XMPP Service Operators - 2019-01-13

  1. lash

    I tried setting up an openfire server using cacert.org certificate. I have trouble connecting to other servers, and suspect maybe the certificate is the issue, that it's not trusted. Do server implementations bundle their own trusted certificates, or do they use system's, or both?

  2. lash

    And if own or both, does anyone know if cacert.org is included?

  3. mightyBroccoli

    Cacert is not in any major trust store AFAIK. Some / most / just mine (I don't have any statistics) do not allow s2s without a valid cert. Why not use letsencrypt.org?

  4. lash

    mightyBroccoli: Yes, I am aware. So that's why I was curious whether XMPP servers also bundle some, and if cacert.org is part of them. I really like the philosophy of cacert, and I would like to support them.

  5. mightyBroccoli

    I would bet some have cacert in their store, thus it's possible, but for a federated service highly impractical, if the cert is not trusted automatically or at least widely.

  6. lash

    mightyBroccoli: The question was really whether the server software bundles or provides them. But I assume from your reply that the answer is no.

  7. Link Mauve

    lash, no distribution bundles certificates as part of specific applications that I know of.

  8. Maranda

    hmmm interesting increase in bidi s2s connections :O

  9. Maranda

    nm not so interesting after all

  10. Maranda has disco'ed some servers running Metronome 🤣

  11. pep.

    Maranda, yeah, prosody has declared their mod_bidi stable not so long ago so people decided to run it, even though it's been the same code for how many years

  12. Maranda

    pep., but most of those 22 connections weren't prosody :P

  13. pep.


  14. Maranda

    I can recognize Metronome in webmin by just looking at the s2s flags :P

  15. oli

    i feel xmpp federation should not enforce "valid" certs.

  16. pep.

    Why not

  17. pep.

    https://github.com/matrix-org/matrix-doc/pull/1711/commits/f30e6851127874739659ffe2b2c211c4db6e50f0 Matrix tried that, promoting the use of self-signed certs, with "notary" servers to allow you to verify a fingerprint from different perspectives, but apparently they're failing and coming back to "You should trust CAs"

  18. oli

    because then everyone has to rely on letsencrypt, and this cert renewal automation shit is just a big stupid workaround.

  19. pep.

    How is that related to "federated servers should not enforce valid certs"?

  20. oli

    because the suggestion was to use letsencrypt.

  21. pep.

    Maybe we should advertise DANE a bit more :)

  22. pep.

    I agree with not trusting CAs, but alternative solutions are often a lot more involved

  23. oli

    what's wrong with dialback?

  24. oli

    how is that less trustworthy than letsencrypt?

  25. Link Mauve

    oli, hi, here is a SRV saying that muc.xmpp.org is now served by evil.com, trust me I’m a DNS server somewhere.

  26. pep.

    s/somewhere/at your ISP/

  27. pep.

    Or others.

  28. oli

    somewhere at your ISP the letsencrypt verification is redirected

  29. pep.

    You contact them over https

  30. pep.

    So yeah if the CA trust is compromised, we're all doomed, but that will not go unnoticed

  31. oli

    i don't see much of a problem with s2s if there is encrypted dns and dnssec and maybe dane

  32. oli

    if i then receive a compromised ns record, letsencrypt has the same problem

  33. oli

    of course it's easier to just trust the letsencrypt cert

  34. oli

    and don't care about the other stuff

  35. pep.

    "letsencrypt has the same problem" how?

  36. Link Mauve

    oli, I’d say it’s harder to poison LE’s DNS servers than a random user’s ones.

  37. oli

    server admin, not user. s2s

  38. oli

    and it's about locking servers out that use self signed certs

  39. mightyBroccoli

    oli: it's about setting a standard. See it from the perspective that you would like a doctor who actually is a doctor, not one who just says he is one.

  40. oli

    good example of abuse of power and authority

  41. Licaon_Kter

    oli: the doctors part?

  42. oli


  43. mightyBroccoli

    Why is that abusive? Or to be more specific where do you feel violated by doctors?

  44. Maranda

    uh... lol with this poisoning paranoia drama.

  45. oli

    mightyBroccoli: 50% bad science, financial exploitation, unnecessary treatment including torture.

  46. oli

    50% saving leaves, providing proper care, ...

  47. oli

    lives not leaves

  48. mightyBroccoli

    I would call that a filter bubble and a misunderstanding of statistics. Projecting problems onto other subjects works on the surface but does not match up when you dig deeper. Think for yourself, don't be a sheep.

  49. oli

    cheap arguments...

  50. oli

    i just want to point out that certified doctors are not a good analogy for certified servers. or maybe it is: a certificate does not imply guaranteed trustworthiness

  51. Licaon_Kter

    oli: it doesn't, now how would these stats look without any certification?

  52. oli

    depends. in some areas much better...