XMPP Service Operators - 2022-03-15


  1. moparisthebest

    well this seems absolutely fatal for every XMPP server on the internet that uses OpenSSL https://www.openssl.org/news/secadv/20220315.txt update soon?

  2. pup ART

    'Users of these versions should upgrade to OpenSSL 3.0 or 1.1.1.'

  3. Holger

    1.0.2zd, I'll miss their versioning scheme when 1.x is dead!

  4. Licaon_Kter

    _Premium versioning schemes_

  5. moparisthebest

    Soon: 1.0.2zzzzzzzzz

  6. mjk

    Eternal slumber

  7. moparisthebest

    Guess I'll finally slap rustls in front of my server later instead of upgrading...

  8. pup ART

OpenSSL high vulnerability https://www.openssl.org/news/secadv/20220315.txt

  9. Holger

    moparisthebest: 0.x versions for the win!

  10. Holger

    > There are no major breaking interface changes envisioned after the set included in the 0.20 release.

    Wouldn't SemVer suggest 1.0 then?

  11. jonas’

    moparisthebest, I wouldn't call a remote unauthenticated DoS "absolutely fatal". A remote unauthenticated code execution, *that's* absolutely fatal.

  12. jonas’

    you had me scared there for a second.

  13. moparisthebest

    jonas’: I mean, you can cripple the entire public federated XMPP network I'd guess

  14. jonas’

    sure, but then people will update and restart their servers.

  15. jonas’

    that's ok

  16. moparisthebest

    You are right RCE would be worse, I'd still call this fatal

  17. jonas’

    absolutely fatal has some absolute fatalism to me and the bare possibility of a worse bug precludes the use of that term :)

  18. moparisthebest

    Well there's always a worse bug... :D

  19. Holger

    FWIW I also went "huh did I misread their announcement, wasn't it just DoS?".

  20. Menel

    Debian has only 1.1.1.k?

  21. mjk

    ...if not patched much earlier

  22. Licaon_Kter

    moparisthebest: only xmpp?

  23. mjk

    Licaon_Kter: I mean, who does TLS with SMTP?

  24. jonas’

    or HTTP for that matter

  25. jonas’

    Menel, for debian, see https://security-tracker.debian.org/tracker/CVE-2022-0778

  26. moparisthebest

    It's almost only XMPP

  27. moparisthebest

    You can't force an arbitrary https or SMTP server to parse a certificate of your choosing

  28. moparisthebest

    Where as you can force any XMPP server that does s2s to do it

  29. jonas’

    moparisthebest, clients though.

  30. mjk

    > or HTTP for that matter

    Yeah, not that many http servers accept client certs, I think

  31. MattJ

    And SMTP servers don't?

  32. mjk

    *Clients accessing evil.com

  33. MattJ

    "My browser is using 100% CPU... that's never happened before, oh no"

  34. mjk

    xD

  35. jonas’

    well, it would be interesting to have something other than ublock origin eat a CPU core for a change

  36. moparisthebest

    SMTP doesn't authenticate certificates at all by default

  37. Menel

    jonas’: thanks. Got confused but of course.. Debian stable not updating the version "number"

  38. MattJ

    moparisthebest: does it need to authenticate using them, or only parse them?

  39. jonas’

    moparisthebest, for certain definitions of "by default"

  40. moparisthebest

    MattJ: just parse, but they wouldn't accept client certs at all I suspect

  41. Holger

    > It's almost only XMPP

    Matrix!

  42. mjk

    Oh yeah, there's that other ~homeserver~ federated protocol

  43. moparisthebest

    Holger: do they do client cert auth for s2s? It wouldn't surprise me I just don't know anything about it

  44. Holger

    moparisthebest: I had no idea and was hoping someone would tell us 😁 Seems the answer is no:

    > Requests are authenticated at the HTTP layer rather than at the TLS layer because HTTP services like Matrix are often deployed behind load balancers that handle the TLS and these load balancers make it difficult to check TLS client certificates.

    They then go on saying "if you like just do it nevertheless" (not sure how that's supposed to be useful):

    > A homeserver may provide a TLS client certificate and the receiving homeserver may check that the client certificate matches the certificate of the origin homeserver.

  45. moparisthebest

    Holger, could someone running a matrix homeserver tell between a pinned CPU and normal use though?

  46. Holger

    Heh.