XMPP Service Operators - 2020-11-23


  1. Arne

    Hi, can anyone tell me how I can test that my xmpps and xmpp over 443 are working?

  2. Licaon_Kter

    Block port 5222... try to log in?

  3. Arne

    Yes, I did now. But connecting over 443 doesn't work. I think I set something wrong in nginx.

  4. jonas’

    Arne, `curl -s -XPOST -H 'Content-Type: application/json' -d'{"target": "your.domain.example"}' https://observe.jabber.network/api/v1/check/xmpps-client | jq .success`

  5. arne

    Thanks jonas'!

  6. arne

    But this doesn't check whether it works over 443.

  7. arne

    But this doesn't check 443.

  8. Ge0rG

    arne: it checks whatever you have configured for xmpps-client

  9. jonas’

    yes

  10. arne

    yes

  11. arne

    But it's OK, I could already test 443 by blocking 5222 and 5223 on a client.

  12. bastoon

    > Hi, can anyone tell me how I can test that my xmpps and xmpp over 443 are working?

    If it helps, I'm using this: `openssl s_client -connect <server_fqdn>:443 -name <jid_host> -alpn xmpp-client`, because I mandate ALPN. I have a switch on this port based on protocol criteria for xmpp-client / bosh.

  13. Arne

    Thanks bastoon. I thought about using ALPN in nginx too, but it hasn't worked so far. I'll try it again later.

  14. Arne

    BTW, can anyone recommend using XEP-0156? For now I don't see a use for it.

  15. Arne

    BTW, can anyone recommend using XEP-0156? At the moment I don't see a use for it.

  16. Licaon_Kter

    Arne: do you have a web client hosted? Do you expose BOSH or WebSockets?

  17. Arne

    BOSH in a JavaScript web client. But it's working.

  18. Arne

    BOSH and a JavaScript web client. But it's working.

  19. Licaon_Kter

    Arne: well, 156 is for 'better' working :))

  20. Arne

    :D

  21. Arne

    I wonder if there is any lowering of security when using this?

  22. Licaon_Kter

    You already expose it in the Converse config... nothing new.

  23. Arne

    I don't use Converse, but yeah, I guess you're right, though it says:

    > 5. Security Considerations
    > It is possible that advertisement of alternative connection methods can introduce security vulnerabilities, since a connecting entity (usually a client) might deliberately seek to connect using the method with the weakest security mechanisms (e.g., no channel encryption or relatively weak authentication). Care needs to be taken in determining which alternative connection methods are appropriate to advertise.
    > Entities that use these connection methods MUST conform to the security considerations of each method, for example by preferring to use 'https' or 'wss' URLs that are protected using Transport Layer Security (TLS).

    Actually I don't like to offer a web client, but some people do want to have it for "emergency".

  24. Arne

    I don't use Converse, but I guess you're right, though it says:

    > 5. Security Considerations
    > It is possible that advertisement of alternative connection methods can introduce security vulnerabilities, since a connecting entity (usually a client) might deliberately seek to connect using the method with the weakest security mechanisms (e.g., no channel encryption or relatively weak authentication). Care needs to be taken in determining which alternative connection methods are appropriate to advertise.
    > Entities that use these connection methods MUST conform to the security considerations of each method, for example by preferring to use 'https' or 'wss' URLs that are protected using Transport Layer Security (TLS).

    Actually I don't like to offer a web client, but some people do want to have it for "emergency".

  25. Licaon_Kter

    Sorry, which client then? Is it broken and asks for lower security? Is your server configured to allow such a downgrade?

  26. Arne

    A slightly modified JSXC. But everything's working OK. I don't think I would get any benefits from XEP-0156. I actually was wondering if it makes sense to use. Maybe I'll just try it out tomorrow.

  27. Licaon_Kter

    Arne: it could help, say, for JSXC desktop or Converse desktop, where the user just puts in the JID and the connection endpoint is pulled via 156.