XMPP Service Operators - 2022-05-22


  1. smooth_operator

    My server has a self-signed certificate. But in my logs I can see the s2s_in connection fails, but then the other server retries and it gets established. Why does another server accept bad certificates on the second try?

  2. moparisthebest

    They may be configured to fallback to dialback

  3. smooth_operator

    what's dialback?

  4. moparisthebest

    smooth_operator: https://xmpp.org/extensions/xep-0220.html

  5. smooth_operator

    Oh, so I do have a mod_dialback. If I disable mod_dialback, will that prevent other servers that try to use it from succeeding?

  6. smooth_operator

    I don't want another server to do anything if the TLS fails.

  7. moparisthebest

    smooth_operator: if you want to block other servers you should block them

  8. moparisthebest

    Using an untrusted cert or disabling dialback doesn't actually do that

  9. smooth_operator

    the aim is preventing an already trusted cert falling victim to impersonation

  10. smooth_operator

    *already trusted server

  11. smooth_operator

    because dialback looks like it's just dns

  12. smooth_operator

    never mind, lemme read through the whole thing first :)

  13. smooth_operator

    before asking more questions

  14. 404.city

    smooth_operator, "mod_dialback" Absolutely obsolete and unnecessary module. Cargo cult. The only reason this module is needed is to satisfy the needs of server administrators who do not know how to set up encryption

  15. Licaon_Kter

    404 as usual :)

  16. Martin

    I'm also not using dialback. I think it's not too hard to obtain a valid cert nowadays.

  17. Holger

    404 makes it sound like enabling Dialback is an alternative to obtaining a valid cert. Probably stating the obvious but it's about whether to break communication with users of servers without valid cert, rather.

  18. Martin

    The only server I know of which needs dialback enabled for s2s is jabber.org. 🙊

  19. Holger

    I've seen various others forget to update certs in time. Including push app servers for iOS apps.

  20. Holger

    Each time that happens that obviously adds to the general perception of XMPP being broken. So in my book there's a trade-off vs. the (quite specific) attack vectors you protect against by disabling Dialback. Hence I wouldn't agree with 404.city's summary.

  21. Licaon_Kter

    _Expired certs, XMPP's greatest enemy_

  22. moparisthebest

    404.city: dialback doesn't disable encryption though? Hopefully no server allows plaintext nowadays, dialback is just a different form of certificate authentication

  23. Bjarkan

    > _Expired certs, XMPP's greatest enemy_ Is it so hard to write a simple script to update the certificate?

  24. MattJ

    No

  25. MattJ

    It's hard to stop it from failing for stupid reasons though

  26. MattJ

    Monitoring helps a lot, but not everyone sets up any monitoring

  27. MattJ

    (i.e. monitoring that tells you *before* it expires)

  28. moparisthebest

    It's kind of hard to keep something that's only supposed to run every 2 months running honestly, and hard to test properly in the first place

  29. 404.city

    moparisthebest, (C2S) Users of a server with a self-signed certificate are extremely insecure and will push and accept any certificate

  30. ernst.on.tour

    > Is it so hard to write a simple script to update the certificate?

    Really hard to code 😉

    ```
    servername=chat.foo.bar
    connthost=raspi.foo.bar:5269
    TTL=20
    # -checkend exits non-zero if the cert expires within TTL days
    echo | openssl s_client -starttls xmpp -servername "$servername" -connect "$connthost" 2>/dev/null \
      | openssl x509 -noout -dates -subject -checkend $((TTL*24*60*60)) \
      && echo "$servername okay" || echo "$servername less than $TTL days left"
    ```

    echo could be anything else, maybe curl to send an XMPP msg to the admin. Normally getssl/certbot/... is running every day and if less than 30 days are left the update will be done. The above 3 lines could run every day, and if getssl/certbot misses 10 tries, the admin should have a look. Without getssl/certbot you could use the 3 lines as a reminder to wake up and prepare your steps for a new cert.

  31. Licaon_Kter

    ernst.on.tour: theory is good, practice? We see it here every month

  32. moparisthebest

    404.city: I mean I agree with you, but it's made more secure in that you can't just silently replace it with trust on first use and such

  33. moparisthebest

    Still far better than not encrypted

  34. ernst.on.tour

    "My" 5 servers were never named 😛 But for sure, you must have a look at it in your inbox.

  35. moparisthebest

    ernst.on.tour: I have similar alerts set up, do you notice if they stop coming though? :)

  36. mimi89999

    Establishing a secure connection from jabber.gg to lebihan.pl failed. Certificate hash: 151045a9417eb1efacf0a7f6dfb7aa68a6b5f68c13a1e6d8c3b29752e447ec60. Error with certificate 0: certificate has expired.

  37. mimi89999

    Got it 2h ago

  38. mjk

    > do you notice if they stop coming? Exactly. You'll need a kind of watchdog xmpp client on your client devices (like, your phone) that'd alert you if it didn't receive a keepalive message. Or better: maintain session on the sending side, and alert when presence changes to offline. Then again, who'd be watching the watchers?

  39. moparisthebest

    mjk: that's the problem

  40. ernst.on.tour

    > ernst.on.tour: I have similar alerts set up, do you notice if they stop coming though? :)

    Yes, because I've pimped up my 3-liner and every day 1 msg will be sent that $servername=notexist.foo.bar couldn't be reached. Every day there will be *1* msg. No msg = no function. More than 1 = problems with cert renewal.

  41. moparisthebest

    Right, except I have 20 of those alerts coming in for various things and I've become numb to them, I'll never know if only 1 quit working

  42. mjk

    My theoretical solution so far is: make your daily driver the watcher. Like, open a chat with your server-side watchdog right in your $mobile_xmpp_client, pin it at the top and patch Conversations so that it displays contacts presence as color-coded something, right in the chat list. This way your eyes get used to seeing a green thingy, so when it goes grey, consider yourself notified

  43. moparisthebest

    Just because it's connected doesn't mean it's running anything

  45. mjk

    Right, there's no absolute here, but seems like a huge improvement over expecting to be spammed daily

  46. ernst.on.tour

    Sorry, maybe lost in translation, but each monitor job got its own service account, meaning 5 jobs (monitor cert, monitor filespace, monitor ....) will have Svc01/Svc02/Svc.... Each day there should be 5 msgs from 5 accounts to my monitoring account. Thank god XMPP is a multi-identity chat app, without need of 5 different mobile numbers 😉

  47. ernst.on.tour

    > Right, there's no absolute here, but seems like a huge improvement over expecting to be spammed daily

    You could blow up the 3-liner to a 300-liner, don't check for the cert only, monitor all you need and only 1 msg will be sent.

  48. mjk

    ernst.on.tour: I'll elaborate what I mean: instead of sending regular messages that say everything is right, only send a message when something's wrong. That's basically polling vs. pushing. The problem, though, is absence of "it broke" messages could mean the thing that sends them broke. If we assume it goes offline when it breaks, the presence-based solution works.

  49. ernst.on.tour

    > ... If we assume it goes offline when it breaks, the presence-based solution works.

    Sadly presence isn't shown live. Maybe a problem with mod_csi/csi_simple. Also a broken script will be shown as online 😕

  50. Menel

    Wasn't there someone having an external XMPP service checker for free?

  51. Menel

    monitor for free

  52. Menel

    Also.. Just listen to your Let's Encrypt mails

  53. Menel

    Also, somebody ©®™, should update https://modules.prosody.im/mod_checkcerts.html 😄

  54. mjk

    > Sadly presence isn't shown live. Sure, but the timeouts are reasonable enough for presence to become offline by the next day at worst :))

  55. abdullah

    Sorry, I have a question about uploading images/clips in the Connect client. Are there any specific options or settings?

  56. Licaon_Kter

    abdullah, what's a "Connect client" ?

  57. abdullah

    One of the XMPP clients

  58. Licaon_Kter

    Didn't hear about them before. First test with known working ones like Dino/Gajim/Conversations/Siskin...

  59. abdullah

    > Didn't hear about them before. First test with known working ones like Dino/Gajim/Conversations/Siskin... One compatible with Android

  60. Menel

    It's apparently a Conversations fork (duh) 😄

  61. Maranda

    Another?

  62. Menel

    No source to be seen easily..

  63. Licaon_Kter

    abdullah: c0nnect pro? Pls don't use that... two points, source promised years ago yet none...so violation of license. And two...they broke http uploads? There's your answer about its worth.

  64. smooth_operator

    OK, so what I understand is dialback is only used for (temporary) convenience in case certificates expire? If that's so I will disable dialback. I would rather be secure and suffer the inconvenience.

  65. smooth_operator

    So for the most s2s security, I have:

    ```
    s2s_require_encryption = true
    s2s_secure_auth = true
    ssl {
        protocol = "tlsv1_2+";
        capath = "/etc/mytrustedservers";
    }
    tls_profile = "modern"
    -- mod_dialback disabled
    modules_disabled = { "dialback" }
    ```