
<ThibG> nope, it's ok, the test is running against warp.sitedethib.com now
<stpeter> ThibG: this was on jabber.org, not xmpp.net
<Zash> stpeter: I don't see any explicit IPv6 support, so what exactly it connects with depends on the LuaSocket version.
<stpeter> Zash: aha, interesting
<ThibG> https://xmpp.net/result.php?domain=sitedethib.com&type=server fails again
<Zash> This thing where network libraries never do nice things like handle dualstack for you, such disappoint.
<stpeter> https://xmpp.net/result.php?domain=sitedethib.com&type=client is fine, though (other than that whole certificate thing).
<ThibG> still uses the old SRV
<ThibG> (sitedethib.com instead of warp.sitedethib.com)
<ThibG> re-running it, it fails the same way
<stpeter> both perseus (xmpp.net machine) and hermes2 (jabber.org machine) show warp in the SRV results
<ThibG> I guess I could regenerate a certificate with an additional warp.sitedethib.com subjectAltName to test my theory…
<Zash> ThibG: How is the certificate going to affect it not being able to connect *at all*, or what problem is it you are trying to debug?
<ThibG> Zash, I have no idea what the problem is
<Zash> Then how do you even know that there is a problem?
<ThibG> it should be able to connect regardless of whether the SRV is warp.sitedethib.com or sitedethib.com
<ThibG> when the SRV points to warp, it fails to connect; when it points to sitedethib.com, it doesn't
<ThibG> but those have the same A/AAAA
<Zash> Based on " Error: Connection failed. " happening with the IPv6 only jabber.org SRV target, and my knowledge that the XMPP library it uses does not support IPv6, I'm going to theorize that the problem is missing IPv6 support.
<ThibG> still, both warp.sitedethib.com and sitedethib.com have the same AAAA RR
* stpeter nods to Zash
<stpeter> I need to go heads-down on a task, bbiab.
<ThibG> let me try something else
<Zash> I'm guessing it ends up relying on the OS-es DNS lookup, which I've noticed sometimes returns an error code that becomes a fatal error
<ThibG> I'll add yet another sub-domain with only A RRs and make the SRV point to it, then
<ThibG> ah, I did not see the jabber.org test eventually succeeding
<stpeter> ThibG: yeah the tests can take quite a while - there is a lot to check and the script needs to back off sometimes so that it doesn't get disconnected for too many attempts (etc.)
<stpeter> anyway bbiab :-)
<ThibG> see you, and thanks for your help _o/
<ThibG> I wonder if I should split the SRVs into two sub-domains, one with only A RRs, then
<Zash> Shouldn't be required
<ThibG> or just accept that xmpp.net may not be able to connect to my server :/
<Zash> W: connect() to warp2.sitedethib.com.:5222 failed: Operation already in progress
<ThibG> It's the subdomain I just added to try with only A RRs
<Zash> I mean, that's likely the real error it gets when it says "Error: Connection failed"
<Zash> I don't really know why, but it seems to happen sometimes when there's more than one IP address associated with a name.
<ThibG> hm… I've tried a bunch of times, though, and it *always* failed
The socket is nonblocking and a previous connection attempt
has not yet been completed.
<Zash> I don't know.
<ThibG> ok, well, thanks anyway
<ThibG> at least I now know it's TCP/IP related and not cert-related as I initially thought
<Zash> Low-level socket fiddlery isn't my area of expertise.