-
Sam
Are there any operators of large public XMPP servers that would be willing to share some connection stats with me? I'd like to know how many s2s connections you have using dialback vs. SASL EXTERNAL. I've got some older stats for jabber.fr, so other servers would be appreciated (and I'd be curious if the jabber.fr stats have changed, but I'm more interested in other servers)
-
Sam
Alternatively if you're not willing to share that: are there any services that *only* support dialback (and why)?
- Maranda thinks he doesn't fall within the large category... but:
-
Maranda
https://lightwitch.org/xmpp/status
-
Sam
Convenient; thanks!
-
Sam
How many of those are dialback vs. external?
-
Maranda
90% are using SASL External
-
Sam
Thanks; that's similar to what jabber.fr was saying before. If anyone else has anything, I'd love to know
-
Maranda
Sam: with M-Link (jabber.org) SASL external always fails so it'll always have to fall back to dialback.
-
Sam
I was worried about something like that, but it's in theory moving to Prosody, no?
-
MattJ
Yes
-
MattJ
Also another data point: Snikket only does EXTERNAL
-
Sam
Good to know, thanks
-
Maranda
also Cisco Jabber, which often doesn't even do TLS on S2S streams, only does dialback.
-
MattJ
I get reports of problems with some domains, but given that practically every implementation supports EXTERNAL for s2s, it's usually an issue of incorrect certificates
-
Maranda
jabberd too.
-
Maranda
Often some servers running OpenFire will mostly only do dialback.
-
Holger
Sam, > Alternatively if you're not willing to share that: are there any services that *only* support dialback (and why)? I'm not aware of Dialback-only configurations, but as MattJ said, of course you _do_ see certificate issues in the wild (failing Let's Encrypt updates; or those recent problems with the Let's Encrypt chain; whatever). So it's not like you could just disable Dialback without a realistic risk of breaking legitimate communication.
-
Sam
This is for something that doesn't yet implement dialback, so it was more to see if I need to implement it for any reason. It had been deprioritized as low-use, but now I'm thinking we might just not implement it at all. Naturally other servers may be misconfigured, I don't necessarily think I should drop a level of security to work around that
-
Sam
If it was already implemented and in use, that might change things, but you can't miss what you don't have :)
-
Holger
The security<->interop thing is the usual trade-off (if you'd only be interested in the security side of the trade-off, you'd do super-strict TLS settings and lose interop with half the ecosystem). But I totally get how you'd want to avoid _implementing_ Dialback 🙂
-
Holger
I'd probably avoid it if possible.
-
Sam
I'm definitely interested in both, not just the security side, but multiple servers with only a tiny fraction of issues (<10% of connections in both cases) and at least one project that doesn't support it at all (and is still popular) seems like a tradeoff that's worth making.
-
jonas’
Sam, if you ping me later today or for instance during council meeting time, I can take a look at search.jabber.network stats.
-
Holger
Quick count of log entries from yesterday + today on c.im says: ~5% of incoming and ~20% of outgoing s2s connections were Dialback-authenticated. The relatively high latter number is due to the LE chain foo, I'd guess. (But counting log entries might be misleading anyway; I should at least count only one entry per remote domain I guess.)
-
Martin
> Sam, > I'm not aware of Dialback-only configurations, … jabber.org
-
Holger
Never heard of that server.
-
Martin
Must be new.
-
jonas’
strange name, too
-
Sam
jonas’: thanks, will do!
-
Sam
Thanks Holger!
-
moparisthebest
Sam: anything that interops with Tor would have to do dialback right? At least on the incoming direction?
-
Sam
Probably
-
moparisthebest
I have a crazy idea re: this but it's standards related so I'll take it to XSF
-
Licaon_Kter
Do tell though...
-
moparisthebest
just a way to validate tor s2s without doing dialback
-
moparisthebest
would need code written and at least an informational xep I guess, we've been needing one for "best practices re: .onion domains" anyway
-
jonas’
moparisthebest, do write one :)
-
ernst.on.tour
@ping xmpp.jp
-
Echo1
ernst.on.tour: Ping failed (remote-server-not-found): Server-to-server connection failed: DNS resolution failed