XMPP Service Operators - 2022-01-05

  1. ru_maniac

    phew, I'd already forgotten what a toxic person Xabber's main developer is

  2. ru_maniac

    and I thought I'd got used to kernel developers' lingo on LKML

  3. Licaon_Kter

    ru_maniac: umm? Topic?

  4. ru_maniac

    I've dug out an old issue from Xabber's github, one re: OMEMO support

  5. ru_maniac

    the one where he basically said "screw audience if they cannot pay me" and asked to provide him with 1 BTC worth of bounty for him to even consider implementing it

  6. ru_maniac

    and there were a lot of, let's say, harsh words thrown out from his side. Well, Xabber went and died, all is well, and I've mentioned this openly on Twitter, listing it as an example of toxic behavior around open-source communities

  7. ru_maniac

    little did I know, dude decided to start a flame thread over his own words from 2017-2019

  8. ru_maniac

    IIRC, btw, people offered some PRs for him back in the day, ready to go. I've no hard quotes though; he cleaned up comments in the issue quite extensively

  9. ru_maniac

    I mean, he could've opted for the usual OSS policy: "if you want a feature we don't want to code, code it yourself, and if your code is good enough, we'll merge it" -- or straight up said "thanks, I won't implement or merge this in my app" -- both are valid options, IMO

  10. ru_maniac

    instead, he opted for #3 -- humiliate people based on their wealth, calling them "junkies" along the way (allegedly, some drug users in Russia used Xabber to access illegal marketplaces -- hence the name-calling)

  11. Martin

    Ah, the 'drug addicts and cryptowhores' issue. 😂

  12. Martin

    Wow, is this already over 4 years old.

  13. Martin

    Wow, is this already over 4 years old?

  14. ru_maniac

    yep. Honestly, I'm baffled that he decided to start a screaming match with me over this -- I've purposely avoided mentioning him by name or Twitter handle, instead only mentioning the app itself

  15. ru_maniac

    naturally, he replied from Xabber's account, and the rough translation would be: "What a little stupid fool. You should treat open-source software as a gift and be grateful. Mugs like you tend to think that if they've downloaded the app, I must lick their boots, or I won't have good business"

  16. ru_maniac

    which was followed by "The thing with OMEMO went like this: you learn to walk before you run. XMPP for a long time was unable to support sending messages reliably, still is -- and now some retards go and ask for OMEMO, stat"

  17. ru_maniac

    I mean, I can see how cheerful and not bitter at all he is

  18. ru_maniac

    (translations are a bit cleaned up, if it's required -- I can back them up with links to original posts, albeit in Russian)

  19. croax

    ru_maniac: this is not the place here for such a discussion

  20. ru_maniac

    my apologies. I've mentioned some server-related questions to the person in question as well, hence the conference choice

  21. croax

    no problem, but this mixes facts with personal judgments, so there's probably only a bad outcome for this discussion ;-)

  22. ru_maniac

    croax, appreciate it

  23. Jonny

    Hey, can anyone explain why I still have the outdated certificate from LE in my chain? https://xmpp.net/result.php?domain=rimkus.it&type=client Is it xmpp.net, which has the old LE certificates installed, or my hoster (my hoster uberspace.de) that handles the generation of certificates for my domains?

  24. Jonny

    Hey, can anyone explain why I still have the outdated certificate from LE in my chain? https://xmpp.net/result.php?domain=rimkus.it&type=client Is it xmpp.net, which has the old LE certificates installed, or my hoster? (My hoster, uberspace.de, handles the generation of certificates for my domains.)

  25. ru_maniac

    it's done for compatibility's sake

  26. ru_maniac

    older versions of Android do not check the whole cert chain, which allows supporting devices which have only the DST root embedded

  27. ru_maniac

    it does not affect the security, since up-to-date browsers and OSes will discard the expired cert in the chain, and the proper ISRG root is included in the separate chain anyway

  28. ru_maniac

    but this little trick allows devices running Android as old as 7.1.1 to still recognize newly issued certs as valid, with no extra configuration

  29. Jonny

    Hmm, so I have to live with the "T" result? Sooner or later I'll wish to have my "A" result back 🙃

  30. Menel

    Xmpp.net is in the wrong, not your server

  31. Menel

    It's old and outdated, and *A+* doesn't mean much

  32. Menel

    Modern curves are not even supported

  33. Jonny

    Anyone tried to host the docker image elsewhere?

  34. Menel

    Is it really just docker?

  35. Jonny

    Menel: thx, I understand, but I like the concept behind it and it helps to gain trust for new non-tech users. And I haven't discovered an alternative yet

  36. Jonny

    Menel: when you visit the GitHub repo there's a Dockerfile for running your own instance

  37. Menel

    use testssl.sh -t xmpp your.server.tld:5269

  38. Jonny

    I haven't tried it out yet

  39. Jonny

    Menel: thx, will try it out

  40. Menel

    There are also other online services. But I forgot the site..

  41. ru_maniac

    Jonny, is there an option for you to run certbot by yourself?

  42. ru_maniac

    you can force it to issue certs which are signed only by ISRG root

  43. ru_maniac

    with that said, you'll drop support for older OSes

  44. Jonny

    I could run certbot by myself; I have to check how to do it easily. In the worst case I'll have to switch DNS entries temporarily

  45. ru_maniac

    the command line argument you're looking for is this one

  46. ru_maniac

    --preferred-chain "ISRG Root X1"

  47. Jonny

    ru_maniac: great thx

  48. ru_maniac

    just make sure that your certbot is up to date

  49. ru_maniac

    I had to install it via snap; the one that Debian has in its repos is quite outdated

  50. Jonny

    ru_maniac: will do, but I'll also want to try the docker image of xmpp.net

  51. Jonny

    Hmm, I don't like snaps; anyway, my hoster's system is CentOS

  52. Jonny

    So I won't use a package for it

  53. ru_maniac

    I'm pretty sure that you can install it from source or as an AppImage, but I can't be 100% sure

  54. ru_maniac

    as for the Docker version: eh, I would imagine it would be faster than the public service, but it will probably produce the same results

  55. ru_maniac

    in any event, I wouldn't pay much attention to XMPP.net results -- as Menel mentioned, it is a quite old and out-of-date service, in terms of security checks and metrics

  56. Jonny

    My hope is that using it with a more recent base system image and installing the recent deb packages leads to the new certificates in /etc/ssl

  57. Jonny

    Maybe I should try testssl.sh first, then

  58. ru_maniac

    won't produce results which are any different

  59. ru_maniac

    the knack here is that while old Android doesn't check the whole cert chain, modern Linux and Windows do

  60. ru_maniac

    as such, it will fail regardless, due to xmpp.net's logic -- if one of the CAs has gone bad, the whole trust chain has gone bad

  61. ru_maniac

    I've forced my own server to use only the ISRG chain, and xmpp.net reports valid results -- at least, in terms of cert configuration. So this is not an issue of older or newer certs in /etc/ssl

  62. ru_maniac

    it's an issue because the cert your server is currently using has DST cross-sign in it

  63. ru_maniac

    once you upgrade to the ISRG-only chain, it'll work properly for XMPP.net -- and it should work right now for pretty much any use, other than "security benchmarking"

  64. ru_maniac

    do check your logs and see whether there are any errors for s2s or c2s connections related to cert trust issues -- if there are none, you're probably good to go

  65. Jonny

    ru_maniac: thx, so the only way of getting rid of the outdated certificate in my chain is to re-create my certificate with the switch you mentioned above, right?

  66. ru_maniac

    if you'd like to get that "A" in the bench results, whilst continuing to use LE -- I would say, yes

  67. ru_maniac

    once again, I'd like to stress that this is an issue limited only to how XMPP.net interprets certificate chain check results

  68. ru_maniac

    in terms of actually establishing a connection to a client or another server, the presence of an older expired root CA should not matter at all

  69. ru_maniac

    so in my opinion, you may do nothing unless you really have to, for some reason -- your security won't be affected

  70. Jonny

    ru_maniac: thank you 🫂✌️

  71. ru_maniac

    my pleasure