my server has a self-signed certificate. but in my logs i can see the s2s_in connection fails, but then the other server retries and it gets established. why does another server accept bad certificates on the second try?
oh so i do have a mod_dialback. if i disable mod_dialback, will that prevent other servers that try to use it from succeeding?
smooth_operator
i don't want another server to do anything if the tls fails
moparisthebest
smooth_operator: if you want to block other servers you should block them
moparisthebest
Using an untrusted cert or disabling dialback doesn't actually do that
smooth_operator
the aim is preventing an already trusted cert falling victim to impersonation
smooth_operator
*already trusted server
smooth_operator
because dialback looks like it's just dns
smooth_operator
never mind, lemme read through the whole thing first :)
smooth_operator
before asking more questions
404.city
smooth_operator, "mod_dialback" Absolutely obsolete and unnecessary module. Cargo cult. The only reason this module is needed is to satisfy the needs of server administrators who do not know how to set up encryption
Licaon_Kter
404 as usual :)
Martin
I'm also not using dialback. I think it's not too hard to obtain a valid cert nowadays.
Holger
404 makes it sound like enabling Dialback is an alternative to obtaining a valid cert. Probably stating the obvious but it's about whether to break communication with users of servers without valid cert, rather.
Martin
The only server I know of which needs dialback enabled for s2s is jabber.org. 🙊
Holger
I've seen various others forget to update certs in time. Including push app servers for iOS apps.
Holger
Each time that happens that obviously adds to the general perception of XMPP being broken. So in my book there's a trade-off vs. the (quite specific) attack vectors you protect against by disabling Dialback. Hence I wouldn't agree with 404.city's summary.
Licaon_Kter
_Expired certs, XMPP's greatest enemy_
moparisthebest
404.city: dialback doesn't disable encryption though? Hopefully no server allows plaintext nowadays, dialback is just a different form of certificate authentication
Bjarkan
> _Expired certs, XMPP's greatest enemy_
Is it so hard to write a simple script to update the certificate?
MattJ
No
MattJ
It's hard to stop it from failing for stupid reasons though
MattJ
Monitoring helps a lot, but not everyone sets up any monitoring
MattJ
(i.e. monitoring that tells you *before* it expires)
moparisthebest
It's kind of hard to keep something that's only supposed to run every 2 months running honestly, and hard to test properly in the first place
404.city
moparisthebest, (C2S) Users of a server with a self-signed certificate are extremely insecure and will push and accept any certificate
ernst.on.tour
> Is it so hard to write a simple script to update the certificate?
Really hard to code 😉
```
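servername=chat.foo.bar        # XMPP domain the certificate must cover
connthost=raspi.foo.bar:5269   # host:port of the s2s listener
TTL=20                         # warn when fewer than this many days are left
# xmpp-server (not xmpp) because 5269 is the s2s port; -xmpphost sets the stream's to= domain; -checkend takes seconds
echo | openssl s_client -starttls xmpp-server -xmpphost "$servername" -servername "$servername" -connect "$connthost" 2>/dev/null | openssl x509 -noout -dates -subject -checkend $((TTL*24*60*60)) && echo "$servername okay" || echo "$servername less than $TTL days left"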
```
echo could be anything else, maybe curl to send xmpp-msg to the admin
Normally the getssl/certbot/... is running every day and if less than 30 days are left the update will be done.
The above 3 lines could run every day and if getssl/certbot misses 10 tries, the admin should have a look.
Without getssl/certbot you could use the 3 lines as a reminder to wake up and prepare your steps for a new cert.
Licaon_Kter
ernst.on.tour: theory is good, practice? We see it here every month
moparisthebest
404.city: I mean I agree with you, but it's made more secure in that you can't just silently replace it with trust on first use and such
moparisthebest
Still far better than not encrypted
ernst.on.tour
"My" 5 servers were never named 😛
But for sure, you must have a look about it in your InBox
moparisthebest
ernst.on.tour: I have similar alerts set up, do you notice if they stop coming though? :)
mimi89999
Establishing a secure connection from jabber.gg to lebihan.pl failed. Certificate hash: 151045a9417eb1efacf0a7f6dfb7aa68a6b5f68c13a1e6d8c3b29752e447ec60. Error with certificate 0: certificate has expired.
mimi89999
Got it 2h ago
mjk
> do you notice if they stop coming?
Exactly. You'll need a kind of watchdog xmpp client on your client devices (like, your phone) that'd alert you if it didn't receive a keepalive message. Or better: maintain session on the sending side, and alert when presence changes to offline. Then again, who'd be watching the watchers?
moparisthebest
mjk: that's the problem
ernst.on.tour
> ernst.on.tour: I have similar alerts set up, do you notice if they stop coming though? :)
Yes, because I've pimped up my 3liner and every day 1 msg will be sent that $servername=notexist.foo.bar couldn't be reached.
Every day there will be *1* msg
No msg = no function
More than 1 = problems with certrenewal
moparisthebest
Right, except I have 20 of those alerts coming in for various things and I've become numb to them, I'll never know if only 1 quit working
mjk
My theoretical solution so far is: make your daily driver the watcher. Like, open a chat with your server-side watchdog right in your $mobile_xmpp_client, pin it at the top and patch Conversations so that it displays contacts presence as color-coded something, right in the chat list. This way your eyes get used to seeing a green thingy, so when it goes grey, consider yourself notified
moparisthebest
Just because it's connected doesn't mean it's running anything
mjk
Right, there's no absolute here, but seems like a huge improvement over expecting to be spammed daily
ernst.on.tour
Sorry, maybe lost in translation, but each monitor job got its own service account, meaning 5 jobs (monitor cert, monitor filespace, monitor ....) will have Svc01/Svc02/Svc....
Each day there should be 5 msgs from 5 accounts to my monitoring account.
Thank god xmpp is a multi-identity chat app, without need of 5 different mobile numbers 😉
ernst.on.tour
> Right, there's no absolute here, but seems like a huge improvement over expecting to be spammed daily
You could blow up the 3liner to a 300liner, don't check for cert only, monitor all you need and only 1 msg will be sent.
mjk
ernst.on.tour: I'll elaborate what I mean: instead of sending regular messages that say everything is right, only send a message when something's wrong. That's basically polling vs. pushing. The problem, though, is absence of "it broke" messages could mean the thing that sends them broke. If we assume it goes offline when it breaks, the presence-based solution works.
ernst.on.tour
> ... If we assume it goes offline when it breaks, the presence-based solution works.
Sadly presence isn't shown live.
Maybe a problem with mod_csi/csi_simple
Also a broken script will be shown as online 😕
Menel
Wasn't there someone having an external xmpp service checker for free?
> Sadly presence isn't shown live.
Sure, but the timeouts are reasonable enough for presence to become offline by the next day at worst :))
abdullah
Sorry, I have a question about uploading images clips, the Connect client, are there any specific options or settings!
Licaon_Kter
abdullah, what's a "Connect client" ?
abdullah
One of the XMPP clients
Licaon_Kter
Didn't hear about them before. First test with known working ones like Dino/Gajim/Conversations/Siskin...
abdullah
> Didn't hear about them before. First test with known working ones like Dino/Gajim/Conversations/Siskin...
One compatible with Android
Menel
It's apparently a conversation fork (duh) 😄
Maranda
Another?
Menel
No source to be seen easily..
Licaon_Kter
abdullah: c0nnect pro? Pls don't use that... two points, source promised years ago yet none...so violation of license. And two...they broke http uploads? There's your answer about its worth.
smooth_operator
ok so what i understand is dialback is only used for (temporary) convenience in case certificates expire? if that's so i will disable dialback. i would rather be secure and suffer the inconvenience
smooth_operator
so for the most s2s security, i have:
s2s_require_encryption = true
s2s_secure_auth = true
ssl { protocol = tlsv1_2+ }
ssl { capath = /etc/mytrustedservers }
tls_profile = modern
mod_dialback disabled