XMPP Service Operators - 2021-11-17

Establishing a secure connection from jotwewe.de to p2.siacs.eu failed. Certificate hash: 6bb89cc5fa534e6c5cf98416c2ffe73b9d67691c. Error with certificate 0: certificate has expired.

Holger?

Establishing a secure connection from lebihan.pl to p2.siacs.eu failed. Certificate hash: ae938b9fda5f1fd4c74303f94259fb7fb930f1434b50d72d745a5b3ecf15cce1. Error with certificate 0: certificate has expired.

ibikk, mimi89999: I'm not involved with p2.siacs.eu; anyway to me it looks like the actual certificate is fine, it's just that the LE chain that's cross-signed by the expired DST Root CA X3 is included.

But why would mimi89999 ibikk see this now and not on Sep 30?

He should probably change that, but I guess it's been that way all the time?

Yeah, weird.

I (a) hate hate hate LE for that stunt and (b) personally just enable Dialback for such reasons so I keep having a hard-time motivating myself with spending lots of time on this crap ;-P

But what breaks when that root is included? Only old/buggy software, right?

E.g. old OpenSSL

> Certificate hash: 6bb89cc5fa534e6c5cf98416c2ffe73b9d67691c > Certificate hash: ae938b9fda5f1fd4c74303f94259fb7fb930f1434b50d72d745a5b3ecf15cce1 Interesting.

MattJ: That's my understanding, yes.

mjk: What are those hashes?

Ah from above.

Curious why it's sha1 in one case and sha256(?) in the other

My servers are happy with p2.siacs.eu, FWIW.

Mine not.

MattJ, Holger: the machine in question (hopefully) is not running old/buggy software, at least not an old openssl. debian 10 with its openssl 1.1.1d. So what can I do about it?

> Nov 17 09:25:01 s2sout56138c1a9f80 info Outgoing s2s stream mdosch.de->p2.siacs.eu closed: Your server's certificate has expired

Just to double check, this means mdosch.de is saying p2's certificate is expired, not vice-versa, right?

> Your server's certificate has expired Aha. I suspected the difference in the hashes is because it's p2 that rejects the certs

FWIW I did this to check: $ openssl s_client -showcerts -starttls xmpp-server -connect ganymede.siacs.eu:5269 -xmpphost p2.siacs.eu > /tmp/p2-chain.pem < /dev/null && openssl x509 -text -in /tmp/p2-chain.pem | less ```

The logging could be more clear about whose cert it's about

> Just to double check, this means mdosch.de is saying p2's certificate is expired, not vice-versa, right? I think it's p2 complaining. Does it run on a very old android? 😲

p2 is also happy with my server's certs, so it's not that p2's clock is totally off or something.

Incoming s2s from p2 worked now.

Martin: > Does it run on a very old android? 😲 Very old androids _wouldn't_ complain, that was the point of leaving the old root in the certs! :))

Maybe it stumbles on the isrg one which old androids don't recognize afaik.

Martin: The problem is new? No such complaints in yesterday's logs?

"expired" doesn't sound like stumbling over the new root.

Hmm. Is something trying to mitm p2.siacs.eu? :)

Only today.

mjk: The attacker got everything right except using the wrong LE chain!!!

Hah

BTW, why is p2.siacs.eu IPv4 only?

To not add even more complexity/uncertainty to such issues? 😂

(No idea.)

Holger, and exclude users on v6-only services? :)

Those actually exist?

I anticipate hetzner offering IPv6-only servers soon-ish, given that they now increased prices for all cloud boxes because of IPv4 shortage

Holger, digital ocean smallest tier only comes with IPv6, too.

I guess once your support department is done responding to all your v4-only customers they should talk to the p2 operator :-)

Holger, I *think* that my friends&family server would do just fine without IPv4. ✏

… not once the people leave their home, but still.

Not offering IPv6 seems like a weird choice in 2021. :(

Martin, I guess the choice wasn't made in 2021 ;)

Not sure whether it was less weird in 2015 or so…

T-DSL is v4-only, for example. They have a few users in .de.

Holger, is it?

But sure for family & friends you might be lucky.

Yes it is (I'm a customer myself).

what is this, then? 2003:c2:7f19:8f00:74e0:7bda:f4cc:44/128

I don't understand v4 only arguments as nobody suggests you to drop v4. :D

Martin: I came up with an argument above.

(is this the difference between DSL and VDSL? :))

Holger: maybe your router is v4 only?

But sure once there are v6-only services supporting those certainly makes sense :-)

The literally only good thing one can say about DTAG is that they were fast to deploy IPv6

though, my f&f server doesn't care about p2., because they're all running snikket anyway (and that *does* have v6 on its push servers)

most Italy's soho/sb internet offers don't provide IPv6 by default.

That's entirely still optional

I had to fight my ISP hard to get IPv4

Oh… ✏

So, without fighting for v4 no Github for you. :P

Martin: well, I had DS-Lite by default.

But that's to say TIM owns Sparkle and Seabone so Italy has huge IPv4 address space allocations.

Also why would I want github? All they serve is a nuclear waste dump called npm.

Holger, I have quite a few IPv6-only instances, but then I don’t use Conversations.

Although now that I have installed Android on some device, I could actually start testing this client!

Ge0rG: Dosn't yaxim live there too?

jonas', Martin, Ge0rG, hah interesting, web search says you're totally right. I'll try to figure out why _I_ don't have v6 then :-)

Link Mauve: I'm just assuming that you'll easily stumble over v4-only users if your instance isn't small/private.

Holger: because you are using this?

https://upload.wikimedia.org/wikipedia/commons/thumb/a/a8/Acoustic_modem_and_phone_plugged.jpg/220px-Acoustic_modem_and_phone_plugged.jpg

State of the art in Berlin…

Yes Bavaria doesn't pay us good enough for modern tech.

These days I'm just using a boring FRITZ!Box like the rest of the country. Docs sound like I need to enable v6 explicitly? In that case I'd be back to my assumption that half .de will be v4-only :-P

But I'll try not to spam this room with my router config issues.

We can't pay you more. Two years without Oktoberfest. Where shall the money come from if we can't loot the wallets of American, Australian and Italian tourists?

I have a Fritzbox too. Don't remember whether v6 was enabled per default…

Martin: I thought we were more "looting" on the wallets of German tourists than the other way around 🤣

``` $ who am i holger pts/11 Nov 17 12:09 (2003:d3:171e:9b00:3fa3:22f2:a701:3b5f) ``` \o/

Glad we talked about this.

Holger: _you are not your IP_

Sure I am!

So can we disable v4 everywhere now?

Holger, yep, let's start with github.com

Maranda: If you look at the Oktoberfest there are more tourists from all over the world than germans.

Except the middle weekend, the so called "italian weekend" when most people are … italians. :)

*cough* topic *cough*

MattJ: Cought a cold?

It's ok we are gonna update/replace all networking equipment on the internet to free up a few more IPv4 addresses but still not to support IPv6 https://www.ietf.org/id/draft-schoen-intarea-unicast-127-00.html

> This document redefines the IPv4 local loopback network as consisting only of the 65,536 addresses 127.0.0.0 to 127.0.255.255 (127.0.0.0/16). It asks implementers to make addresses in the prior loopback range 127.1.0.0 to 127.255.255.255 fully usable for unicast use on the Internet. Wow.

guys... if we don't do this amazon might run out of IPs, won't someone think of the children !!!!

> IPv6, despite its vastly larger pool of available address space, allocates only a single local loopback address (::1) [RFC4291]. This appears to be an architectural vote of confidence in the idea that Internet protocols ultimately do not require millions of distinct loopback addresses.

Explicitly acknowledged in that RFC is that "many deployed systems" are going to need to have their handling of Martians changed.

moparisthebest: you might think "well if you're going to upgrade all of your equipment and networking code anyway, why not just start using IPv6?"..., but I guess it's significantly easier to get people to change an 8 to a 16 than to get them to finally learn about IPv6. I have to admit, it's been decades and I still don't understand IPv6.

So..., anyone here actually using localnet addresses other than 1 and 0? 🤷 The have been some interesting "local" XMPP applications I've seen, but not using *that* addressing scheme.

rozzin, ntpd does, for instance.

It defaults to 127.127.x.x, see https://gist.github.com/edro15/c3fbaaabfe31ecb799363ffab587f336

I’m sure other software or systems do as well.

rozzin, I mean it's identical to ipv4, just a different address space

moparisthebest: and there's no NAT, and it's not even obvious how to parse the addresses for someone who just knows IPv4.

moparisthebest: ?

there can be NAT

if you had thousands of IPv4 addresses you wouldn't use NAT either

moparisthebest: I sure would if it meant that I wouldn't have to learn or think about how packets get routed into my LAN nodes from outside, that I could just avoid being confronted by all of the weird new IPv6-specific flags in OpenWRT, etc.

if you don't want to think, that's what ISP-provided wifi routers are for :D

if you have your own IPv4 network set up though, setting up IPv6 is just like setting up another one

you can absolutely set it up exactly the same way, 1 public IPv6, NAT to all the rest, now ipv6 folks might scream at you but meh

otherwise it's 1 firewall rule to say "only allow connections initiated from my lan devices to the outside first, not vice versa" to get the same "security" effect as NAT with globally routable addresses instead

:FORWARD DROP [0:0] -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT -A FORWARD -i lan -j ACCEPT

oops 2 rules

https://http.xmpp.xyz:5281/upload/UcASGg_Rl7JJL_C7/QOkd1DrLQdiEDgw_TZN2WA.png

To _really_ close the drinking topic ↑

moparisthebest: > otherwise it's 1 firewall rule to say "only allow connections initiated from my lan devices to the outside first, not vice versa" to get the same "security" effect as NAT with globally routable addresses instead That was (happy-)eye-opening, TIL, thanks!

rozzin: > So..., anyone here actually using localnet addresses other than 1 and 0? Yup, I remember doing some strange things with ssh port forwarding. And/or openvpn

But yes, I hope the draft of the prolong-the-throes-of-the-IPv4-zombie standard won't get much farther