XMPP Service Operators - 2021-01-11

So I think I'll make the jump over to prosody from ejabberd for the pi. Thanks for all the advice everyone.

argon3771: because?

Because it's better!

What a silly question :P

MattJ: right, my bad :)

MattJ: Does Prosody first cache uploaded files in memory?

Yes, in the current release

That's why we have default limits that everyone just overrides

Next version will dump straight to file, and obviously there is upload_external for all versions which bypasses the issue entirely

Nice

Back in 2018 ejabberd was doing the same, but a quick zinid fix and my 256Mb Pi1 suddendly become usable.

Idk

I just don't think mod_upload was a good idea

Like

If your going to do it, do it right or don't do it at all

Use mod_upload_external

Drop mod_upload

+1

Yeah, it's annoying that we are working to develop a good XMPP server, and suddenly the scope creeps to include developing a good HTTP server as well

I mean, there are whole other projects dedicated to doing that

Erlang may have an advantage in that regard, I imagine ejabberd is using a ready-made HTTP server implementation

will this change with prosody 12 maybe?

https://blog.prosody.im/2020-retrospective/ - see the section about the HTTP server :)

The spike in popularity is suspect

I wonder why

As written just below the graph, I suspect Jitsi Meet installations - at the time there was a lot of hype about the project, lockdowns and Zoom privacy issues every week

A bunch of places wrote "how to set up your own Jitsi Meet" guides and such

MattJ: > Yeah, it's annoying that we are working to develop a good XMPP server, and suddenly the scope creeps to include developing a good HTTP server as well Spoke as zinid did :)) tom: But there's some elegance in having one daemon do to them all, ejabberd still is OOTB ready to serve, no DB, no webserver, no stun/turn needed besides.

Jack of all master of none

Plus

There is a finite resource, developer attention

Licaon_Kter, apart from STUN/TURN, Prosody is the same

I'm not sure the world needs another TURN server implementation, especially in Lua just because :)

Because you know, we'd have to find a name for it

tom: > Jack of all master of none I'd beg to differ, did you test? > There is a finite resource, developer attention True

Yes

Prosody makes a terrible webserver compared to nginx and a small perl cgi

By the way MattJ, since those jitsi servers are using prosody apparently, is there any interaction that can be had with my xmpp client and prosody server?

I tried running disco on meet.jit.si, nothing

MattJ: eturnal is taken, sorry `prosturner` ?

tom: the devs don't support it

tom: > Yes > Prosody makes a terrible webserver compared to nginx and a small perl cgi I meant ejabberd :)

tom, most are configured for anonymous authentication and support MUC

Most normal clients don't do anonymous auth though

Course they don't (╯ರ ~ ರ）╯︵ ┻━┻

They just take

When your setting up onion S2S connections with someone, and it works but your server rejects because of Server-to-server connection failed: Encrypted server-to-server communication is required but was not offered<

Shouldn't mod_onions or mod_darknet auto-consider .onion servers secure?

Or is there a way to mark all incoming s2s connections on the loopback interface secure?

creep.im: increase the XML stanza size limit, it's causing federation problems

» Jan 11 03:47:42 s2sout55bd8df13370 info Session closed by remote with error: policy-violation (XML stanza is too big) » Jan 11 03:47:42 s2sout55bd8df13370 info Outgoing s2s stream conference.nuegia.net->creep.im closed: policy-violation (XML stanza is too big)

creep.im: it's lower than https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L40 ?

what kind of monster stanza are you sending?

it's 131072 ✏

I've just increased limits both for S2C and S2S (used ejabberd example linked above) ✏

Ge0rG: i don't know which stanza triggered it. But sometimes users post news articles in my mucs

And use omemo

is room.pix-art.de down for me or for everyone?

Ge0rG: > Establishing a secure connection from mdosch.de to room.pix-art.de failed. Certificate hash: 4cd531a9524513d90ff042873b929fb4104c5dbb5d58d9c22a9d23b4639ad634. This certificate is invalid for room.pix-art.de.

Martin: thanks

also works here again; maybe a short network downtime.

Would there be any compat issues with my switching to a ECC certificate?

Rather than an RSA4096

tom: ask 404.city :)

We tested this by accident on c.im the other day. Answer is yes :-)

tom, There are no serious problems

Holger: Did s2s to all cert checking servers break or "only" to some?

tom, There may be problems connecting to spam-scrapyards and abandoned servers

404.city: were the issues between yours and yax.im fixed? ✏

Martin: Only some.

Ok, thanks.

404.city: There can also be problems connecting to maintained servers.

Cipher negotiation fails more easily.

>Licaon_Kter‎: 404.city: were the issues between yours and yax.im fixed? Yes

If people decide to use the latest-greatest-strictest TLS setup and are fine with the fact that this can break legitimate communication between users that's obviously fine with me. But please don't pretend that this *won't* break communication. Debugging the resulting breakage can be annoying.

I think in the future ECC will be adopted as the main encryption standard and RSA will be deprecated. Nowadays, this can already be considered an RSA outdated standard. The more servers with ECC there will be, the more problems RSA servers will have. Now RSA is just the majority, but in the future ECC will be the default.

If we're talking about some point of time in the future you may be right. I thought this was about the implications of switching to an ECC certificate today.

I thought RSA certs were already switching to ECC

considered deprecated

at least, the BIG CAs are moving their root certs to ECC

Holger: which servers broke when you switched to ecc cert?

Many people think that self-signed certificates should be used instead of RSA. They also require compatibility. Let's hold on to the past, we'll be behind those who go into the future

404.city: As I said I'm all happy with you going as far into the future as you like. But the question was whether or not this will introduce interop issues. Your answer was 'no', and the correct answer is 'yes'. That's all.

tom: You're asking me for domain names?

y

Why?

because i want to know which servers will break if i switch to ecc

Ah I'm of no help then. We only had that setup for 2-3 hours because until two of my contacts notified me of borked s2s, both of whom just run small personal servers.

s/because//

Holger, Okay, but I don't agree that there are interoperability issues. In this case, self-signed certificates and servers without encryption should also be considered communication problems.

Holger: how did that end up in the setup?

404.city: Are we now discussing the definition of "interop issues" or what? I'm not wasting my time on this nonsense.

404.city: And yes enforcing TLS obviously breaks interop with non-TLS servers. It's just that the fraction of servers not supporting TLS is tiny. So the trade-off is very different. Security-related questions are basically always decisions on trade-offs, not binary all-or-nothing decisions.

Licaon_Kter: We are a huge site with lots of employees plus lots of automation which all needs coordination and in this case things went wrong.

😂

Holger: humans? Pfft, they are the ~worst~wurst :) ✏

Licaon_Kter: Schtrudelwurst?

It's a spectrum

i have more problems with signed certificates than switching to ECC. It is worth noting that it was a long time ago, and now all these problematic servers (self-signet sertificat) have been adjusted now to the zeitgeist.

Holger, Do not worry. I am not discussing a technical issue, I am a philosophical one. Naturally there is a mistake, how loud they are is already a philosophical question. In your case, errors are is critical, not to accept ECC but to use RSA.

> more problems with signed certificates You mean you disabled dialback, so that you insist on a valid certificate, and you're annoyed by servers who still don't offer a CA-signed cert?

Holger, Well, how can I tell you ... My friend was hacked through a self-signed certificate when I was young and used xmpp.jp He also used xmpp.jp with self signed certificates. c2s trusted <+> s2s (dialback) <+> c2s (not trusted) = not trusted

tom, by the way, this is not the case when you have to ask. You can release two ECC + RSA at once by few minute. Certificates can be changed without rebooting. See what you like best)

Offtopic I think, but just wondering: can I use my 404.city account also on Matrix, 404.city ?

86ul, On 404.city there is no active Matrix server. Its launch is not planned due to excessive resource consumption within the Matrix network. This is chat not the right place for such conversations. We could get banned for this chatter.

Thanks anyways

86ul, I will write in private

Okay

Ge0rG: Is chat.yax.im down?

maybe they have a blackout like me an hour ago 😅

Martin: the yax.im chatroom is up for me.

I could leave and rejoin just now. 😃