XMPP Service Operators - 2022-01-13

hello, the XMPP.net's observatory gives my certificate a T, how can I fix this while I can see that other servers with same signing certificate (R3 by LE) do pass

roland77, just ignore it, it's xmpp.net's fault

The service will probably be retired soon

that would be very sad to hear!

https://xmpp.net/result.php?domain=f.haeder.net&type=server#certificates for instance

With luck (i.e. effort) we will have a replacement

I hope so because that's a very nice way to know which servers are configured correctly

It's not doing a good job at that

Lots of the recommendations are out of date

Which is just a way to prove that you shouldn't trust every green checkmark you find on the internet :)

ah, okay. I then just ignore the recommendations and get an A and 90+ everywhere

sure! 😉

At the time it was developed it was more important - OpenSSL (the library that most software uses for TLS) has very bad default settings

roland77: regenerate cert with intermediary ISRG instead of DST. Beware that Android 6 and older devices might no longer connect unless you import said cert.

Eg. https://www.stoutner.com/lets-encrypt-isrg-root-x1-and-privacy-browser/

Events like the Snowden leaks and Heartbleed brought more attention on OpenSSL and its widespread use, and these days they have more sensible defaults. It's very uncommon to find software that is using modern OpenSSL that actually has insecure settings.

MattJ unless someone made a mistake and configures it insecure, maybe only by accident

Right. That's why for Prosody we generally recommend that people *don't* configure it manually. And we have recommended that for many years.

Because the defaults are checked by us, and when people configure it manually they tend to make mistakes because they don't know what they are doing (often they copy/paste from online guides that offer terrible advice)

and SSLLabs won't test anything other than port 443 😕

testssl.sh is a recommended testing tool these days

Licaon Kter: will check it 🙂

Mattj is it shipped with prosody?

roland77, no, but debian has it and you can also download it from https://testssl.sh

though that gives a lot of information and doesn't provide a score or similar

jonas okay, thank you :0

🙂

oh, no TLS 1.2/1.3 is offered. okay, I have work to do. thank you everybody here for pointing me the right direction! 🙂

What OS/server wouldn't offer TLS 1.2?

strange, yes. I have tlsv1_2+ in place

And that's bad? Wrong? ✏

okay, wrong direction. I thought it ENABLES TLS versions, but it disables them 🙁

okay, reverted to tlsv1_1

> when people configure it manually they tend to make mistakes because they don't know what they are doing 😂️

roland77, just sticking to the defaults won't do the trick?

😂️ ✏

You'll probably enjoy Prosody 0.12 (coming soon). It has room for configuration of this stuff while making it less likely to shoot yourself in the foot.

super_secure = yes|no|maybe

Holger, close! something_profile = modern|intermediate|old ✏

based on the mozilla recommendations

In a perfect world this stuff would be maintained by TLS libraries.

I just use OpenSSL's `HIGH` as default in my software. If someone believes HIGH isn't high enough they should go complain to OpenSSL.

Yes

I guess in theory you could argue that some ecosystems are more likely to have to deal with outdated peers than others though.

I killed the "protocols" all together as the default in "options" seems more promising, still no TLSv1.2+ 🙁

Testing protocols via sockets except NPN+ALPN SSLv2 not offered (OK) SSLv3 not offered (OK) TLS 1 not offered TLS 1.1 not offered TLS 1.2 not offered TLS 1.3 not offered

roland77, did testssl print a warning above that something may be wrong?

did you run it with --starttls xmpp?

oh, I didn't use the later one

188.138.90.169:5269 doesn't seem to be a TLS/SSL enabled server The results might look ok but they could be nonsense. Really proceed ? ("yes" to continue) --> yes

yeah ^ that was the warning I was talking about

you shouldn't see that, if you see it, you called testssl incorrectly for xmpp

ah, working better now, thanks!

fwiw, I have a replacement for xmpp.net in the pipeline which calls testssl in the backend

that testssl is way more detailed

it is

LUCKY13 (CVE-2013-0169), experimental potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches

okay, my daughter is here now. I better join her and play with her 🙂

have fun :)

Tell her about your choice of ciphers... :)

thanks 🙂

will do 😉

fixed the LUCKY13 thing: ciphers = "HIGH+kEDH:HIGH+kEECDH:HIGH:!PSK:!SRP:!3DES:!aNULL:!SHA1:!SHA256:!SHA384";

I just took the default and added the !SHA1 thingy 🙂

are there any ciphers left after that? :)

note that CBC is always vulnerable, AIUI ("check patches")

is there any difference between using R3 and XSRG?

yes.

R3 locks android <= 6 devices out ✏

ah, okay

ISRG locks android <= 6 devices out ✏

sorry, I always mix that up

but I might not have to worry about it as my server is limited to their users (only 2, including me) 🙂

X3 locks out OpenSSL 1.0.2, for example.

https://letsencrypt.org/2020/12/21/extending-android-compatibility.html vs.: https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/

even debian oldoldstable has 1.1.x tho

Even my oldest phone has Android 7 tho 😉

my oldest phone has android 4.4

and even that was an experimental update

You're right and I'm wrong.

nobody said anything which is objectively wrong :)

next stop: courier -> dovecot replacement as courier uses TLSv1.1 (looks like no 1.2+ support)

Courier!

So you skipped Cyrus 🙂

I need MySQL support as my authentication data is such database

and mails are ordered in /var/mail/virtual/$domain/$user

Maybe considering migration from sql to ldap as auth backend would be a good idea as well...

I don't regret the migration myself

Is there any public libera irc-xmpp gateway available?

Other way round, there are many.. (Xmpp--irc)

oops i meant xmpp-irc

E.g. https://irc.jabberfr.org/

thx

The syntax is on that site as example. Don't forget the #

Its always #room%irchost@thegatewayxmppserver.tld

Join as you join any open room

Prosody 0.11.12 released, security update for remote unauthenticated Denial of Service via websockets: https://prosody.im/security/advisory_20220113/

jonas’, what version does `prosodyctl shell module unload websocket` work on? I had to `telnet 127.0.0.1 5582` and run `module:unload('websocket')` instead

trunk

that would probably have been worth differentiating

I'll post a note

+1

follow up sent, thanks

Time to update: - https://news.ycombinator.com/item?id=29921870 - https://www.reddit.com/r/xmpp/comments/s327wa/prosody_01112_released_cve20220217_fix/

Neustradamus, next time, check if the very same info has not been posted just above

but it's about karma points!

How come Neustradamus you didn't post the official direct links at all?

jonas’: It is not the same link ;) It is the 0.11.12 Prosody announcement.

Neustradamus, it's the same content though

hence, I did not say "link", but "info"

is blah.im ok?.. >.<

Ellenor Bjornsd.: I did not had a good Messege Delivery Exp in S2S case in Past, Somewhere in 2018-2019 or Q3/4 2019.. But its S2S has issue for messege deliverys