-
roland77
hello, the XMPP.net's observatory gives my certificate a T, how can I fix this while I can see that other servers with same signing certificate (R3 by LE) do pass
-
MattJ
roland77, just ignore it, it's xmpp.net's fault
-
MattJ
The service will probably be retired soon
-
roland77
that would be very sad to hear!
-
roland77
https://xmpp.net/result.php?domain=f.haeder.net&type=server#certificates for instance
-
MattJ
With luck (i.e. effort) we will have a replacement
-
roland77
I hope so because that's a very nice way to know which servers are configured correctly
-
MattJ
It's not doing a good job at that
-
MattJ
Lots of the recommendations are out of date
-
MattJ
Which is just a way to prove that you shouldn't trust every green checkmark you find on the internet :)
-
roland77
ah, okay. I then just ignore the recommendations and get an A and 90+ everywhere
-
roland77
sure!
-
MattJ
At the time it was developed it was more important - OpenSSL (the library that most software uses for TLS) has very bad default settings
-
Licaon_Kter
roland77: regenerate cert with intermediary ISRG instead of DST. Beware that Android 6 and older devices might no longer connect unless you import said cert.
-
Licaon_Kter
Eg. https://www.stoutner.com/lets-encrypt-isrg-root-x1-and-privacy-browser/
-
MattJ
Events like the Snowden leaks and Heartbleed brought more attention on OpenSSL and its widespread use, and these days they have more sensible defaults. It's very uncommon to find software that is using modern OpenSSL that actually has insecure settings.
-
roland77
MattJ unless someone made a mistake and configured it insecurely, maybe only by accident
-
MattJ
Right. That's why for Prosody we generally recommend that people *don't* configure it manually. And we have recommended that for many years.
-
MattJ
Because the defaults are checked by us, and when people configure it manually they tend to make mistakes because they don't know what they are doing (often they copy/paste from online guides that offer terrible advice)
-
roland77
and SSLLabs won't test anything other than port 443
-
MattJ
testssl.sh is a recommended testing tool these days
-
roland77
Licaon_Kter: will check it
-
roland77
Mattj is it shipped with prosody?
-
jonas’
roland77, no, but Debian has it and you can also download it from https://testssl.sh
-
jonas’
though that gives a lot of information and doesn't provide a score or similar
-
roland77
jonas okay, thank you :0
-
roland77
oh, no TLS 1.2/1.3 is offered. okay, I have work to do. thank you everybody here for pointing me in the right direction!
-
MattJ
What OS/server wouldn't offer TLS 1.2?
-
roland77
strange, yes. I have tlsv1_2+ in place
-
Licaon_Kter
And that's bad? Wrong?
-
roland77
okay, wrong direction. I thought it ENABLES TLS versions, but it disables them
-
roland77
okay, reverted to tlsv1_1
-
Holger
> when people configure it manually they tend to make mistakes because they don't know what they are doing
-
Holger
roland77, just sticking to the defaults won't do the trick?
-
MattJ
You'll probably enjoy Prosody 0.12 (coming soon). It has room for configuration of this stuff while making it less likely to shoot yourself in the foot.
-
Holger
super_secure = yes|no|maybe
-
jonas’
Holger, close! something_profile = modern|intermediate|old
-
jonas’
based on the mozilla recommendations
-
Holger
In a perfect world this stuff would be maintained by TLS libraries.
-
Holger
I just use OpenSSL's `HIGH` as default in my software. If someone believes HIGH isn't high enough they should go complain to OpenSSL.
-
MattJ
Yes
-
Holger
I guess in theory you could argue that some ecosystems are more likely to have to deal with outdated peers than others though.
-
roland77
I killed the "protocols" altogether as the default in "options" seems more promising, still no TLSv1.2+
-
roland77
Testing protocols via sockets except NPN+ALPN
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 not offered
TLS 1.1 not offered
TLS 1.2 not offered
TLS 1.3 not offered
-
jonas’
roland77, did testssl print a warning above that something may be wrong?
-
jonas’
did you run it with --starttls xmpp?
-
roland77
oh, I didn't use the latter one
-
roland77
188.138.90.169:5269 doesn't seem to be a TLS/SSL enabled server The results might look ok but they could be nonsense. Really proceed ? ("yes" to continue) --> yes
-
jonas’
yeah ^ that was the warning I was talking about
-
jonas’
you shouldn't see that, if you see it, you called testssl incorrectly for xmpp
-
roland77
ah, working better now, thanks!
-
jonas’
fwiw, I have a replacement for xmpp.net in the pipeline which calls testssl in the backend
-
roland77
that testssl is way more detailed
-
jonas’
it is
-
roland77
LUCKY13 (CVE-2013-0169), experimental potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches
-
roland77
okay, my daughter is here now. I better join her and play with her
-
jonas’
have fun :)
-
Licaon_Kter
Tell her about your choice of ciphers... :)
-
roland77
thanks
-
roland77
will do
-
roland77
fixed the LUCKY13 thing: ciphers = "HIGH+kEDH:HIGH+kEECDH:HIGH:!PSK:!SRP:!3DES:!aNULL:!SHA1:!SHA256:!SHA384";
-
roland77
I just took the default and added the !SHA1 thingy
-
jonas’
are there any ciphers left after that? :)
-
jonas’
note that CBC is always vulnerable, AIUI ("check patches")
-
roland77
is there any difference between using R3 and XSRG?
-
jonas’
yes.
-
jonas’
R3 locks android <= 6 devices out
-
roland77
ah, okay
-
jonas’
ISRG locks android <= 6 devices out
-
jonas’
sorry, I always mix that up
-
roland77
but I might not have to worry about it as my server is limited to its users (only 2, including me)
-
Holger
X3 locks out OpenSSL 1.0.2, for example.
-
Holger
https://letsencrypt.org/2020/12/21/extending-android-compatibility.html vs.: https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
-
jonas’
even debian oldoldstable has 1.1.x tho
-
Holger
Even my oldest phone has Android 7 tho
-
jonas’
my oldest phone has android 4.4
-
jonas’
and even that was an experimental update
-
Holger
You're right and I'm wrong.
-
jonas’
nobody said anything which is objectively wrong :)
-
roland77
next stop: courier -> dovecot replacement as courier uses TLSv1.1 (looks like no 1.2+ support)
-
Holger
Courier!
-
Holger
So you skipped Cyrus
-
roland77
I need MySQL support as my authentication data is in such a database
-
roland77
and mails are ordered in /var/mail/virtual/$domain/$user
-
ij
Maybe considering migration from sql to ldap as auth backend would be a good idea as well...
-
ij
I don't regret the migration myself
-
huhn
Is there any public libera irc-xmpp gateway available?
-
Menel
Other way round, there are many.. (Xmpp--irc)
-
huhn
oops i meant xmpp-irc
-
Menel
E.g. https://irc.jabberfr.org/
-
huhn
thx
-
Menel
The syntax is on that site as example. Don't forget the #
-
Menel
Its always #room%irchost@thegatewayxmppserver.tld
-
Menel
Join as you join any open room
-
jonas’
Prosody 0.11.12 released, security update for remote unauthenticated Denial of Service via websockets: https://prosody.im/security/advisory_20220113/
-
moparisthebest
jonas’, what version does `prosodyctl shell module unload websocket` work on? I had to `telnet 127.0.0.1 5582` and run `module:unload('websocket')` instead
-
jonas’
trunk
-
jonas’
that would probably have been worth differentiating
-
jonas’
I'll post a note
-
moparisthebest
+1
-
jonas’
follow up sent, thanks
-
Neustradamus
Time to update: - https://news.ycombinator.com/item?id=29921870 - https://www.reddit.com/r/xmpp/comments/s327wa/prosody_01112_released_cve20220217_fix/
-
jonas’
Neustradamus, next time, check if the very same info has not been posted just above
-
Ge0rG
but it's about karma points!
-
Licaon_Kter
How come Neustradamus you didn't post the official direct links at all?
-
Neustradamus
jonas’: It is not the same link ;) It is the 0.11.12 Prosody announcement.
-
jonas’
Neustradamus, it's the same content though
-
jonas’
hence, I did not say "link", but "info"
-
Ellenor Bjornsd.
is blah.im ok?.. >.<
-
alacer
Ellenor Bjornsd.: I did not have a good message delivery experience in the S2S case in the past, somewhere in 2018-2019 or Q3/4 2019. But its S2S has issues with message delivery.