XMPP Service Operators - 2023-12-21


  1. mightyBroccoli

    There will be a 3h downtime of magicbroccoli.de XMPP service tomorrow starting at 10:00 german time up until 13:00 german time.

  2. mitrov

    Best of luck

  3. nuegia.net

    I'm switching primary nameservers

  4. nuegia.net

    no downtime is expected but this is a major change

  5. moparisthebest

    nuegia.net: direct TLS requires SRV records so slap some xmpps-server on there :)

  6. mitrov

    What is benefit of direct TLS?

  7. moparisthebest

    For servers, slightly faster, more details here: https://xmpp.org/extensions/xep-0368.html#usecases

  8. unix.dog

    I've heard varying things about XMPPS, but I think one of its use-cases is making it slightly easier to access XMPP behind shitty firewalls

  9. unix.dog

    (you can set it to port 443 and then it kind of just looks like HTTPS, but it’s dumb that you have to do that…)

  10. moparisthebest

    That's the main advantage for clients yes

  11. moparisthebest

    You never know when you might encounter a crappy WiFi firewall

  12. unix.dog

    I swear I've heard people call it "deprecated" though

  13. moparisthebest

    You mean jabber on 5223? That indeed was deprecated in 1999 or whatever; the IETF was big into STARTTLS and only handing out 1 port per protocol, it was the early days when unencrypted was ok

  14. unix.dog

    oooh, i see

  15. unix.dog

    that's interesting

  16. moparisthebest

    But now everything is expected to be encrypted, and xep368 standardizes it with a way to discover it (srv records)

  17. unix.dog

    makes sense. thanks for explaining

  18. moparisthebest

    np 🤜🤛

  19. Guus

    > are SRV records for every xmpp component necessary?
    >
    > someone suggested i setup srv records for dig SRV _xmpp-server._tcp.conference.nuegia.net
    If you use standard tcp ports, you can sometimes get away with having A and/or AAAA records only, but you might as well add SRV records for all of the components that users on remote domains may want to access. These include MUC services, but also Pub-Sub services, for example. Make sure that the TLS certificate of your server also covers these subdomains, or people will still have issues with establishing a connection to your services.

  20. Licaon_Kter

    unix.dog:
    > conference, pubsub, biboumi, etc
    If your biboumi is only for local users you don't even need a DNS entry :)

  21. nuegia.net

    I switched my DNS provider to one that doesn't have bugs with setting complex SRV records.

  22. nuegia.net

    setup SRV records for conference

  23. nuegia.net

    i'll add srv records for pubsub and biboumi later

  24. nuegia.net

    I'm not sure if anything is using the pubsub service I may turn it off if that's the case.

  25. nuegia.net

    Is pubsub used for anything?

  26. nuegia.net

    > What is benefit of direct TLS?
    mitrov, none really, slightly fewer round-trip packets to set up a long-lived TCP connection anyway

  27. nuegia.net

    direct TLS was mainly a temporary stopgap to add SSL functionality to servers without having to make any changes to the daemons, with a TCP add-on like stunnel.

  28. nuegia.net

    Once server software implemented TLS it was advised to switch back to using one port and then issuing the STARTTLS command

  29. nuegia.net

    STARTTLS isn't unencrypted by any means, and it's no less secure than TLS

  30. nuegia.net

    it is easier to reverse proxy

  31. nuegia.net

    and troubleshoot

  32. moparisthebest

    it's less secure if you don't enforce it, can be stripped, luckily most (all?) servers nowadays are configured to require encryption

  33. nuegia.net

    so can TLS if you don't enforce a ciphersuite

  34. moparisthebest

    but TLS is clearly easier to reverse proxy since everything supports it, so not sure what you mean there ?

  35. nuegia.net

    TLS has NULL ciphers

  36. moparisthebest

    which equally applies with STARTTLS

  37. moparisthebest

    so a non-argument in comparing them

  38. Menel

    Since we all require encryption it's just an evolutionary atavism

  39. nuegia.net

    even TLS sends the domain name you're trying to connect to in the clear, so you can have multiple encrypted sites on the same port. The only difference here is do you want to send the domain name in human-readable format, or a binary format.

  40. nuegia.net

    do you want an extra port hanging around you have to maintain in your firewall

  41. mitrov

    do any xmpp clients/servers support ech yet?

  42. Menel

    No

  43. nuegia.net

    ech?

  44. mitrov

    encrypted client hello

  45. Menel

    Well maybe moparisthebest proxy 🙂

  46. moparisthebest

    mitrov, no but the spec that enables it was just submitted, I'm still trying to convince folks to adopt it

  47. mitrov

    awesome

  48. nuegia.net

    oh

  49. nuegia.net

    ESNI

  50. Menel

    But are our sever addresses really sooo secret?

  51. nuegia.net

    no

  52. nuegia.net

    their domains

  53. moparisthebest

    it *was* ESNI, but now it's ECH because it protects more than SNI, for example also ALPN

  54. mitrov

    it can help with restrictive firewalls and mass surveillence

  55. mitrov

    and isps selling browsing history

  56. nuegia.net

    also consider that if you enable that, you're throwing out the ability to route connections with a reverse proxy without having to trust your reverse proxy server to do TLS termination.

  57. moparisthebest

    > do you want an extra port hanging around you have to maintain in your firewall
    nuegia.net, what are you talking about

  58. Menel

    One reverse lookup on my domain, and there is the domain anyway

  59. Menel

    *ip

  60. nuegia.net

    vhosts but for tls is a useful feature

  61. Menel

    >> do you want an extra port hanging around you have to maintain in your firewall
    > nuegia.net, what are you talking about
    Maybe we should close the starttls port 😊

  62. mitrov

    if dtls is better, why is starttls used?

  63. nuegia.net

    and break compatibility with all XMPP implementations since 1999?

  64. nuegia.net

    why

  65. moparisthebest

    what is this multiple ports you are talking about ???

  66. moparisthebest

    listen on 443 only

  67. Menel

    Because they don't connect to my sever anyway

  68. nuegia.net

    having a second port for dtls

  69. moparisthebest

    don't do that, it's silly

  70. nuegia.net

    you're also making it very difficult to adapt XMPP to ham radio

  71. mitrov

    ...

  72. nuegia.net

    or non-IP protocols

  73. nuegia.net

    for no good reason

  74. unix.dog

    what does encryption have to do with non-IP protocols

  75. Menel

    They all don't connect to my sever. You could setup srv records for them

  76. nuegia.net

    well some transports provide confidentiality by themselves and don't need tls,

  77. nuegia.net

    onion routing for one

  78. unix.dog

    ah, yeah

  79. mitrov

    is there a srv record generator?

  80. moparisthebest

    I listen for HTTPS (nginx), STARTTLS (XMPP), Direct TLS (XMPP), Websocket (XMPP), IMAPS (dovecot), SMTPS (postfix), and SSH (openssh) on TCP port 443

  81. unix.dog

    but if you’re providing a strictly clearnet service anyway, it’s not like dropping STARTTLS for DTLS from default configurations is bad

  82. Menel

    mitrov: no, because all the input masks look different on any provider

  83. nuegia.net

    yeah it is

  84. moparisthebest

    onion routing needs TLS too for S2S auth

  85. moparisthebest

    doesn't need valid CA signed cert, but it needs any old self signed cert

  86. nuegia.net

    it's a major breaking change that goes against standards for a negligible benefit, for something that doesn't even need to be hyper-optimized

  87. Menel

    mitrov: https://prosody.im/doc/dns Doesn't get much better than what you see here

  88. moparisthebest

    what's a breaking change ?

  89. nuegia.net

    so wait if you reduce a few round trips for a long lived TCP connection?

  90. unix.dog

    i think that’s a bit of an exaggeration. It’s been in standards for ages now, and it’s not exactly a breaking change

  91. nuegia.net

    it's change for the sake of change.

  92. moparisthebest

    you are saying an additional transport that is discoverable is a breaking change? that's crazy

  93. unix.dog

    moparisthebest, i don’t think a tone like that is appropriate or useful

  94. Menel

    > what's a breaking change ?
    My (not totally serious) proposal to reverse the standard what port to connect and what to expect there (starttls and direct tls)

  95. nuegia.net

    no, i'm saying removing starttls is

  96. moparisthebest

    XEP-0368 explicitly spells out the reasons for it, it solved real problems for me

  97. Guus

    One strategy for a server admin could be to allow for as many different ways for others to connect to you, to provide optimal interoperability. Some people will want to use direct TLS, others STARTTLS. As long as you deem the configurations secure enough, you may not want to limit their options.

  98. moparisthebest

    maybe one day we'll be able to remove STARTTLS but indeed we are far from that

  99. Licaon_Kter

    Could you all stop calling direct tls as `dtls`? Thanks

  100. Menel

    > Could you all stop calling direct tls as `dtls`? Thanks
    ❤️

  101. moparisthebest

    indeed, dtls is something different

  102. nuegia.net

    you don't break core-xmpp

  103. moparisthebest

    no argument there, but can we extend it ?

  104. nuegia.net

    yes

  105. moparisthebest

    ok good cause that's what XEP-0368 is, and now QUIC and WebTransport ;)

  106. deport

    nuegia.net: did you change your name server?

  107. nuegia.net

    deport, I did.

  108. mitrov

    can prosody or ejabberd natively use 443 for all connections? c2s/s2s/httpupload?

  109. deport

    hmm, I thought you were on the same one before

  110. unix.dog

    yeah, I take some of what I said back. It's good to have options, but I think in my idea of an ideal world we'd just have guaranteed encrypted communications at the network layer

  111. unix.dog

    like onion routing or yggdrasil or whatever other options there are

  112. moparisthebest

    mitrov, I think prosody can with mod_net_multiplex, but I use sslh, you could also use xmpp-proxy

  113. unix.dog

    > ok good cause that's what XEP-0368 is, and now QUIC and WebTransport ;)
    what's webtransport?

  114. nuegia.net

    deport, I had multiple nameservers before for redundancy. Most of the DNS traffic was weighted to my old provider. The rest was slave DNS servers replicating from the primary. I promoted the slave servers to primary and removed the old provider's NS records.

  115. moparisthebest

    tl;dr of webtransport is QUIC that browser clients can also use https://www.w3.org/TR/webtransport/

  116. unix.dog

    hm, so is it like web sockets 2.0?

  117. nuegia.net

    unix.dog, look at IPSEC

  118. nuegia.net

    also the authenticity problem is still not solved. Even the creators of tls said certificate authorities were just a stop-gap until somebody could figure out a better solution.

  119. unix.dog

    > unix.dog, look at IPSEC
    I've heard of IPSEC

  120. nuegia.net

    and a spec with no implementation is useless

  121. unix.dog

    > and a spec with no implementation is useless
    are you referencing a specific spec? or just in general

  122. nuegia.net

    in general

  123. unix.dog

    yeah

  124. Menel

    mitrov: prosody can do everything direct TLS on one port (including https) and unencrypted + starttls on another.

  125. nuegia.net

    but that could be said for a lot of xeps

  126. unix.dog

    it really can be

  127. nuegia.net

    Menel, calling STARTTLS "unencrypted" is intellectually dishonest

  128. unix.dog

    personally I like the idea that instead of assigned numbers, we can simply use public keys as routing endpoints. Therefore by sending information “to” a public key, you’re technically guaranteeing authenticity as well

  129. moparisthebest

    well starttls allows for unencrypted connections, that indeed was the entire point of it

  130. unix.dog

    that’s basically what Tor does with onion address anyway

  131. nuegia.net

    moparisthebest, NO it does not. That's a policy decision enforced by the client and the server. It has nothing to do with STARTTLS.

  132. moparisthebest

    starttls does, a server/client can of course enforce encryption over it anyway, but that's different

  133. Menel

    nuegia.net: I didn't write that and didn't mean that. But it is how prosody works. Unencrypted AND starttls need to be on one port (http), direct TLS including https on another

  134. nuegia.net

    just like it's a POLICY decision to allow NULL ciphers with TLS.

  135. moparisthebest

    nuegia.net, XEP-0368 directtls is implemented by all major servers and clients for some time now, and will be helpful to let your clients connect from shitty wifi if you listen on 443

  136. moparisthebest

    good TLS libraries don't even implement NULL ciphers (rustls)

  137. nuegia.net

    try allowing unencrypted submission and see how far you really get. Most email clients or even SMTP daemons won't let you allow authenticated transactions without first issuing STARTTLS, without source code changes.

  138. moparisthebest

    very soon (with ech) you will be able to make all your XMPP connections without announcing they are XMPP connections or what domain they are to, that's a real win, but only possible with direct tls and quic, not starttls

  139. nuegia.net

    > and will be helpful to let your clients connect from shitty wifi if you listen on 443
    sure, and that's helpful. But that doesn't mean you should stop listening on port 5222 for starttls either.

  140. moparisthebest

    see https://www.rfc-editor.org/rfc/rfc7258.html

  141. moparisthebest

    >> and will be helpful to let your clients connect from shitty wifi if you listen on 443
    > sure, and that's helpful. But that doesn't mean you should stop listening on port 5222 for starttls either.
    if an extra port scares you, you can listen for starttls on 443 also, everything does SRV records, nothing hard-codes 5222 (it's just a fallback)

  142. nuegia.net

    I've read that RFC before, I'm well aware of its contents

  143. MattJ

    moparisthebest [06:29]:
    > well starttls allows for unencrypted connections, that indeed was the entire point of it
    Not the entire point - it let you choose the domain name before a certificate was presented. It's easy to forget how relatively recent SNI is, and how multiple domains used to require dedicated IP addresses. Another reason for starttls was using fewer ports. At the time XMPP was standardized at the IETF, many internet people were concerned about "running out of ports", so they didn't want us to standardize 5223 (which was widely used).

  144. moparisthebest

    yep

  145. mightyBroccoli

    magicbroccoli.de is up again 🥦️

  146. Guus

    mightyBroccoli : can you please look into accounts kievlyaninz necessarilyt and vstavkaz? They're sending spam to us. I assume they're automated spam accounts.

  147. mightyBroccoli

    On it.

  148. Guus

    Thank you

  149. noob123

    How do you check the version of the server you are running from the linux terminal? Was trying to use ejabberdctl

  150. unix.dog

    ejabberdctl status prints the version for me

  151. noob123

    thank you...let me try

  152. noob123

    yes, that worked

  153. noob123

    Anyone ever have issues with large MUCs crashing conversejs and resetting the connection? Caveat: I am running a bit of an older version of ejabberd, 21.

  154. Licaon_Kter

    noob123: converse has a lot of crashes... https://github.com/conversejs/converse.js/issues/3043

  155. noob123

    Read through this and looks similar to the issues I am experiencing.