-
Arne
Hi, can anyone tell me how I can test that my xmpps and xmpp over 443 are working?
-
Licaon_Kter
Block port 5222....try to login?
-
Arne
Yes, I did now. But it doesn't work to connect over 443. I think I set something wrong in nginx.
-
jonas’
Arne, `curl -s -XPOST -H 'Content-Type: application/json' -d'{"target": "your.domain.example"}' https://observe.jabber.network/api/v1/check/xmpps-client | jq .success`
-
arne
Thanks jonas'!
-
arne
But this doesn't check 443
-
Ge0rG
arne: it checks whatever you have configured for xmpps-client
-
jonas’
yes
-
arne
yes
-
arne
But it's ok, I already could test 443 by blocking 5222 and 5223 on a client
-
bastoon
> Hi can anyone tell me how I can test my xmpps and xmpp over 443 is working?

If it can help, I'm using this:

`openssl s_client -connect <server_fqdn>:443 -name <jid_host> -alpn xmpp-client`

Because I mandate ALPN. I've a switch on this port based on proto criteria for xmpp-client / bosh.
-
Arne
Thanks bastoon. I thought about using ALPN in nginx too, but it didn't work so far. I'll try it again later.
-
Arne
btw. can anyone recommend using xep-0156? At the moment I don't see usage for me
-
Licaon_Kter
Arne: do you have a web client hosted? Do you expose BOSH or Websockets?
-
Arne
Bosh and a JavaScript webclient. But it's working
-
Licaon_Kter
Arne: well, 156 is for 'better' working :))
-
Arne
:D
-
Arne
I wonder if there is any lowering of the security if using this?
-
Licaon_Kter
You already expose it in the Converse config...nothing new.
-
Arne
I don't use converse but I guess you're right, though it says:

> 5. Security Considerations
> It is possible that advertisement of alternative connection methods can introduce security vulnerabilities, since a connecting entity (usually a client) might deliberately seek to connect using the method with the weakest security mechanisms (e.g., no channel encryption or relatively weak authentication). Care needs to be taken in determining which alternative connection methods are appropriate to advertise.
> Entities that use these connection methods MUST conform to the security considerations of each method, for example by preferring to use 'https' or 'wss' URLs that are protected using Transport Layer Security (TLS).

Actually I don't like to offer a webclient, but some people do want to have it for "emergency"
-
Licaon_Kter
Sorry, which client then? Is it broken and it asks for lower security? Is your server configured to allow such a downgrade?
-
Arne
A slightly modified jsxc. But everything's working ok. I don't think I would get any benefits from xep 0156. I actually was wondering if it makes sense to use. Maybe I'll just try it out tomorrow
-
Licaon_Kter
Arne: it could help, say, for jsxc desktop or converse desktop, where the user just enters the JID and the connection endpoint is pulled via 156