compare to the jabber.org SRV:
$ dig +short -t SRV _xmpp-server._tcp.jabber.org
31 30 5269 hermes2v6.jabber.org.
30 30 5269 hermes2.jabber.org.
ThibG
my guess so far is that xmpp.net uses warp.sitedethib.com to check the certificate
ThibG
which is obviously wrong
stpeter
bbiaf, time for lunch here
Zash
ThibG: The SRV target is not used for certificate validation.
ThibG
I have no idea what the issue is, then
ThibG
sitedethib.com and warp.sitedethib.com happen to have the same A RRs
Zash
Except
Zash
https://q.zash.se/269bfe745c2f.txt there's no response
ThibG
wait. what
ThibG
it resolves just fine here
ThibG
oh sorry
ThibG
I made a mistake when changing back the RRs
ThibG
should be better now
Zash
If the bare domain and the default port works then you don't strictly need SRV records at all
ThibG
sure
ThibG
it was just in case I switch to having different machines for my services
ThibG
(which was actually the case some time ago)
ThibG
I could get rid of the SRV RRs, but still, I don't understand what's going on
info-screen has joined
stpeter
ThibG: I notice when typing `telnet warp.sitedethib.com 5269` that IPv6 was attempted first, but timed out. However, I'm pretty sure that the xmpp.net code has a fallback to IPv4 if IPv6 times out.
ThibG
hm
info-screen has left
ThibG
unfortunately, I only have my server with IPv6 connectivity, and it obviously connects just fine to itself
ThibG
sitedethib.com has the same IPv6 address too
ileh has left
ThibG
anyway, I guess it doesn't fail at TCP level, but at TLS level, as it successfully displays my server's version
Link Mauve
stpeter, from here it works.
Link Mauve
Maybe some pairing issue?
Link Mauve
From both my home server (in Paris) and my company’s servers (in the UK).
stpeter
Yeah it could be an ISP issue for me.
ivucica has joined
ThibG
huh, should have changed the RRs' TTL beforehand…
stpeter
Let me check from the machine where xmpp.net is running. ;-)
ThibG
stpeter, thanks!
stpeter
connected to IPv6 very quickly
stpeter
both with and without `warp.`
stpeter
so that's not the issue
ThibG
my only bet is that it somehow checks the certificate against warp.sitedethib.com instead of sitedethib.com
stpeter
No, the XMPP specs have always been clear on the fact that you don't check against the SRV pointer.
ThibG
yeah, that's what I understand too, but I have no idea why xmpp.net kept failing with my SRV pointing to warp.sitedethib.com, and works now that it is pointing to sitedethib.com
stpeter
In fact, Thijs and I (proprietors of xmpp.net) co-wrote the RFC on TLS checking in XMPP. ;-) https://datatracker.ietf.org/doc/rfc7590/
ThibG
(should be pointing back to warp.sitedethib.com, now, but alas the TTL is huge)
stpeter
let me see if I can find any logs on the machine that will provide some more information
Zash
ThibG: I believe it fetches the server version through jabber.org, not by itself.
Zash
So, it being able to display that has no relation to its ability to connect to your server
stpeter
Zash: really? that doesn't sound familiar
ThibG
Zash, oh, ok, I think I did see an incoming s2s connection from jabber.org at that time
Zash
stpeter: My memory says that it at least does a ping via a jabber.org account first
stpeter
Zash: OK I will check the code for that, too
stpeter
huh yeah imobservatory@jabber.org
stpeter
I'd forgotten about that, I guess.
stpeter
so now I log into the jabber.org machine and see what the logs there have to say in the matter :-)
ThibG
thanks!
stpeter
I see things like this:
TLS conn IP=2001:910:1369:ffff::1 version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 secret-bits=256 processed-bits=256 compression="(None)" preliminary certificate verification failed
stpeter
the last one of those was 40 minutes ago
ThibG
hm, last failed xmpp.net test should be much older
ThibG
I can retry a test, but I guess my working SRV RRs will still be in cache
ThibG
nope, it's ok, the test is running against warp.sitedethib.com now
ivucica has joined
stpeter
ThibG: this was on jabber.org, not xmpp.net
Zash
stpeter: I don't see any explicit IPv6 support, so what exactly it connects with depends on the LuaSocket version.
stpeter
Zash: aha, interesting
ThibG
https://xmpp.net/result.php?domain=sitedethib.com&type=server fails again
stpeter
sigh
Zash
This thing where network libraries never do nice things like handle dualstack for you, such disappoint.
https://xmpp.net/result.php?domain=sitedethib.com&type=client is fine, though (other than that whole certificate thing).
ThibG
still uses the old SRV
ThibG
(sitedethib.com instead of warp.sitedethib.com)
ThibG
re-running it, it fails the same way
stpeter
TTLs?
stpeter
ah
stpeter
right
stpeter
ok
stpeter
both perseus (xmpp.net machine) and hermes2 (jabber.org machine) show warp in the SRV results
ThibG
I guess I could regenerate a certificate with an additional warp.sitedethib.com subjectAltName to test my theory…
Zash
ThibG: How is the certificate going to affect it not being able to connect *at all*, or what problem is it you are trying to debug?
ThibG
Zash, I have no idea what the problem is
Zash
Then how do you even know that there is a problem?
ThibG
it should be able to connect regardless of whether the SRV is warp.sitedethib.com or sitedethib.com
ThibG
when the SRV points to warp, it fails to connect, when it points to sitedethib.com, it doesn't
ThibG
but those have the same A/AAAA
Zash
Based on " Error: Connection failed. " happening with the IPv6 only jabber.org SRV target, and my knowledge that the XMPP library it uses does not support IPv6, I'm going to theorize that the problem is missing IPv6 support.
ThibG
still, both warp.sitedethib.com and sitedethib.com have the same AAAA RR
jww has joined
stpeter nods to Zash
stpeter
I need to go heads-down on a task, bbiab.
ThibG
let me try something else
Zash
I'm guessing it ends up relying on the OS's DNS lookup, which I've noticed sometimes returns an error code that becomes a fatal error
ThibG
ok
ThibG
I'll add yet another sub-domain with only A RRs and make the SRV point to it, then
ThibG
ah, I did not see the jabber.org test eventually succeeding
stpeter
ThibG: yeah the tests can take quite a while - there is a lot to check and the script needs to back off sometimes so that it doesn't get disconnected for too many attempts (etc.)
stpeter
anyway bbiab :-)
ThibG
see you, and thanks for your help _o/
ThibG
I wonder if I should split the SRVs into two sub-domains, one with only A RRs, then
Zash
Shouldn't be required
ThibG
or just accept that xmpp.net may not be able to connect to my server :/
Zash
W: connect() to warp2.sitedethib.com.:5222 failed: Operation already in progress
Zash
That error
ThibG
It's the subdomain I just added to try with only A RRs
Zash
I mean, that's likely the real error it gets when it says "Error: Connection failed"
Zash
I don't really know why, but it seems to happen sometimes when there's more than one IP address associated with a name.
ThibG
hm… I've tried a bunch of times, though, and it *always* failed
ThibG
oh ok
Zash
EALREADY
The socket is nonblocking and a previous connection attempt
has not yet been completed.
ThibG
luasocket bug?
Zash
I don't know.
ThibG
ok, well, thanks anyway
ThibG
at least I now know it's TCP-IP related and not cert-related as I initially thought
Zash
Low-level socket fiddlery isn't my area of expertise.
Zash
https://github.com/diegonehab/luasocket/issues/99
edhelas has left
ThibG
ok, that's it, thanks!
ThibG
I'll just drop the DNS round-robin thing, it's a hack with little value