XMPP Service Operators - 2021-04-25

rob: > I'm getting the urge to write a bot that monitors various system things on your server and reports issues, but also responds to queries. As though I have time for more projects Like https://observe.jabber.network/ ?

Has anyone removed ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA AES256-SHA CAMELLIA256-SHA AES128-SHA CAMELLIA128-SHA from their cipher lists?

Also

Removed tls1.0 and 1.1

I would like to disable old insecure ciphers from my server

But i'm am curious if anyone out there is still running and requires these old inscure ciphersuites

Remove them all, grep your logs :)

jabber.calyxinstitute.org please update your crypto

Your the only one in my logs using TLSv1.2 with ECDHE-RSA-AES256-SHA

concerned about SHA vs. SHA2?

I"m concerned about BEAST (CVE-2011-3389)

Also LUCKY13 (CVE-2013-0169)

Apparently nobody at all is connecting over tls1.1 and lower

So i'm going to disable that

If your users use Android 4 they could left connectivity.

Thanks for the heads up

maybe use testssl.sh with its client simulation stuff to figure out whom you lock out

Nobody except calyx institute

Android 4.1 is the min for TLS 1.2, iirc. I dropped 1.1 and down recently and found one single user who had an Android 2.3 device still in use up to that point. The impact was extremely minimal.

What was the story with that one mike?

And which is your server?

No particular story, just that one person mentioned it after the change. I've seen no noticeable change in user numbers overall.

Oh

This is for chinwag.im

I'm curious the know about android 2 devices still in use

They just mentioned they still had one among several devices and noticed it stopped connecting after I upgraded the server.

Debian dropped TLS1.0/1.1 by default and "all" users with an Android4 lost connectivity. Applications using okhttp up to version xy will fail. Normaly Androud4 is able todo 1.2, but okhttp looks only about enabled not about possible and wouldn't use it.

tom: i removed everything not beeing AESGCM and only allowed TLS1.2+ no issues with federation. The server all do tls1.3 or tls.1.2 with curves and clients connecting to my small server are not ancient.

no issues that you know of ;)

Meaning, I can join every muc I like :-)

> rob: > Like https://observe.jabber.network/ ? No more like disk, memory, CPU, package updates etc

Do you use composer?

I don't think so? Like for docker?

That's docker-compose. I only know of composer the package manager for PHP, off the top of my head.

Ah, then no. Not that I am aware. I run everything in docker

Sorry, didn't mean to speak on christian's behalf. I may have misunderstood. But regarding monitoring, maybe something like fluentd (or fluent-bit) would be useful?

Composer is hart to tell what it is ... something between ftp and git

I don't know much about it but it seems it can handle any kind of files

So it's a sort of file transfer program? Do you have a link?

Yax.im, your conference server is completely down for me

tom: yeah, https://monal.im/blog/vaxbot-continues-to-grow/

tom, yax.im uses o.j.n, they’re aware. very.

Orange juice nancys?

Oh

Your monitor

jonas’: have you thought about making the monitor data public?

MattJ: regarding the yax&vaccines situation, was prosody tweaked or the push server or?

I think it would be a pretty valuable resource

Sorry, there was a yax.im downtime that seems unrelated to VaxBot

jonas’: your bot seems to think my tls certificates are about to expire

Which does not seem to be true