XMPP Service Operators - 2022-01-05

phew, I'd already forgotten what a toxic person Xabber main developer is

and I thought I got used to kernel developers lingo on LKML

ru_maniac: umm? Topic?

I've dug out an old issue from Xabber's github, one re: OMEMO support

the one where he basically said "screw audience if they cannot pay me" and asked to provide him with 1 BTC worth of bounty for him to even consider implementing it

and there were a lot of, let's say, harsh words thrown out from his side well, Xabber went and died, all is well, and I've mentioned this openly on Twitter, listing as an example of toxic behavior around open-source communities

little did I knew, dude decided to start a flame thread) over his own words from 2017-2019

IIRC, btw, people offered some PR's for him back in the day, ready to go i've no hard quotes though, he cleaned up comments in the issue quite extensively

I mean, he could've opted out to usual OSS policy: "if you want feature we don't want to code, code it yourself, and if your code is good enough, we'll merge it" -- or straight up said "thanks, i won't implement or merge this in my app" -- both are valid options, IMO

instead, he opted out for #3 -- humiliate people based on their wealth, calling them "junkies" along the way (allegedly, some drug users in Russia used Xabber to access illegal marketplaces -- hence the name-calling)

Ah, the 'drug addicts and cryptowhores' issue. 😂

Wow, is this already over 4 years old? ✏

yep honestly, I'm baffled that he decided to start a screaming match with me over this -- I've avoided on purpose mentioning him by name or Twitter handle, instead only mentioning the app itself

naturally, he replied from Xabber's account, and the rough translation would be: "What a little stupid fool. You should treat open-source software as a gift and be grateful. Mugs like you tend to think that if they've downloaded the app, I must lick their boots, or I won't have good business"

which was followed by "The thing with OMEMO went like this: you learn to walk before you run. XMPP for a long time was unable to support sending messages reliably, still is -- and now some retards go and ask for OMEMO, stat"

I mean, I can see how cheerful and not bitter at all he is

(translations are a bit cleaned up, if it's required -- I can back them up with links to original posts, albeit in Russian)

ru_maniac: this is not the place here for such a discussion

my apologies I've mentioned some server-related questions to the person in question as well, hence the conference choice

no problem, but mixing facts with personal judgments, so there's probably only a bad outcome for this discussion ;-)

croax, appreciate it

Hey, can anyone explain why I still have the outdated certificate from LE in my chain? https://xmpp.net/result.php?domain=rimkus.it&type=client is it xmpp.net, which has the old LE certificates installed or my hoster (my hoster uberspace.de handles the generation of certificate's for my domains) ✏

it's done for compatibility sake

older versions of Android do not check the whole cert chain, which allows to support devices which have only DST root embedded

it does not affect the security, since up-to-date browsers and OSes will discard expired cert in chain, and proper ISRG root is included in the separate chain anyway

but this little trick allows for devices running Android as old as 7.1.1 to still recognize newly issued certs as the valid ones, with no extra configuration

Hmm so I have to live with the "T" result? sooner or later I'll wish to have my "A" result back🙃

Xmpp.net is in the wrong, not your server

Its old and outdated and *A+* doesn't mean much

Modern curves are not even supportet

Anyone tried to host the docker image elsewhere?

Is it really just docker?

Menel: thx I understand, but I like the concept behind it and helps to gain trust for new non tech user's. And I haven't discovered an alternative yet

Menel: when you visit the GitHub repo there's a docker file for running your own instance

use testssl.sh -t xmpp your.server.tld:5269

I'll haven't tried out yet

Menel: thx will try out

There are also other online services. But I forgot the site..

Jonny, is there an option for you to run certbot by yourself?

you can force it to issue certs which are signed only by ISRG root

with that said, you'll drop support for older OSes

I could run certbot by myself have to check how to do it easily, in worst case I'll have to switch DNS entries temporary

the command line argument you're looking for is this one

--preferred-chain "ISRG Root X1"

ru_maniac: great thx

just make sure that your certbot is up to date

i had to install it via snap, the one that Debian has in its repos is quite outdated

ru_maniac: will do, but I'll also want to try the docker image of xmpp.net

Hmm I don't like snaps, anyway the system of my hoster is centos

So I won't use a package for it

i'm pretty sure that you can install it via source or appimage, but can't be 100% sure

as for the Docker version: eh, I would imagine it would be faster than public service, but probably will produce the same results

in any event, I wouldn't pay much attention to XMPP.net results -- as Menel mentioned, it is quite old and out-of-date service, in terms of security checks and metrics

My hope is that using it with a more recent base system image and installing the recent deb packages it leads to the new certificates in /etc/ssl

Maybe I should then first try testssl.sh first

won't produce results which are any different

the knack here is that while old Android doesn't check the whole cert chain, modern Linux and Windows do

as such, it will fail regardless, due to the xmpp.net's logic -- if one of the CAs gone bad, the whole trust chain gone bad

i've forced my own server to use only ISRG chain, and xmpp.net reports valid results -- at least, in terms of cert configuration so this is not an issue of older or newer certs at /etc/ssl

it's an issue because the cert your server is currently using has DST cross-sign in it

once you'll upgrade to ISRG chain only, it'll work properly for XMPP.net -- and should work right now for pretty much any use, other than "security benchmarking"

do check your logs and see whether there are any errors for s2s or c2s connections related to cert trust issues -- if there are none, you're probably good to go

ru_maniac: thx, so the only way of getting rid of the outdated certificate in my chain is to re-create my certificate with the switch you mentioned above right?

if you'd like to get that "A" in the bench results, whilst continue to use LE -- I would say, yes

once again, I'd like to stress out that this is an issue limited only to how XMPP.net interprets certificate chain check results

in terms of actually establishing connection to client or another server, the presence of an older expired root CA should matter none

so in my opinion, you may do nothing unless you really have to, for some reason -- your security won't be affected

ru_maniac: thank you 🫂✌️

my pleasure