-
moparisthebest
well this seems absolutely fatal for every XMPP server on the internet that uses OpenSSL https://www.openssl.org/news/secadv/20220315.txt update soon?
-
pup ART
'Users of these versions should upgrade to OpenSSL 3.0 or 1.1.1.'
-
Holger
1.0.2zd, I'll miss their versioning scheme when 1.x is dead!
-
Licaon_Kter
_Premium versioning schemes_
-
moparisthebest
Soon: 1.0.2zzzzzzzzz
-
mjk
Eternal slumber
-
moparisthebest
Guess I'll finally slap rustls in front of my server later instead of upgrading...
-
pup ART
OpenSSL high vulnerability https://www.openssl.org/news/secadv/20220315.txt
-
Holger
moparisthebest: 0.x versions for the win!
-
Holger
> There are no major breaking interface changes envisioned after the set included in the 0.20 release.
Wouldn't SemVer suggest 1.0 then?
-
jonas’
moparisthebest, I wouldn't call a remote unauthenticated DoS "absolutely fatal". A remote unauthenticated code execution, *that's* absolutely fatal.
-
jonas’
you had me scared there for a second.
-
moparisthebest
jonas’: I mean, you can cripple the entire public federated XMPP network I'd guess
-
jonas’
sure, but then people will update and restart their servers.
-
jonas’
that's ok
-
moparisthebest
You are right RCE would be worse, I'd still call this fatal
-
jonas’
absolutely fatal has some absolute fatalism to me and the bare possibility of a worse bug precludes the use of that term :)
-
moparisthebest
Well there's always a worse bug... :D
-
Holger
FWIW I also went "huh did I misread their announcement, wasn't it just DoS?".
-
Menel
Debian has only 1.1.1.k?
-
mjk
...if not patched much earlier
-
Licaon_Kter
moparisthebest: only xmpp?
-
mjk
Licaon_Kter: I mean, who does TLS with SMTP?
-
jonas’
or HTTP for that matter
-
jonas’
Menel, for debian, see https://security-tracker.debian.org/tracker/CVE-2022-0778
-
moparisthebest
It's almost only XMPP
-
moparisthebest
You can't force an arbitrary https or SMTP server to parse a certificate of your choosing
-
moparisthebest
Whereas you can force any XMPP server that does s2s to do it
-
jonas’
moparisthebest, clients though.
-
mjk
> or HTTP for that matter
Yeah, not that many http servers accept client certs, I think
-
MattJ
And SMTP servers don't?
-
mjk
*Clients accessing evil.com
-
MattJ
"My browser is using 100% CPU... that's never happened before, oh no"
-
mjk
xD
-
jonas’
well, it would be interesting to have something other than ublock origin eat a CPU core for a change
-
moparisthebest
SMTP doesn't authenticate certificates at all by default
-
Menel
jonas’: thanks. Got confused, but of course... Debian stable is not updating the version "number"
-
MattJ
moparisthebest: does it need to authenticate using them, or only parse them?
-
jonas’
moparisthebest, for certain definitions of "by default"
-
moparisthebest
MattJ: just parse, but they wouldn't accept client certs at all I suspect
-
Holger
> It's almost only XMPP
Matrix!
-
mjk
Oh yeah, there's that other ~homeserver~ federated protocol
-
moparisthebest
Holger: do they do client cert auth for s2s? It wouldn't surprise me I just don't know anything about it
-
Holger
moparisthebest: I had no idea and was hoping someone would tell us 😁 Seems the answer is no:
> Requests are authenticated at the HTTP layer rather than at the TLS layer because HTTP services like Matrix are often deployed behind load balancers that handle the TLS and these load balancers make it difficult to check TLS client certificates.
They then go on to say "if you like, just do it nevertheless" (not sure how that's supposed to be useful):
> A homeserver may provide a TLS client certificate and the receiving homeserver may check that the client certificate matches the certificate of the origin homeserver.
-
moparisthebest
Holger, could someone running a matrix homeserver tell between a pinned CPU and normal use though?
-
Holger
Heh.