XMPP Service Operators - 2023-12-22


  1. Licaon_Kter

    PSA: https://www.postfix.org/smtp-smuggling.html

  2. Martin

    > Establishing a secure connection from mdosch.de to pwned.life failed. Certificate hash: d4f7cd6edcffbc5780174ec0f9e8ea97fe8fe71afe9a6a591ff907f8305237ba. This certificate is invalid for pwned.life.

    Oh no, I can't get my pwned because they failed to get valid certs. 😂

  3. Martin

    Amolith: Is that your domain? The website claims to be yours.

  4. Martin

    Forwards to nixnet.services.

  5. Amolith

    Martin, yes, it's mine. Thanks for the ping. Cert rotation should be set up and working properly 🤔

  6. Amolith

    > v:NotBefore: Nov 25 16:19:43 2023 GMT; NotAfter: Feb 23 16:19:42 2024 GMT 🤔

  7. Amolith

    ```
    $ echo | openssl s_client -showcerts -servername pwned.life -connect pwned.life:443 2>/dev/null
    Connecting to 49.12.186.223
    CONNECTED(00000003)
    ---
    Certificate chain
     0 s:CN=pwned.life
       i:C=US, O=Let's Encrypt, CN=R3
       a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
       v:NotBefore: Nov 25 16:19:43 2023 GMT; NotAfter: Feb 23 16:19:42 2024 GMT
    ```

    🤔

  8. jonas’

    odd

  9. jonas’

    also looks good on s2s

  10. jonas’

    don't know how to get the certificate hash out of openssl to compare with Martin's output

  11. Amolith

    ```
    $ export SERVER=pwned.life && echo | openssl s_client -showcerts -servername $SERVER -connect $SERVER:443 2>/dev/null | openssl x509 -inform pem -pubkey -noout 2>/dev/null | openssl ec -pubin -outform der 2>/dev/null | sha256sum
    865926349f5bd42f337288a742843cd22e9953d2642e12047fd9ed3f345cdad1
    ```

  12. Amolith

    This gets a hash suitable for TLSA records. Not sure whether it's the same method Martin used though

    ```
    $ export SERVER=pwned.life && echo | openssl s_client -showcerts -servername $SERVER -connect $SERVER:443 2>/dev/null | openssl x509 -inform pem -pubkey -noout 2>/dev/null | openssl ec -pubin -outform der 2>/dev/null | sha256sum
    865926349f5bd42f337288a742843cd22e9953d2642e12047fd9ed3f345cdad1
    ```

  13. jonas’

    dunno if that's the same hash method as the module Martin uses.

  14. Martin

    Prosody devs probably know.

  15. Menel

    Seems to work (now?) in any case