XMPP Service Operators - 2022-01-13

  1. roland77

    hello, XMPP.net's observatory gives my certificate a T, how can I fix this while I can see that other servers with the same signing certificate (R3 by LE) do pass

  2. MattJ

    roland77, just ignore it, it's xmpp.net's fault

  3. MattJ

    The service will probably be retired soon

  4. roland77

    that would be very sad to hear!

  5. roland77

    https://xmpp.net/result.php?domain=f.haeder.net&type=server#certificates for instance

  6. MattJ

    With luck (i.e. effort) we will have a replacement

  7. roland77

    I hope so because that's a very nice way to know which servers are configured correctly

  8. MattJ

    It's not doing a good job at that

  9. MattJ

    Lots of the recommendations are out of date

  10. MattJ

    Which is just a way to prove that you shouldn't trust every green checkmark you find on the internet :)

  11. roland77

    ah, okay. I then just ignore the recommendations and get an A and 90+ everywhere

  12. roland77

    sure! 😉

  13. MattJ

    At the time it was developed it was more important - OpenSSL (the library that most software uses for TLS) has very bad default settings

  14. Licaon_Kter

    roland77: regenerate cert with intermediary ISRG instead of DST. Beware that Android 6 and older devices might no longer connect unless you import said cert.

  15. Licaon_Kter

    Eg. https://www.stoutner.com/lets-encrypt-isrg-root-x1-and-privacy-browser/

  16. MattJ

    Events like the Snowden leaks and Heartbleed brought more attention on OpenSSL and its widespread use, and these days they have more sensible defaults. It's very uncommon to find software that is using modern OpenSSL that actually has insecure settings.

  17. roland77

    MattJ, unless someone made a mistake and configured it insecurely, maybe only by accident

  18. MattJ

    Right. That's why for Prosody we generally recommend that people *don't* configure it manually. And we have recommended that for many years.

  19. MattJ

    Because the defaults are checked by us, and when people configure it manually they tend to make mistakes because they don't know what they are doing (often they copy/paste from online guides that offer terrible advice)

  20. roland77

    and SSLLabs won't test anything other than port 443 😕

  21. MattJ

    testssl.sh is a recommended testing tool these days

  22. roland77

    Licaon Kter: will check it 🙂

  23. roland77

    MattJ, is it shipped with Prosody?

  24. jonas’

    roland77, no, but debian has it and you can also download it from https://testssl.sh

  25. jonas’

    though that gives a lot of information and doesn't provide a score or similar

  26. roland77

    jonas okay, thank you :0

  27. roland77


  28. roland77

    oh, no TLS 1.2/1.3 is offered. okay, I have work to do. thank you everybody here for pointing me the right direction! 🙂

  29. MattJ

    What OS/server wouldn't offer TLS 1.2?

  30. roland77

    strange, yes. I have tlsv1_2+ in place

  31. Licaon_Kter

    And that's bad?

  32. Licaon_Kter

    And that's bad? Wrong?

  33. roland77

    okay, wrong direction. I thought it ENABLES TLS versions, but it disables them 🙁

  34. roland77

    okay, reverted to tlsv1_1

  35. Holger

    > when people configure it manually they tend to make mistakes because they don't know what they are doing 😂️

  36. Holger

    roland77, just sticking to the defaults won't do the trick?

  37. roland77


  38. roland77


  39. MattJ

    You'll probably enjoy Prosody 0.12 (coming soon). It has room for configuration of this stuff while making it less likely to shoot yourself in the foot.

  40. Holger

    super_secure = yes|no|maybe

  41. jonas’

    Holger, close! something_profile = modern|intermediate

  42. jonas’

    Holger, close! something_profile = modern|intermediate|old

  43. jonas’

    based on the Mozilla recommendations

  44. Holger

    In a perfect world this stuff would be maintained by TLS libraries.

  45. Holger

    I just use OpenSSL's `HIGH` as default in my software. If someone believes HIGH isn't high enough they should go complain to OpenSSL.

  46. MattJ


  47. Holger

    I guess in theory you could argue that some ecosystems are more likely to have to deal with outdated peers than others though.

  48. roland77

    I killed the "protocols" altogether as the default in "options" seems more promising, still no TLSv1.2+ 🙁

  49. roland77

    Testing protocols via sockets except NPN+ALPN
    SSLv2 not offered (OK)
    SSLv3 not offered (OK)
    TLS 1 not offered
    TLS 1.1 not offered
    TLS 1.2 not offered
    TLS 1.3 not offered

  50. jonas’

    roland77, did testssl print a warning above that something may be wrong?

  51. jonas’

    did you run it with --starttls xmpp?

  52. roland77

    oh, I didn't use the latter one

  53. roland77

    doesn't seem to be a TLS/SSL enabled server
    The results might look ok but they could be nonsense. Really proceed ? ("yes" to continue) --> yes

  54. jonas’

    yeah ^ that was the warning I was talking about

  55. jonas’

    you shouldn't see that, if you see it, you called testssl incorrectly for xmpp

  56. roland77

    ah, working better now, thanks!

  57. jonas’

    fwiw, I have a replacement for xmpp.net in the pipeline which calls testssl in the backend

  58. roland77

    that testssl is way more detailed

  59. jonas’

    it is

  60. roland77

    LUCKY13 (CVE-2013-0169), experimental potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches

  61. roland77

    okay, my daughter is here now. I better join her and play with her 🙂

  62. jonas’

    have fun :)

  63. Licaon_Kter

    Tell her about your choice of ciphers... :)

  64. roland77

    thanks 🙂

  65. roland77

    will do 😉

  66. roland77

    fixed the LUCKY13 thing: `ciphers = "HIGH+kEDH:HIGH+kEECDH:HIGH:!PSK:!SRP:!3DES:!aNULL:!SHA1:!SHA256:!SHA384";`

  67. roland77

    I just took the default and added the !SHA1 thingy 🙂

  68. jonas’

    are there any ciphers left after that? :)

  69. jonas’

    note that CBC is always vulnerable, AIUI ("check patches")

  70. roland77

    is there any difference between using R3 and ISRG?

  71. jonas’


  72. jonas’

    ISRG locks android <= 6 devices out

  73. jonas’

    R3 locks android <= 6 devices out

  74. roland77

    ah, okay

  75. jonas’

    ISRG locks android <= 6 devices out

  76. jonas’

    sorry, I always mix that up

  77. roland77

    but I might not have to worry about it as my server is limited to their users (only 2, including me) 🙂

  78. Holger

    X3 locks out OpenSSL 1.0.2, for example.

  79. Holger

    https://letsencrypt.org/2020/12/21/extending-android-compatibility.html vs.: https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/

  80. jonas’

    even debian oldoldstable has 1.1.x tho

  81. Holger

    Even my oldest phone has Android 7 tho 😉

  82. jonas’

    my oldest phone has android 4.4

  83. jonas’

    and even that was an experimental update

  84. Holger

    You're right and I'm wrong.

  85. jonas’

    nobody said anything which is objectively wrong :)

  86. roland77

    next stop: courier -> dovecot replacement as courier uses TLSv1.1 (looks like no 1.2+ support)

  87. Holger


  88. Holger

    So you skipped Cyrus 🙂

  89. roland77

    I need MySQL support as my authentication data is in such a database

  90. roland77

    and mails are ordered in /var/mail/virtual/$domain/$user

  91. ij

    Maybe considering migration from sql to ldap as auth backend would be a good idea as well...

  92. ij

    I don't regret the migration myself

  93. huhn

    Is there any public libera irc-xmpp gateway available?

  94. Menel

    Other way round, there are many.. (Xmpp--irc)

  95. huhn

    oops i meant xmpp-irc

  96. Menel

    E.g. https://irc.jabberfr.org/

  97. huhn


  98. Menel

    The syntax is on that site as an example. Don't forget the #

  99. Menel

    It's always #room%irchost@thegatewayxmppserver.tld

  100. Menel

    Join as you join any open room

  101. jonas’

    Prosody 0.11.12 released, security update for remote unauthenticated Denial of Service via websockets: https://prosody.im/security/advisory_20220113/

  102. moparisthebest

    jonas’, what version does `prosodyctl shell module unload websocket` work on? I had to `telnet 5582` and run `module:unload('websocket')` instead

  103. jonas’


  104. jonas’

    that would probably have been worth differentiating

  105. jonas’

    I'll post a note

  106. moparisthebest


  107. jonas’

    follow up sent, thanks

  108. Neustradamus

    Time to update:
    - https://news.ycombinator.com/item?id=29921870
    - https://www.reddit.com/r/xmpp/comments/s327wa/prosody_01112_released_cve20220217_fix/

  109. jonas’

    Neustradamus, next time, check if the very same info has not been posted just above

  110. Ge0rG

    but it's about karma points!

  111. Licaon_Kter

    How come Neustradamus you didn't post the official direct links at all?

  112. Neustradamus

    jonas’: It is not the same link ;) It is the 0.11.12 Prosody announcement.

  113. jonas’

    Neustradamus, it's the same content though

  114. jonas’

    hence, I did not say "link", but "info"

  115. Ellenor Bjornsd.

    is blah.im ok?.. >.<

  116. alacer

    Ellenor Bjornsd.: I did not have a good message delivery experience in the S2S case in the past, somewhere in 2018-2019 or Q3/4 2019. But its S2S has issues with message delivery.