XMPP Service Operators - 2023-02-05


  1. william.chatner has left

  2. huxxer has left

  3. kuba_ has left

  4. Friendly Resident Cynic has left

  5. stefan has left

  6. stefan has joined

  7. resoli has left

  8. mjk has left

  9. belong has left

  10. ishcse has left

  11. ' has left

  12. kuba_ has joined

  13. ' has joined

  14. mjk has joined

  15. belong has joined

  16. sonny has joined

  17. papatutuwawa has left

  18. millesimus has left

  19. PingufromWoodquarter (xmpp.pingu.at) has left

  20. schäfchen726 has left

  21. schäfchen726 has joined

  22. jgart has joined

  23. PingufromWoodquarter (xmpp.pingu.at) has joined

  24. millesimus has joined

  25. sonny has left

  26. marc0s has left

  27. marc0s has joined

  28. ij has left

  29. sonny has joined

  30. ewagner has joined

  31. marc0s has left

  32. marc0s has joined

  33. millesimus has left

  34. j.r (jugendhacker.de) has left

  35. j.r (jugendhacker.de) has joined

  36. antranigv has joined

  37. pod has left

  38. marc0s has left

  39. marc0s has joined

  40. marc0s has left

  41. marc0s has joined

  42. millesimus has joined

  43. homebeach has left

  44. homebeach has joined

  45. p42ity has left

  46. sonny has left

  47. djorz has left

  48. xso has left

  49. millesimus has left

  50. xso has joined

  51. sonny has joined

  52. millesimus has joined

  53. nicoco has left

  54. alien has left

  55. alien has joined

  56. msavoritias has left

  57. neox has left

  58. kuba_ has left

  59. marc0s has left

  60. marc0s has joined

  61. sonny has left

  62. sonny has joined

  63. tbm16 has joined

  64. kuba_ has joined

  65. djorz has joined

  66. sonny has left

  67. Dead Head has left

  68. Maranda[x] has left

  69. sonny has joined

  70. marc0s has left

  71. marc0s has joined

  72. snow has joined

  73. gooya has left

  74. snow has left

  75. snow has joined

  76. patasca has left

  77. patasca has joined

  78. dryan has joined

  79. djorz has left

  80. sonny has left

  81. schäfchen726 has left

  82. Dead Head has joined

  83. stefan has left

  84. stefan has joined

  85. sonny has joined

  86. kapad has left

  87. millesimus has left

  88. millesimus has joined

  89. sonny has left

  90. sonny has joined

  91. dryan has left

  92. dryan has joined

  93. dryan has left

  94. dryan has joined

  95. dryan has left

  96. millesimus has left

  97. Steven Roose has left

  98. xso has left

  99. millesimus has joined

  100. sonny has left

  101. xso has joined

  102. sonny has joined

  103. dryan has joined

  104. catchy has joined

  105. dryan has left

  106. dryan has joined

  107. Katherine has joined

  108. dryan has left

  109. millesimus has left

  110. Katherine has left

  111. sonny has left

  112. sonny has joined

  113. snow has left

  114. raghavgururajan has joined

  115. xso has left

  116. xso has joined

  117. millesimus has joined

  118. ernst.on.tour has left

  119. sonny has left

  120. ernst.on.tour has joined

  121. sonny has joined

  122. millesimus has left

  123. raghavgururajan has left

  124. millesimus has joined

  125. etaurus has left

  126. dryan has joined

  127. etaurus has joined

  128. dryan has left

  129. sonny has left

  130. wael has joined

  131. Maranda[x] has joined

  132. sonny has joined

  133. millesimus has left

  134. PingufromWoodquarter (xmpp.pingu.at) has left

  135. PingufromWoodquarter (xmpp.pingu.at) has joined

  136. ernst.on.tour has left

  137. raghavgururajan has joined

  138. ernst.on.tour has joined

  139. catchy has left

  140. catchy has joined

  141. millesimus has joined

  142. stefan has left

  143. stefan has joined

  144. p42ity has joined

  145. writer77 has joined

  146. sonny has left

  147. millesimus has left

  148. writer77 has left

  149. writer77 has joined

  150. sonny has joined

  151. millesimus has joined

  152. dryan has joined

  153. Ingolf has left

  154. Ingolf has joined

  155. sonny has left

  156. sonny has joined

  157. ibikk has joined

  158. allbombson has left

  159. allbombson has joined

  160. Maranda[x] has left

  161. sonny has left

  162. sonny has joined

  163. jc has joined

  164. balabol.im has joined

  165. dryan has left

  166. dryan has joined

  167. mirux has joined

  168. sonny has left

  169. Menel has joined

  170. dryan has left

  171. sonny has joined

  172. Menel has left

  173. Menel has joined

  174. jzmartin has left

  175. jzmartin has joined

  176. xso has left

  177. xso has joined

  178. Maranda[x] has joined

  179. *IM* has joined

  180. kuba_ has left

  181. karim has left

  182. sonny has left

  183. Ingolf has left

  184. Ingolf has joined

  185. sonny has joined

  186. kuba_ has joined

  187. dora71 has joined

  188. pod has joined

  189. resoli has joined

  190. Mario Sabatino has joined

  191. nicoco has joined

  192. sonny has left

  193. sonny has joined

  194. schäfchen726 has joined

  195. Ingolf has left

  196. Ingolf has joined

  197. eevvoor has joined

  198. xso has left

  199. xso has joined

  200. resoli has left

  201. kuba_ has left

  202. karl has left

  203. sonny has left

  204. sonny has joined

  205. xso has left

  206. xso has joined

  207. tsk has left

  208. tsk has joined

  209. kuba_ has joined

  210. *IM* has left

  211. *IM* has joined

  212. resoli has joined

  213. allbombson has left

  214. allbombson has joined

  215. sonny has left

  216. ij has joined

  217. sonny has joined

  218. xso has left

  219. neox has joined

  220. karme has joined

  221. xso has joined

  222. allbombson has left

  223. schäfchen726 has left

  224. schäfchen726 has joined

  225. resoli has left

  226. hearty has left

  227. me9 has joined

  228. eevvoor has left

  229. sonny has left

  230. eevvoor has joined

  231. sonny has joined

  232. writer77 has left

  233. writer77 has joined

  234. ru_maniac has left

  235. ru_maniac has joined

  236. frog has joined

  237. jgart has left

  238. hotaru has left

  239. msavoritias has joined

  240. jc has left

  241. jc has joined

  242. hotaru has joined

  243. marc0s has left

  244. marc0s has joined

  245. schäfchen726 has left

  246. schäfchen726 has joined

  247. sonny has left

  248. marc0s has left

  249. marc0s has joined

  250. sonny has joined

  251. hearty has joined

  252. jgart has joined

  253. dora71 has left

  254. dora71 has joined

  255. sven has left

  256. Trung has left

  257. Trung has joined

  258. xso has left

  259. kuba_ has left

  260. ij has left

  261. kuba_ has joined

  262. Trung has left

  263. Trung has joined

  264. Trung has left

  265. Trung has joined

  266. Trung has left

  267. Trung has joined

  268. *IM* has left

  269. *IM* has joined

  270. marc0s has left

  271. marc0s has joined

  272. Trung has left

  273. Trung has joined

  274. Trung has left

  275. Trung has joined

  276. ororo has joined

  277. John has left

  278. PingufromWoodquarter (xmpp.pingu.at) has left

  279. John has joined

  280. Menel has left

  281. ij has joined

  282. loopboom has joined

  283. Menel has joined

  284. SJM has left

  285. loopboom has left

  286. SJM has joined

  287. xso has joined

  288. SJM has left

  289. xi has left

  290. tbm16 has left

  291. xi has joined

  292. homebeach has left

  293. homebeach has joined

  294. dora71 has left

  295. dora71 has joined

  296. etaurus has left

  297. etaurus has joined

  298. PingufromWoodquarter (xmpp.pingu.at) has joined

  299. kaligatt has left

  300. kaligatt has joined

  301. frog has left

  302. timothy has joined

  303. dora71 has left

  304. dora71 has joined

  305. Sam@! has left

  306. Sam@! has joined

  307. marc0s has left

  308. papatutuwawa has joined

  309. papatutuwawa has left

  310. sonny has left

  311. ororo has left

  312. papatutuwawa has joined

  313. djorz has joined

  314. djorz has left

  315. djorz has joined

  316. marc0s has joined

  317. *IM* has left

  318. *IM* has joined

  319. SJM has joined

  320. sonny has joined

  321. *IM* has left

  322. *IM* has joined

  323. karme has left

  324. karme has joined

  325. Steven Roose has joined

  326. marc0s has left

  327. bean has joined

  328. belong has left

  329. Menel has left

  330. jjrh has left

  331. bean has left

  332. jjrh has joined

  333. Menel has joined

  334. belong has joined

  335. metta has joined

  336. marc0s has joined

  337. SouL has left

  338. Menel has left

  339. Menel has joined

  340. kaligatt has left

  341. kaligatt has joined

  342. sonny has left

  343. gooya has joined

  344. jaj has joined

  345. p42ity has left

  346. SouL has joined

  347. sonny has joined

  348. kuba_ has left

  349. p42ity has joined

  350. ij has left

  351. sven has joined

  352. djorz has left

  353. riccio has left

  354. kuba_ has joined

  355. Ingolf has left

  356. ZeoZ olikis has left

  357. Chris Mac has left

  358. ij has joined

  359. ij has left

  360. huxxer has joined

  361. me9 has left

  362. Chris Mac has joined

  363. marc0s has left

  364. marc0s has joined

  365. riccio has joined

  366. sonny has left

  367. sonny has joined

  368. karme has left

  369. karme has joined

  370. karme has left

  371. karme has joined

  372. hearty has left

  373. mx has left

  374. djorz has joined

  375. mx has joined

  376. ZeoZ olikis has joined

  377. ij has joined

  378. djorz has left

  379. marc0s has left

  380. marc0s has joined

  381. marc0s has left

  382. marc0s has joined

  383. sonny has left

  384. sven has left

  385. Ingolf has joined

  386. sonny has joined

  387. karme has left

  388. hearty has joined

  389. marc0s has left

  390. marc0s has joined

  391. antranigv has left

  392. antranigv has joined

  393. antranigv has left

  394. antranigv has joined

  395. resoli has joined

  396. riccio has left

  397. jc has left

  398. schäfchen726 has left

  399. schäfchen726 has joined

  400. jc has joined

  401. PingufromWoodquarter (xmpp.pingu.at) has left

  402. riccio has joined

  403. sven has joined

  404. antranigv has left

  405. Maranda[x] has left

  406. ralphm has left

  407. wladmis has left

  408. wladmis has joined

  409. frog has joined

  410. marc0s has left

  411. marc0s has joined

  412. Maranda[x] has joined

  413. sonny has left

  414. resoli has left

  415. Chris Mac has left

  416. sonny has joined

  417. Sirrdg has left

  418. Sirrdg has joined

  419. serge90 has joined

  420. marc0s has left

  421. marc0s has joined

  422. PingufromWoodquarter (xmpp.pingu.at) has joined

  423. me9 has joined

  424. Chris Mac has joined

  425. djorz has joined

  426. dora71 has left

  427. dora71 has joined

  428. dora71 has left

  429. dora71 has joined

  430. dora71 has left

  431. dora71 has joined

  432. dora71 has left

  433. dora71 has joined

  434. sonny has left

  435. Chris Mac has left

  436. sonny has joined

  437. bung has joined

  438. Jona

    Hi, I wonder if it is possible to use BOSH and/or websocket connections with DNS delegation? I see that TXT records have been deprecated for this purpose and no SRV records seem to exist for this

  439. karme has joined

  440. Licaon_Kter

    Jona: you wanna point to what?

  442. Chris Mac has joined

  443. Steven Roose has left

  444. Jona

    I want to point to a prosody instance which runs on a subdomain. I successfully use xmpp-client SRV records for this but I was wondering about HTTP to get through corporate firewalls

  445. william.chatner has joined

  446. papatutuwawa has left

  447. Maranda[x] has left

  448. marc0s has left

  449. marc0s has joined

  450. jaj has left

  451. ralphm has joined

  452. ij has left

  453. Peter Waher

    You have the _xmppconnect TXT record you can add, with a _xmpp-client-websocket=wss://... string.

  454. Peter Waher has left

  455. marc0s has left

  456. marc0s has joined

  457. belong has left

  458. resoli has joined

  459. Peter Waher has joined

  460. belong has joined

  461. sonny has left

  462. Menel

    Jona: on your main domain serve https://xmpp.org/extensions/xep-0156.html at your /.well-known location and point that to your prosody webserver

  463. Menel

    No txt or srv records needed

  464. Menel

    Peter Waher:
    > A previous version of this XEP defined a DNS method to look up this info using a TXT _xmppconnect record, this was insecure and has been removed.
    That's not a thing anymore

  465. *IM* has left

  466. sonny has joined

  467. Peter Waher

    In what way insecure? Insecure as much as DNS is insecure? Or something else?

  468. Maranda[x] has joined

  469. moparisthebest

    Jona, Peter Waher: https://xmpp.org/extensions/xep-0156.html#security
    > A previous version of this XEP defined a DNS method to look up this info using a TXT _xmppconnect record, this was insecure and has been removed.
    But you can add the host-meta file instead

  470. Jona

    Menel: my main domain has no IP address so it cannot serve the /.well-known location

  471. Menel

    Then you're out of luck.

  472. moparisthebest

    Peter Waher: https://mail.jabber.org/pipermail/standards/2022-February/038759.html

  473. moparisthebest

    Jona: you can use this instead to listen on 443 and go through most firewalls that only allow https https://wiki.xmpp.org/web/Tech_pages/XEP-0368

  474. Peter Waher

    Thanks. Yes, I remember this mail. But it is the same problem as with DNS overall, and SRV records as well, no?

  475. *IM* has joined

  476. Jona

    moparisthebest: thanks, that sounds interesting

  477. resoli has left

  479. Jona

    The mail explains domain validation is not the same for https as it is for xmpp c2s

  480. ij has joined

  481. $h00tthe®00t has left

  482. qwemnb has left

  483. moparisthebest

    No with SRV we validate the record with TLS certificates, with this record that wasn't happening

  484. moparisthebest

    Example: you are example.com:
    1. Your SRV record says your XMPP is hosted at bob.com, clients/servers will connect there, but only proceed if bob.com has a valid cert for example.com
    2. Your xmppconnect TXT record says your XMPP is hosted at bob.com, clients connect and only check that the cert is valid for bob.com, this is insecure

  485. $h00tthe®00t has joined

  486. moparisthebest

    Plus #2 is an impossible situation, what do you send for SNI and Host: header?

  487. Peter Waher

    The wss would also validate using a TLS certificate. But the point in the mail seems to indicate that in the xmpp c2s case, the certificate includes the domain name of the original domain (and/or the host name used?) and in the wss case the certificate only contains the host name pointed to? Sounds like an implementation issue, or is this behaviour specified as well?

  488. moparisthebest

    It wasn't specified and all implementations were vulnerable, and no known http servers allow you to configure it to serve a cert for example.com if bob.com is the SNI

  489. Peter Waher

    (I mean, the same operations occur in both cases: DNS resolve, redirect, connect via TLS, validate certificate)

  490. moparisthebest

    And nearly no clients or libraries allow you to do that kind of certificate validation either

  492. Peter Waher

    We set the same certificate for both XMPP server and HTTP server (they are integrated), so the problem is the same (for us) for both XMPP SRV and TXT paths. But, better to use another method, if client libraries have issues.

  493. moparisthebest

    Yes that could work, and specify clients always send bob.com in sni and host: but always write custom cert validation code to also check for example.com but... In practice it'd likely never work

  494. schäfchen726 has left

  495. schäfchen726 has joined

  496. sonny has left

  497. ralphm has left

  498. barlas has left

  499. barlas has joined

  500. antranigv has joined

  501. Jona has left

  502. sonny has joined

  503. ralphm has joined

  504. djorz has left

  505. marc0s has left

  506. marc0s has joined

  507. schäfchen726 has left

  508. schäfchen726 has joined

  509. allbombson has joined

  510. serge90 has left

  511. Friendly Resident Cynic has joined

  512. Steven Roose has joined

  513. Chris Mac has left

  514. timothy has left

  515. timothy has joined

  516. p42ity has left

  517. marc0s has left

  518. marc0s has joined

  519. allbombson has left

  520. sonny has left

  521. p42ity has joined

  522. allbombson has joined

  523. millesimus has left

  524. sonny has joined

  525. marc0s has left

  526. marc0s has joined

  527. karim has joined

  528. millesimus has joined

  529. ru_maniac has left

  530. ru_maniac has joined

  531. schäfchen726 has left

  532. schäfchen726 has joined

  533. marc0s has left

  534. marc0s has joined

  535. Chris Mac has joined

  536. xso has left

  537. marc0s has left

  538. marc0s has joined

  539. xso has joined

  540. hshdhdhc has joined

  541. ralphm has left

  542. papatutuwawa has joined

  543. snow has joined

  544. sonny has left

  545. sonny has joined

  546. Ingolf has left

  547. alacer has joined

  548. Ingolf has joined

  549. schäfchen726 has left

  550. schäfchen726 has joined

  551. allbombson has left

  552. allbombson has joined

  553. antranigv has left

  554. sonny has left

  555. belong has left

  556. Steven Roose has left

  557. mx has left

  558. mx has joined

  559. marc0s has left

  560. marc0s has joined

  561. bean has joined

  562. belong has joined

  563. schäfchen726 has left

  564. schäfchen726 has joined

  565. marc0s has left

  566. marc0s has joined

  567. bean has left

  568. sonny has joined

  569. Chris Mac has left

  570. marc0s has left

  571. marc0s has joined

  572. catchy has left

  573. catchy has joined

  574. ralphm has joined

  575. marc0s has left

  576. marc0s has joined

  577. djorz has joined

  578. marc0s has left

  579. marc0s has joined

  580. 世界之保證 has left

  581. 世界之保證 has joined

  582. schäfchen726 has left

  583. schäfchen726 has joined

  584. marc0s has left

  585. marc0s has joined

  586. sonny has left

  587. Ingolf has left

  588. Steven Roose has joined

  589. marc0s has left

  590. marc0s has joined

  591. marc0s has left

  592. marc0s has joined

  593. sonny has joined

  594. Ingolf has joined

  595. marc0s has left

  596. marc0s has joined

  597. Chris Mac has joined

  598. schäfchen726 has left

  599. schäfchen726 has joined

  600. jgart has left

  601. resoli has joined

  602. Chris Mac has left

  603. antranigv has joined

  604. kuba_ has left

  605. antranigv has left

  606. Trung has left

  607. Trung has joined

  608. Chris Mac has joined

  609. andrey.utkin has left

  610. mx has left

  611. bean has joined

  612. dora71 has left

  613. dora71 has joined

  614. bean has left

  615. mx has joined

  616. antranigv has joined

  617. dora71 has left

  618. dora71 has joined

  619. Trung has left

  620. dora71 has left

  621. dora71 has joined

  622. Trung has joined

  623. andrey.utkin has joined

  624. kuba_ has joined

  625. sonny has left

  626. writer77 has left

  627. resoli has left

  628. sonny has joined

  629. allbombson has left

  630. allbombson has joined

  631. belong has left

  632. sonny has left

  633. marc0s has left

  634. marc0s has joined

  635. Arne has left

  636. mx has left

  637. marc0s has left

  638. marc0s has joined

  639. Arne has joined

  640. mx has joined

  641. belong has joined

  642. sonny has joined

  643. marc0s has left

  644. marc0s has joined

  645. Steven Roose has left

  646. antranigv has left

  647. papatutuwawa has left

  648. marc0s has left

  649. marc0s has joined

  650. belong has left

  651. abdullah has joined

  652. riccio has left

  653. riccio has joined

  654. marc0s has left

  655. marc0s has joined

  656. Ingolf has left

  657. kuba_ has left

  658. Chris Mac has left

  659. Chris Mac has joined

  660. abdullah has left

  661. kuba_ has joined

  662. writer77 has joined

  663. djorz has left

  664. savagepeanut has joined

  665. belong has joined

  666. jaj has joined

  667. savagepeanut has left

  668. savagepeanut has joined

  669. Chris Mac has left

  670. papatutuwawa has joined

  671. jgart has joined

  672. Maranda[x] has left

  673. Menel has left

  674. belong has left

  675. karl has joined

  676. belong has joined

  677. savagepeanut has left

  678. dryan has joined

  679. savagepeanut has joined

  680. Menel has joined

  681. alacer has left

  682. Steven Roose has joined

  683. kapad has joined

  684. schäfchen726 has left

  685. schäfchen726 has joined

  686. djorz has joined

  687. dryan has left

  688. alacer has joined

  689. Ingolf has joined

  690. andrey.utkin has left

  691. jgart has left

  692. antranigv has joined

  693. andrey.utkin has joined

  694. loopboom has joined

  695. riccio has left

  696. Maranda[x] has joined

  697. alacer has left

  698. snow has left

  699. riccio has joined

  700. loopboom has left

  701. grey has left

  702. grey has joined

  703. frog has left

  704. riccio has left

  705. riccio has joined

  706. savagepeanut has left

  707. savagepeanut has joined

  708. schäfchen726 has left

  709. schäfchen726 has joined

  710. djorz has left

  711. djorz has joined

  712. jaj

    You could have a cert which is valid for example.com and sub.example.com though. And the client could check whether the cert is valid for both. That's how it works for c2s anyway. So I don't see why http would be different

  713. me9 has left

  714. jaj

    FWIW XMPP c2s is vulnerable to the same kind of domain exploit, it is just manually checked by the client. XMPP clients could do the same kind of check independently of the http library they use

  715. jaj

    This is the way it is implemented in matrix which allows domain delegation with https

  716. marc0s has left

  717. marc0s has joined

  718. resoli has joined

  719. hshdhdhc has left

  720. xso has left

  721. xso has joined

  722. bean has joined

  723. bean has left

  724. msavoritias has left

  725. savagepeanut has left

  726. savagepeanut has joined

  727. schäfchen726 has left

  728. schäfchen726 has joined

  729. j.r (jugendhacker.de) has left

  730. j.r (jugendhacker.de) has joined

  731. bean has joined

  732. schäfchen726 has left

  733. schäfchen726 has joined

  734. bean has left

  735. belong has left

  736. Menel

    c2s is not vulnerable, because certs have to be valid for their host. Independent of the dns name. And yes, obviously clients need to check that. That's always true for everything.

  737. Menel

    There just isn't yet a rule for webstuff and normal webservers don't work that way. I guess Matrix isn't a normal webserver

  738. serge90 has joined

  739. Menel

    And yes, theoretically, xmpp connection methods could add it to a XEP to specify it and clients could implement it

  740. Licaon_Kter

    jaj: what's the difference between "manually checked by the client" and "automatically checked by the client"? :)

  741. belong has joined

  742. moparisthebest

    jaj: domain delegation with https is what host-meta files are in XMPP, it's secure

  743. Menel

    At the moment they don't. But generally, if you own example.net you can add stuff to .well-known/ there and everything works

  744. riccio has left

  745. $h00tthe®00t has left

  746. moparisthebest

    But the way the xmppconnect txt record was underspecified and used was incompatible with how any http server works, and I found dozens of vulnerable implementations

  747. karim has left

  748. karim has joined

  749. patasca has left

  750. patasca has joined

  751. jc has left

  752. jc has joined

  753. grey has left

  754. jaj

    > jaj: what's the difference between "manually checked by the client" and "automatically checked by the client"? :)
    "automatically" would be to just trust your http library (libcurl etc.) and if they don't error out on https then everything is okay. Manual would be to fetch the certificate and invoke some additional openssl magic to make sure the certificate is valid for all the domain names

  755. grey has joined

  756. jaj

    > There just isn't yet a rule for webstuff and normal webserver don't work that way.
    > I guess Matrix isn't a normal webserver
    Matrix runs behind a reverse proxy most of the time and nginx is quite happy to use a cert which is valid for both example.com and foo.example.com when example.com is your "pretty" domain and foo.example.com is the actual server

  757. djorz has left

  758. jaj

    Of course you can provide an IP for example.com and spin up a web server there to serve /.well-known but it's much less elegant IMO.

  759. andrey.utkin has left

  760. Licaon_Kter

    jaj: not sure I follow, you say domain and subdomain, while moparisthebest was way more complex with domain and different domain. You sure not talking past each other? :)

  761. moparisthebest

    In practice it doesn't really matter

  762. wael has left

  763. andrey.utkin has joined

  764. moparisthebest

    jaj: can you point to where matrix does delegation with DNS? I'm curious now

  765. djorz has joined

  766. jaj

    moparisthebest: https://github.com/matrix-org/synapse/blob/develop/docs/delegate.md

  767. jaj

    I have it working at joachim.cc. I have a SRV record for _matrix._tcp.joachim.cc which points to menial.joachim.cc and the certificate is valid for both joachim.cc and menial.joachim.cc

  768. jaj

    This is required by the spec and if the certificate is not valid for both, the client will error out

  769. Steven Roose has left

  770. marc0s has left

  771. jaj

    Also briefly explained here: https://matrix.org/blog/2020/04/06/running-your-own-secure-communication-service-with-matrix-and-jitsi

  772. jaj

    "Alternatively, you could advertise the server via DNS, if you don't have write access to /.well-known on your main domain. However, to prove you are allowed to host the Matrix traffic for dangerousdemos.net, you would have to configure nginx to use the dangerousdemos.net TLS certificate for the matrix.dangerousdemos.net vhost (i.e. the "wrong" one), and in general we think that /.well-known is much easier to reason about. In this case you would advertise the server with an SRV record like this: _matrix._tcp.dangerousdemos.net. 300 IN SRV 10 5 443 matrix.dangerousdemos.net."

  773. moparisthebest

    That says use .well-known and that DNS is not recommended, and links https://matrix.org/docs/spec/server_server/latest#resolving-server-names for how DNS works, still chasing it

  774. $h00tthe®00t has joined

  775. bung has left

  776. jzmartin has left

  777. etaurus has left

  778. etaurus has joined

  779. moparisthebest

    > If the /.well-known request resulted in an error response, a server is found by resolving an SRV record for _matrix._tcp.<hostname>. This may result in a hostname (to be resolved using AAAA or A records) and port. Requests are made to the resolved IP address and port, using 8448 as a default port, with a Host header of <hostname>. The target server must present a valid certificate for <hostname>.
    This is the relevant part, it's secure to do it this way, just impossible to configure most https servers this way, and not how any https clients work out of the box

  780. moparisthebest

    Basically fetch page https://bob.com/ but ask for TLS cert for example.com in SNI and Host: header

  781. pep.

    domain fronting?

  782. pep.

    Hmm not really

  783. pep.

    You're still getting bob.com

  784. riccio has joined

  785. moparisthebest

    You are connecting to bob.com's IP but asking for example.com

  786. guus.der.kinderen has joined

  787. guus.der.kinderen has left

  788. moparisthebest

    I wonder what clients/servers implement this and if they do it right considering it'd be trivial to get wrong

  789. Steven Roose has joined

  790. patasca has left

  791. patasca has joined

  792. ororo has joined

  793. sonny has left

  794. antranigv has left

  795. raver has left

  796. raver has joined

  797. Peter Waher has left

  798. sonny has joined

  799. Steven Roose has left

  800. Peter Waher has joined

  801. djorz has left

  802. Maranda[x] has left

  803. Steven Roose has joined

  804. xso has left

  805. riccio has left

  806. Trung has left

  807. me9 has joined

  808. xso has joined

  809. riccio has joined

  810. jaj

    Yes, you cannot have
    > Basically fetch page https://bob.com/ but ask for TLS cert for example.com in SNI and Host: header
    It would be problematic if you were to serve on bob.com a certificate which is valid exclusively for example.com but if you have a certificate which is valid for both then you're golden. And that's something that can be easily achieved even for letsencrypt. But indeed the client needs to check it correctly

  811. resoli has left

  812. antranigv has joined

  813. alacer has joined

  814. eevvoor has left

  815. grey has left

  816. grey has joined

  817. resoli has joined

  818. moparisthebest

    jaj: that's what the matrix spec suggests

  819. moparisthebest

    It doesn't say it can't be valid for bob.com of course but doesn't require or suggest it

  820. jaj

    Yes but in practice it will be valid for bob.com as well or the http server will complain

  821. Maranda[x] has joined

  822. moparisthebest

    The https server doesn't even know about bob.com in this case, only example.com

  823. belong has left

  824. Steven Roose has left

  825. jaj

    Anyway I didn't want to complain or anything, I was just wondering whether this was possible. I found the documentation a bit misleading because it says TXT records have been deprecated and you can use SRV records but just not for the same protocol

  826. belong has joined

  827. jaj

    I thought maybe you could have a _xmpp-client SRV record which points to an http port and then magically the client would detect it's http and switch to BOSH or ws

  828. Steven Roose has joined

  829. Licaon_Kter

    jaj: only web clients use bosh/ws anyway

  830. moparisthebest

    Licaon_Kter: untrue

  831. Licaon_Kter

    Oh?

  832. resoli has left

  833. jaj

    Something like that:
    _xmpp-client._tcp.example.net. TTL IN SRV 10 0 5222 foo.example.com.
    _xmpp-client._tcp.example.net. TTL IN SRV 20 0 443 foo.example.com.

  834. frog has joined

  835. moparisthebest

    jaj: how do you discover the path etc? That's not hardcoded

  836. jaj

    Yes indeed, that's a problem I was considering

  837. wurstsalat has left

  838. moparisthebest

    Licaon_Kter: pidgin supports Bosh, gajim supports WebSocket for sure and I think Bosh too...

  839. Licaon_Kter

    Interesting, good to know

  840. moparisthebest

    converse-tauri also ;)

  841. riccio has left

  842. djorz has joined

  843. patasca has left

  844. patasca has joined

  845. dora71 has left

  846. Christopher M0YNG has left

  847. Christopher M0YNG has joined

  848. kuba_ has left

  849. kuba_ has joined

  850. tbm16 has joined

  851. snow has joined

  852. raver has left

  853. Chris Mac has joined

  854. raver has joined

  855. antranigv has left

  856. antranigv has joined

  857. bean has joined

  858. bean has left

  859. bean has joined

  860. bean has left

  861. jc has left

  862. Steven Roose has left

  863. pod has left

  864. jaj

    moparisthebest: I looked at XEP-0368 about using XMPP with ALPN. It's very interesting and nearly what I need. Unfortunately, the institution I have in mind allows outgoing connections only over an authenticated http proxy, so websocket works but if you start talking XMPP over port 443, the http proxy will not like it. Using a hosted movim or converse instance works of course :)

  865. ibikk has left

  866. Maranda[x] has left

  867. p42ity has left

  868. catchy has left

  869. Menel has left

  870. resoli has joined

  871. moparisthebest

    jaj: most http proxies accept a CONNECT command and proxy TLS directly without MITM'ing it, xep368 works fine over this, if they MITM then all bets are off

  872. moparisthebest has left

  873. moparisthebest has joined

  874. karme has left

  875. belong has left

  876. belong has joined

  877. bean has joined

  878. bean has left

  879. earthling has left

  880. me9 has left

  881. andrey.utkin has left

  882. andrey.utkin has joined

  883. earthling has joined

  884. writer77 has left

  885. riccio has joined

  886. resoli has left

  887. bean has joined

  888. bean has left

  889. moparisthebest has left

  890. p42ity has joined

  891. ralphm has left

  892. ralphm has joined

  893. marc0s has joined

  894. balabol.im has left

  895. ernst.on.tour has left

  896. schäfchen726 has left

  897. schäfchen726 has joined

  898. ernst.on.tour has joined

  899. marc0s has left

  900. marc0s has joined

  901. ororo has left

  902. Steven Roose has joined

  903. Maranda[x] has joined

  904. riccio has left

  905. marc0s has left

  906. marc0s has joined

  907. huxxer has left

  908. nicoco has left

  909. patasca has left

  910. Django has left

  911. riccio has joined

  912. mirux has left

  913. tbm16 has left

  914. snow has left

  915. p42ity has left

  916. TheCoffeMaker has left

  917. TheCoffeMaker has joined

  918. patasca has joined

  919. ij has left

  920. djorz has left

  921. riccio has left

  922. djorz has joined

  923. John has left

  924. dominion has left

  925. moparisthebest has joined

  926. John has joined

  927. jzmartin has joined

  928. sonny has left

  929. papatutuwawa has left

  930. sonny has joined