-
smooth_operator
my server has a self-signed certificate. but in my logs i can see the s2s_in connection fails, but then the other server retries and it gets established. why does another server accept bad certificates on the second try?
-
moparisthebest
They may be configured to fallback to dialback
-
smooth_operator
what's dialback?
-
moparisthebest
smooth_operator: https://xmpp.org/extensions/xep-0220.html
-
smooth_operator
oh so i do have a mod_dialback. if i disable mod_dialback, will that prevent other servers that try to use it from succeeding?
-
smooth_operator
i don't want another server to do anything if the tls fails
-
moparisthebest
smooth_operator: if you want to block other servers you should block them
-
moparisthebest
Using an untrusted cert or disabling dialback doesn't actually do that
-
smooth_operator
the aim is preventing an already trusted cert falling victim to impersonation
-
smooth_operator
*already trusted server
-
smooth_operator
because dialback looks like it's just dns
-
smooth_operator
never mind, lemme read through the whole thing first :)
-
smooth_operator
before asking more questions
-
404.city
smooth_operator, "mod_dialback" is an absolutely obsolete and unnecessary module. Cargo cult. The only reason this module is needed is to satisfy the needs of server administrators who do not know how to set up encryption
-
Licaon_Kter
404 as usual :)
-
Martin
I'm also not using dialback. I think it's not too hard to obtain a valid cert nowadays.
-
Holger
404 makes it sound like enabling Dialback is an alternative to obtaining a valid cert. Probably stating the obvious but it's about whether to break communication with users of servers without valid cert, rather.
-
Martin
The only server I know of which needs dialback enabled for s2s is jabber.org. 🙊
-
Holger
I've seen various others forget to update certs in time. Including push app servers for iOS apps.
-
Holger
Each time that happens that obviously adds to the general perception of XMPP being broken. So in my book there's a trade-off vs. the (quite specific) attack vectors you protect against by disabling Dialback. Hence I wouldn't agree with 404.city's summary.
-
Licaon_Kter
_Expired certs, XMPP's greatest enemy_
-
moparisthebest
404.city: dialback doesn't disable encryption though? Hopefully no server allows plaintext nowadays, dialback is just a different form of certificate authentication
-
Bjarkan
> _Expired certs, XMPP's greatest enemy_

Is it so hard to write a simple script to update the certificate?
-
MattJ
No
-
MattJ
It's hard to stop it from failing for stupid reasons though
-
MattJ
Monitoring helps a lot, but not everyone sets up any monitoring
-
MattJ
(i.e. monitoring that tells you *before* it expires)
-
moparisthebest
It's kind of hard to keep something that's only supposed to run every 2 months running honestly, and hard to test properly in the first place
-
404.city
moparisthebest, (C2S) Users of a server with a self-signed certificate are extremely insecure and will push and accept any certificate
-
ernst.on.tour
> Is it so hard to write a simple script to update the certificate?

Really hard to code 😉

```sh
#!/bin/sh
# Warn when the s2s certificate on the 5269 listener has fewer than $TTL days left.
servername=chat.foo.bar        # XMPP domain used for SNI
connthost=raspi.foo.bar:5269   # host:port of the s2s listener
TTL=20                         # warn below this many days of remaining validity
echo | openssl s_client -starttls xmpp -servername "$servername" -connect "$connthost" 2>/dev/null \
  | openssl x509 -noout -dates -subject -checkend $((TTL*24*60*60)) \
  && echo "$servername okay" || echo "$servername less than $TTL days left"
```

echo could be anything else, maybe curl to send an XMPP msg to the admin. Normally getssl/certbot/... is running every day and if less than 30 days are left the update will be done. The 3 lines above could run every day, and if getssl/certbot misses 10 tries, the admin should have a look. Without getssl/certbot you could use the 3 lines as a reminder to wake up and prepare your steps for a new cert.
-
Licaon_Kter
ernst.on.tour: theory is good, practice? We see it here every month
-
moparisthebest
404.city: I mean I agree with you, but it's made more secure in that you can't just silently replace it with trust on first use and such
-
moparisthebest
Still far better than not encrypted
-
ernst.on.tour
"My" 5 servers were never named 😛 But for sure, you must have a look at it in your inbox
-
moparisthebest
ernst.on.tour: I have similar alerts set up, do you notice if they stop coming though? :)
-
mimi89999
Establishing a secure connection from jabber.gg to lebihan.pl failed. Certificate hash: 151045a9417eb1efacf0a7f6dfb7aa68a6b5f68c13a1e6d8c3b29752e447ec60. Error with certificate 0: certificate has expired.
-
mimi89999
Got it 2h ago
-
mjk
> do you notice if they stop coming?

Exactly. You'll need a kind of watchdog xmpp client on your client devices (like, your phone) that'd alert you if it didn't receive a keepalive message. Or better: maintain session on the sending side, and alert when presence changes to offline. Then again, who'd be watching the watchers?
-
moparisthebest
mjk: that's the problem
-
ernst.on.tour
> ernst.on.tour: I have similar alerts set up, do you notice if they stop coming though? :)

Yes, because I've pimped up my 3-liner and every day 1 msg will be sent that $servername=notexist.foo.bar couldn't be reached. Every day there will be *1* msg. No msg = no function. More than 1 = problems with cert renewal
-
moparisthebest
Right, except I have 20 of those alerts coming in for various things and I've become numb to them, I'll never know if only 1 quit working
-
mjk
My theoretical solution so far is: make your daily driver the watcher. Like, open a chat with your server-side watchdog right in your $mobile_xmpp_client, pin it at the top and patch Conversations so that it displays contacts presence as color-coded something, right in the chat list. This way your eyes get used to seeing a green thingy, so when it goes grey, consider yourself notified
-
moparisthebest
Just because it's connected doesn't mean it's running anything
-
mjk
Right, there's no absolute here, but seems like a huge improvement over expecting to be spammed daily
-
ernst.on.tour
Sorry, maybe lost in translation, but each monitor job got its own service account, meaning 5 jobs (monitor cert, monitor filespace, monitor ....) will have Svc01/Svc02/Svc.... Each day there should be 5 msgs from 5 accounts to my monitoring account. Thank god xmpp is a multi-identity chat app, without need of 5 different mobile numbers 😉
-
ernst.on.tour
> Right, there's no absolute here, but seems like a huge improvement over expecting to be spammed daily

You could blow up the 3-liner to a 300-liner, don't check for cert only, monitor all you need and only 1 msg will be sent.
-
mjk
ernst.on.tour: I'll elaborate what I mean: instead of sending regular messages that say everything is right, only send a message when something's wrong. That's basically polling vs. pushing. The problem, though, is absence of "it broke" messages could mean the thing that sends them broke. If we assume it goes offline when it breaks, the presence-based solution works.
-
ernst.on.tour
> ... If we assume it goes offline when it breaks, the presence-based solution works.

Sadly presence isn't shown live. Maybe a problem with mod_csi/csi_simple. Also a broken script will be shown as online 😕
-
Menel
Wasn't there someone having an external xmpp service checker for free?
-
Menel
monitor for free
-
Menel
Also.. Just listen to your Let's Encrypt mails
-
Menel
Also, somebody ©®™, should update https://modules.prosody.im/mod_checkcerts.html 😄
-
mjk
> Sadly presence isn't shown live.

Sure, but the timeouts are reasonable enough for presence to become offline by the next day at worst :))
-
abdullah
Sorry, I have a question about uploading image clips in the Connect client; are there any specific options or settings?
-
Licaon_Kter
abdullah, what's a "Connect client" ?
-
abdullah
One of the XMPP clients
-
Licaon_Kter
Didn't hear about them before. First test with known working ones like Dino/Gajim/Conversations/Siskin...
-
abdullah
> Didn't hear about them before. First test with known working ones like Dino/Gajim/Conversations/Siskin...

One compatible with Android
-
Menel
It's apparently a Conversations fork (duh) 😄
-
Maranda
Another?
-
Menel
No source to be seen easily..
-
Licaon_Kter
abdullah: c0nnect pro? Pls don't use that... two points, source promised years ago yet none...so violation of license. And two...they broke http uploads? There's your answer about its worth.
-
smooth_operator
ok so what i understand is dialback is only used for (temporary) convenience in case certificates expire? if that's so i will disable dialback. i would rather be secure and suffer the inconvenience
-
smooth_operator
so for the most s2s security, i have:

```
s2s_require_encryption = true
s2s_secure_auth = true
ssl { protocol = tlsv1_2+ }
ssl { capath = /etc/mytrustedservers }
tls_profile = modern
```

mod_dialback disabled