-
ru_maniac
phew, I'd already forgotten what a toxic person Xabber main developer is
-
ru_maniac
and I thought I got used to kernel developers lingo on LKML
-
Licaon_Kter
ru_maniac: umm? Topic?
-
ru_maniac
I've dug out an old issue from Xabber's github, one re: OMEMO support
-
ru_maniac
the one where he basically said "screw audience if they cannot pay me" and asked to provide him with 1 BTC worth of bounty for him to even consider implementing it
-
ru_maniac
and there were a lot of, let's say, harsh words thrown out from his side. Well, Xabber went and died, all is well, and I've mentioned this openly on Twitter, listing it as an example of toxic behavior around open-source communities
-
ru_maniac
little did I know, dude decided to start a flame thread over his own words from 2017-2019
-
ru_maniac
IIRC, btw, people offered some PRs for him back in the day, ready to go. I've no hard quotes though, he cleaned up comments in the issue quite extensively
-
ru_maniac
I mean, he could've opted for the usual OSS policy: "if you want a feature we don't want to code, code it yourself, and if your code is good enough, we'll merge it" -- or straight up said "thanks, I won't implement or merge this in my app" -- both are valid options, IMO
-
ru_maniac
instead, he opted for #3 -- humiliate people based on their wealth, calling them "junkies" along the way (allegedly, some drug users in Russia used Xabber to access illegal marketplaces -- hence the name-calling)
-
Martin
Ah, the 'drug addicts and cryptowhores' issue. 😂
-
Martin
Wow, is this already over 4 years old?
-
ru_maniac
yep. Honestly, I'm baffled that he decided to start a screaming match with me over this -- I've avoided on purpose mentioning him by name or Twitter handle, instead only mentioning the app itself
-
ru_maniac
naturally, he replied from Xabber's account, and the rough translation would be: "What a little stupid fool. You should treat open-source software as a gift and be grateful. Mugs like you tend to think that if they've downloaded the app, I must lick their boots, or I won't have good business"
-
ru_maniac
which was followed by "The thing with OMEMO went like this: you learn to walk before you run. XMPP for a long time was unable to support sending messages reliably, still is -- and now some retards go and ask for OMEMO, stat"
-
ru_maniac
I mean, I can see how cheerful and not bitter at all he is
-
ru_maniac
(translations are a bit cleaned up, if it's required -- I can back them up with links to original posts, albeit in Russian)
-
croax
ru_maniac: this is not the place here for such a discussion
-
ru_maniac
my apologies. I've mentioned some server-related questions to the person in question as well, hence the conference choice
-
croax
no problem, but this is mixing facts with personal judgments, so there's probably only a bad outcome for this discussion ;-)
-
ru_maniac
croax, appreciate it
-
Jonny
Hey, can anyone explain why I still have the outdated certificate from LE in my chain? https://xmpp.net/result.php?domain=rimkus.it&type=client is it xmpp.net, which has the old LE certificates installed, or my hoster (my hoster uberspace.de handles the generation of certificates for my domains)
-
ru_maniac
it's done for compatibility's sake
-
ru_maniac
older versions of Android do not check the whole cert chain, which allows supporting devices which have only the DST root embedded
-
ru_maniac
it does not affect the security, since up-to-date browsers and OSes will discard the expired cert in the chain, and the proper ISRG root is included in the separate chain anyway
-
ru_maniac
but this little trick allows for devices running Android as old as 7.1.1 to still recognize newly issued certs as the valid ones, with no extra configuration
-
Jonny
Hmm, so I have to live with the "T" result? Sooner or later I'll wish to have my "A" result back 🙃
-
Menel
Xmpp.net is in the wrong, not your server
-
Menel
It's old and outdated and *A+* doesn't mean much
-
Menel
Modern curves are not even supported
-
Jonny
Anyone tried to host the docker image elsewhere?
-
Menel
Is it really just docker?
-
Jonny
Menel: thx, I understand, but I like the concept behind it and it helps to gain trust from new non-tech users. And I haven't discovered an alternative yet
-
Jonny
Menel: when you visit the GitHub repo there's a Dockerfile for running your own instance
-
Menel
use testssl.sh -t xmpp your.server.tld:5269
-
Jonny
I haven't tried it out yet
-
Jonny
Menel: thx will try out
-
Menel
There are also other online services. But I forgot the site..
-
ru_maniac
Jonny, is there an option for you to run certbot by yourself?
-
ru_maniac
you can force it to issue certs which are signed only by ISRG root
-
ru_maniac
with that said, you'll drop support for older OSes
-
Jonny
I could run certbot by myself, have to check how to do it easily; in the worst case I'll have to switch DNS entries temporarily
-
ru_maniac
the command line argument you're looking for is this one
-
ru_maniac
--preferred-chain "ISRG Root X1"
-
Jonny
ru_maniac: great thx
-
ru_maniac
just make sure that your certbot is up to date
-
ru_maniac
I had to install it via snap, the one that Debian has in its repos is quite outdated
-
Jonny
ru_maniac: will do, but I'll also want to try the docker image of xmpp.net
-
Jonny
Hmm, I don't like snaps; anyway, the system of my hoster is CentOS
-
Jonny
So I won't use a package for it
-
ru_maniac
I'm pretty sure that you can install it via source or AppImage, but can't be 100% sure
-
ru_maniac
as for the Docker version: eh, I would imagine it would be faster than the public service, but will probably produce the same results
-
ru_maniac
in any event, I wouldn't pay much attention to XMPP.net results -- as Menel mentioned, it is a quite old and out-of-date service, in terms of security checks and metrics
-
Jonny
My hope is that using it with a more recent base system image and installing the recent deb packages leads to the new certificates in /etc/ssl
-
Jonny
Maybe I should first try testssl.sh then
-
ru_maniac
won't produce results which are any different
-
ru_maniac
the knack here is that while old Android doesn't check the whole cert chain, modern Linux and Windows do
-
ru_maniac
as such, it will fail regardless, due to xmpp.net's logic -- if one of the CAs has gone bad, the whole trust chain has gone bad
-
ru_maniac
I've forced my own server to use only the ISRG chain, and xmpp.net reports valid results -- at least, in terms of cert configuration. So this is not an issue of older or newer certs at /etc/ssl
-
ru_maniac
it's an issue because the cert your server is currently using has DST cross-sign in it
-
ru_maniac
once you upgrade to the ISRG chain only, it'll work properly for XMPP.net -- and it should work right now for pretty much any use, other than "security benchmarking"
-
ru_maniac
do check your logs and see whether there are any errors for s2s or c2s connections related to cert trust issues -- if there are none, you're probably good to go
-
Jonny
ru_maniac: thx, so the only way of getting rid of the outdated certificate in my chain is to re-create my certificate with the switch you mentioned above, right?
-
ru_maniac
if you'd like to get that "A" in the bench results, whilst continuing to use LE -- I would say, yes
-
ru_maniac
once again, I'd like to stress that this is an issue limited only to how XMPP.net interprets certificate chain check results
-
ru_maniac
in terms of actually establishing a connection to a client or another server, the presence of an older expired root CA should not matter at all
-
ru_maniac
so in my opinion, you may do nothing unless you really have to, for some reason -- your security won't be affected
-
Jonny
ru_maniac: thank you 🫂✌️
-
ru_maniac
my pleasure