XMPP Service Operators - 2021-04-25

  1. Licaon_Kter

    rob: > I'm getting the urge to write a bot that monitors various system things on your server and reports issues, but also responds to queries. As though I have time for more projects Like https://observe.jabber.network/ ?

  2. tom

    Has anyone removed ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA AES256-SHA CAMELLIA256-SHA AES128-SHA CAMELLIA128-SHA from their cipher lists?

  3. tom


  4. tom

    Removed tls1.0 and 1.1

  5. tom

    I would like to disable old insecure ciphers from my server

  6. tom

    But i'm am curious if anyone out there is still running and requires these old inscure ciphersuites

  7. Licaon_Kter

    Remove them all, grep your logs :)

  8. tom

    jabber.calyxinstitute.org please update your crypto

  9. tom

    Your the only one in my logs using TLSv1.2 with ECDHE-RSA-AES256-SHA

  10. jonas’

    concerned about SHA vs. SHA2?

  11. tom

    I"m concerned about BEAST (CVE-2011-3389)

  12. tom

    Also LUCKY13 (CVE-2013-0169)

  13. tom

    Apparently nobody at all is connecting over tls1.1 and lower

  14. tom

    So i'm going to disable that

  15. ernst.on.tour

    If your users use Android 4 they could left connectivity.

  16. tom

    Thanks for the heads up

  17. jonas’

    maybe use testssl.sh with its client simulation stuff to figure out whom you lock out

  18. tom

    Nobody except calyx institute

  19. mike

    Android 4.1 is the min for TLS 1.2, iirc. I dropped 1.1 and down recently and found one single user who had an Android 2.3 device still in use up to that point. The impact was extremely minimal.

  20. tom

    What was the story with that one mike?

  21. tom

    And which is your server?

  22. mike

    No particular story, just that one person mentioned it after the change. I've seen no noticeable change in user numbers overall.

  23. tom


  24. mike

    This is for chinwag.im

  25. tom

    I'm curious the know about android 2 devices still in use

  26. mike

    They just mentioned they still had one among several devices and noticed it stopped connecting after I upgraded the server.

  27. ernst.on.tour

    Debian dropped TLS1.0/1.1 by default and "all" users with an Android4 lost connectivity. Applications using okhttp up to version xy will fail. Normaly Androud4 is able todo 1.2, but okhttp looks only about enabled not about possible and wouldn't use it.

  28. menel

    tom: i removed everything not beeing AESGCM and only allowed TLS1.2+ no issues with federation. The server all do tls1.3 or tls.1.2 with curves and clients connecting to my small server are not ancient.

  29. jonas’

    no issues that you know of ;)

  30. menel

    Meaning, I can join every muc I like :-)

  31. rob

    > rob: > Like https://observe.jabber.network/ ? No more like disk, memory, CPU, package updates etc

  32. christian

    Do you use composer?

  33. rob

    I don't think so? Like for docker?

  34. jayteeuk

    That's docker-compose. I only know of composer the package manager for PHP, off the top of my head.

  35. rob

    Ah, then no. Not that I am aware. I run everything in docker

  36. jayteeuk

    Sorry, didn't mean to speak on christian's behalf. I may have misunderstood. But regarding monitoring, maybe something like fluentd (or fluent-bit) would be useful?

  37. christian

    Composer is hart to tell what it is ... something between ftp and git

  38. christian

    I don't know much about it but it seems it can handle any kind of files

  39. jayteeuk

    So it's a sort of file transfer program? Do you have a link?

  40. tom

    Yax.im, your conference server is completely down for me

  41. Licaon_Kter

    tom: yeah, https://monal.im/blog/vaxbot-continues-to-grow/

  42. jonas’

    tom, yax.im uses o.j.n, they’re aware. very.

  43. tom

    Orange juice nancys?

  44. tom


  45. tom

    Your monitor

  46. tom

    jonas’: have you thought about making the monitor data public?

  47. Licaon_Kter

    MattJ: regarding the yax&vaccines situation, was prosody tweaked or the push server or?

  48. tom

    I think it would be a pretty valuable resource

  49. Ge0rG

    Sorry, there was a yax.im downtime that seems unrelated to VaxBot

  50. tom

    jonas’: your bot seems to think my tls certificates are about to expire

  51. tom

    Which does not seem to be true