-
ThibG
hm, it seems the failure from the other day is related to my _xmpp-server._tcp SRV entry, which points to a different sub-domain
-
ThibG
but this is the point of a SRV entry, and I fail to see how it could be a problem
-
stpeter
hm
-
stpeter
your SRV entry seems fine
-
ThibG
I changed it
-
stpeter
aha
-
ThibG
I'll change it back
-
stpeter
$ dig +short -t SRV _xmpp-server._tcp.sitedethib.com
10 0 5269 sitedethib.com.
-
ThibG
I'm testing things
-
stpeter
that's what I see
-
stpeter
yeah
-
ThibG
it was pointing to warp.sitedethib.com.
-
ThibG
which is the same machine
- stpeter nods
-
stpeter
compare to the jabber.org SRV:
$ dig +short -t SRV _xmpp-server._tcp.jabber.org
31 30 5269 hermes2v6.jabber.org.
30 30 5269 hermes2.jabber.org.
-
ThibG
my guess so far is that xmpp.net uses warp.sitedethib.com to check the certificate
-
ThibG
which is obviously wrong
-
stpeter
bbiaf, time for lunch here
-
Zash
ThibG: The SRV target is not used for certificate validation.
-
ThibG
I have no idea what the issue is, then
-
ThibG
sitedethib.com and warp.sitedethib.com happen to have the same A RRs
-
Zash
Except
-
Zash
https://q.zash.se/269bfe745c2f.txt there's no response
-
ThibG
wait. what
-
ThibG
it resolves just fine here
-
ThibG
oh sorry
-
ThibG
I made a mistake when changing back the RRs
-
ThibG
should be better now
-
Zash
If the bare domain and the default port works then you don't strictly need SRV records at all
-
ThibG
sure
-
ThibG
it was just in case I switch to having different machines for my services
-
ThibG
(which was actually the case some time ago)
-
ThibG
I could get rid of the SRV RRs, but still, I don't understand what's going on
-
stpeter
ThibG: I notice when typing `telnet warp.sitedethib.com 5269` that IPv6 was attempted first, but timed out. However, I'm pretty sure that the xmpp.net code has a fallback to IPv4 if IPv6 times out.
-
ThibG
hm
-
ThibG
unfortunately, I only have my server with IPv6 connectivity, and it obviously connects just fine to itself
-
ThibG
sitedethib.com has the same IPv6 address too
-
ThibG
anyway, I guess it doesn't fail at TCP level, but at TLS level, as it successfully displays my server's version
-
Link Mauve
stpeter, from here it works.
-
Link Mauve
Maybe some pairing issue?
-
Link Mauve
From both my home server (in Paris) and my company’s servers (in the UK).
-
stpeter
Yeah it could be an ISP issue for me.
-
ThibG
huh, should have changed the RRs' TTL beforehand…
-
stpeter
Let me check from the machine where xmpp.net is running. ;-)
-
ThibG
stpeter, thanks!
-
stpeter
connected to IPv6 very quickly
-
stpeter
both with and without `warp.`
-
stpeter
so that's not the issue
-
ThibG
my only bet is that it somehow checks the certificate against warp.sitedethib.com instead of sitedethib.com
-
stpeter
No, the XMPP specs have always been clear on the fact that you don't check against the SRV pointer.
-
ThibG
yeah, that's what I understand too, but I have no idea why xmpp.net kept failing with my SRV pointing to warp.sitedethib.com, and works now that it is pointing to sitedethib.com
-
stpeter
In fact, Thijs and I (proprietors of xmpp.net) co-wrote the RFC on TLS checking in XMPP. ;-) https://datatracker.ietf.org/doc/rfc7590/
-
ThibG
(should be pointing back to warp.sitedethib.com, now, but alas the TTL is huge)
-
stpeter
let me see if I can find any logs on the machine that will provide some more information
-
Zash
ThibG: I believe it fetches the server version through jabber.org, not by itself.
-
Zash
So, it being able to display that has no relation to its ability to connect to your server
-
stpeter
Zash: really? that doesn't sound familiar
-
ThibG
Zash, oh, ok, I think I did see an incoming s2s connection from jabber.org at that time
-
Zash
stpeter: My memory says that it at least does a ping via a jabber.org account first
-
stpeter
Zash: OK I will check the code for that, too
-
stpeter
huh yeah imobservatory@jabber.org
-
stpeter
I'd forgotten about that, I guess.
-
stpeter
so now I log into the jabber.org machine and see what the logs there have to say in the matter :-)
-
ThibG
thanks!
-
stpeter
I see things like this: TLS conn IP=2001:910:1369:ffff::1 version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 secret-bits=256 processed-bits=256 compression="(None)" preliminary certificate verification failed
-
stpeter
the last one of those was 40 minutes ago
-
ThibG
hm, last failed xmpp.net test should be much older
-
ThibG
I can retry a test, but I guess my working SRV RRs will still be in cache
-
ThibG
nope, it's ok, the test is running against warp.sitedethib.com now
-
stpeter
ThibG: this was on jabber.org, not xmpp.net
-
Zash
stpeter: I don't see any explicit IPv6 support, so what exactly it connects with depends on the LuaSocket version.
-
stpeter
Zash: aha, interesting
-
ThibG
https://xmpp.net/result.php?domain=sitedethib.com&type=server fails again
-
stpeter
sigh
-
Zash
This thing where network libraries never do nice things like handle dualstack for you, such disappoint.
-
ThibG
well
-
ThibG
https://xmpp.net/result.php?domain=jabber.org&type=server
-
stpeter
https://xmpp.net/result.php?domain=sitedethib.com&type=client is fine, though (other than that whole certificate thing).
-
ThibG
still uses the old SRV
-
ThibG
(sitedethib.com instead of warp.sitedethib.com)
-
ThibG
re-running it, it fails the same way
-
stpeter
TTLs?
-
stpeter
ah
-
stpeter
right
-
stpeter
ok
-
stpeter
both perseus (xmpp.net machine) and hermes2 (jabber.org machine) show warp in the SRV results
-
ThibG
I guess I could regenerate a certificate with an additional warp.sitedethib.com subjectAltName to test my theory…
-
Zash
ThibG: How is the certificate going to affect it not being able to connect *at all*, or what problem is it you are trying to debug?
-
ThibG
Zash, I have no idea what the problem is
-
Zash
Then how do you even know that there is a problem?
-
ThibG
it should be able to connect regardless of whether the SRV is warp.sitedethib.com or sitedethib.com
-
ThibG
when the SRV points to warp, it fails to connect, when it points to sitedethib.com, it doesn't
-
ThibG
but those have the same A/AAAA
-
Zash
Based on " Error: Connection failed. " happening with the IPv6 only jabber.org SRV target, and my knowledge that the XMPP library it uses does not support IPv6, I'm going to theorize that the problem is missing IPv6 support.
-
ThibG
still, both warp.sitedethib.com and sitedethib.com have the same AAAA RR
- stpeter nods to Zash
-
stpeter
I need to go heads-down on a task, bbiab.
-
ThibG
let me try something else
-
Zash
I'm guessing it ends up relying on the OS's DNS lookup, which I've noticed sometimes returns an error code that becomes a fatal error
-
ThibG
ok
-
ThibG
I'll add yet another sub-domain with only A RRs and make the SRV point to it, then
-
ThibG
ah, I did not see the jabber.org test eventually succeeding
-
stpeter
ThibG: yeah the tests can take quite a while - there is a lot to check and the script needs to back off sometimes so that it doesn't get disconnected for too many attempts (etc.)
-
stpeter
anyway bbiab :-)
-
ThibG
see you, and thanks for your help _o/
-
ThibG
I wonder if I should split the SRVs into two sub-domains, one with only A RRs, then
-
Zash
Shouldn't be required
-
ThibG
or just accept that xmpp.net may not be able to connect to my server :/
-
Zash
W: connect() to warp2.sitedethib.com.:5222 failed: Operation already in progress
-
Zash
That error
-
ThibG
It's the subdomain I just added to try with only A RRs
-
Zash
I mean, that's likely the real error it gets when it says "Error: Connection failed"
-
Zash
I don't really know why, but it seems to happen sometimes when there's more than one IP address associated with a name.
-
ThibG
hm… I've tried a bunch of times, though, and it *always* failed
-
ThibG
oh ok
-
Zash
EALREADY The socket is nonblocking and a previous connection attempt has not yet been completed.
-
ThibG
luasocket bug?
-
Zash
I don't know.
-
ThibG
ok, well, thanks anyway
-
ThibG
at least I now know it's TCP-IP related and not cert-related as I initially thought
-
Zash
Low-level socket fiddlery isn't my area of expertise.
-
Zash
https://github.com/diegonehab/luasocket/issues/99
-
ThibG
ok, that's it, thanks!
-
ThibG
I'll just drop the DNS round-robin thing, it's a hack with little value