-
b1t.rip admin
Wirlaburla: what's up. joined here to antagonize me some more I suppose??
-
b1t.rip admin
ignored.
-
Wirlaburla
I've been here for quite awhile.
-
rewtkid
don't care, save your sly remarks for some other place. no one wants to hear it
-
rewtkid
ignored here as well
-
luca
My certificates will expire soon. What will happen federation wise with my server?
-
rewtkid
depends on configuration of other servers, some servers like mine will accept "invalid" certs. others will not.
-
rewtkid
just renew your certs?
-
luca
Work in progress
-
luca
> depends on configuration of other servers, some servers like mine will accept "invalid" certs. others will not.
Will all users in a muc receive my messages? Only some? Will the whole muc not see my messages?
-
rewtkid
most will probably get a certificate error
-
rewtkid
meaning they will not even be able to connect to your server
-
rewtkid
but like I said it depends on the configuration of whatever server they are using, as well
-
Guus
luca: I'm not sure. It will likely differ from client to client. I don't expect that users that are idle will receive a warning. Users that try to send a message may receive errors like 'service unavailable'
-
luca
What about federated mucs like this one? Assuming xmpp.org allows expired certs, will everything work as usual? Or is it still client dependent?
-
ernst.on.tour
My server will drop your connection. Your clients/members will get no msg anymore
-
snikket dot deeeeee
Yes, we all will see your messages here. Because xmpp.org is the relevant server, and it allows that
-
snikket dot deeeeee
The rest of us here are also only connected to xmpp.org, not to your server. So I'll see your messages here. If we tried to talk 1:1, not in this channel, then it wouldn't work. Because my server would reject the connection
-
luca
Ok, thanks!
-
ernst.on.tour
*This* server will keep working, but others will not. What is the problem with getting a new cert?
-
moparisthebest
> My server will drop your connection.
> Your clients/members will get no msg anymore
ernst.on.tour: most (all?) servers (and clients) won't actually drop active connections when a cert expires, they just won't successfully connect again when they get disconnected
-
ernst.on.tour
For sure, but my line is dropped once a night 😉
-
snikket dot deeeeee
> What about federated mucs like this one? Assuming xmpp.org allows expired certs, will everything work as usual? Or is it still client dependent?
Clients only ever connect to your own server, so this behavior is not client dependent. The only client dependent thing is whether your own clients will connect to your server with an expired cert
-
luca
> *This* server will keep working, but others will not. What is the problem with getting a new cert?
Some authentication issue from acme.sh (the script) to cloudflare. I'll find a fix for it eventually, but it might take a while
-
Guus
Many servers will drop server-to-server connections after a time of inactivity. With an expired cert, those connections won't be re-established.
-
ernst.on.tour
Didn't know acme.sh, I'm using getssl.sh
-
moparisthebest
I've been happily using acme.sh for many years
-
ernst.on.tour
Same for me with getssl.sh 😉
-
luca
> Didn't know acme.sh, I'm using getssl.sh
Thanks, I might switch if I don't figure this out :P
-
snikket dot deeeeee
Then there is dehydrated too, that's my favorite. I hope we have all relevant shell clients covered then 😊
-
Polarian
> https://b1t.rip/xmpp.php
rewtkid: is it really wise to have no logs, and no way of seeing how your service is being used... I get privacy and everything but this leaves you open to nasty allegations... how do you know the service isn't being exploited?
-
moparisthebest
Well he has no proof it is right? ;)
-
Polarian
> Well he has no proof it is right? ;)
Well as soon as I saw "Anarchism now" I kinda figured it all out 🙂
-
mirux
Establishing a secure connection to chat.cluxia.eu failed. Certificate hash: ff7670eb77c7a3f65d589252906b52ea1ffc00e5. Error with certificate 0: certificate has expired.
-
mirux
operator around from that server?
-
rewtkid
Polarian: if abuse is reported to the admin account, I can block it then. as of right now I've had no issues.
-
rewtkid
Polarian: hey, what's wrong with the anarchism blinkie?
-
rewtkid
oh and, I do get a message when someone's registered, however it only includes their username and timestamp, not anything else. I guess I should add that there
-
rewtkid
so if someone starts creating tons of accounts to spam or whatever, it wouldn't be hard to find which ones are them and block them.
-
rewtkid
the service is relatively new (started in 2023), so I haven't faced any issues like this, yet.
-
Polarian
> Polarian: if abuse is reported to the admin account, I can block it then. as of right now I've had no issues.
hmmm
-
Polarian
> Polarian: hey, what's wrong with the anarchism blinkie?
let's not get political :)
-
Polarian
it just explains the... point of view, let's just say
-
rewtkid
don't worry, I'm not all leftist anarchist-antifa or anything, I just don't like the idea of a central authority :D
-
rewtkid
but yes, let's not get politial, probably not the place
-
rewtkid
s/politial/political
-
moparisthebest
rewtkid: it's crystal clear to anyone paying attention that data is toxic, so less is better, and none is best, keep it up https://www.schneier.com/essays/archives/2016/03/data_is_a_toxic_asse.html
-
opinionplatform.org
Data is not the new gold or oil?
-
Polarian
> rewtkid: it's crystal clear to anyone paying attention that data is toxic, so less is better, and none is best, keep it up https://www.schneier.com/essays/archives/2016/03/data_is_a_toxic_asse.html
Don't confuse data required to provide a service, and data required to protect yourself, with data harvesting
-
Polarian
keeping logs is important
-
Polarian
One of the most important parts of security is monitoring logs for bad actors... no logs... no ability to do so
-
Polarian
it's got a name, I forgot it... but you get the point
-
rewtkid
Polarian: my XMPP server is not a huge attack surface, it's in its own container with nothing else besides the XMPP daemon. I also have low and high interaction honeypots set up on my server, for any possible threats. the logs for all of those get sent to an XMPP muc on my server.
-
Polarian
> Polarian: my XMPP server is not a huge attack surface, it's in its own container with nothing else besides the XMPP daemon. I also have low and high interaction honeypots set up on my server, for any possible threats. the logs for all of those get sent to an XMPP muc on my server.
but then you quote ZERO log storage
-
Polarian
and yet you send them to a muc
-
rewtkid
I actually have honeypots set up on my backend and all my frontend round robin servers.
-
rewtkid
yes, the XMPP server keeps not logs.
-
rewtkid
no*
-
Polarian
but you said you send the logs to a muc
-
rewtkid
meaning the XMPP service only. I never claimed there weren't other services running on the same server that keep logs.
- Polarian is confused
-
rewtkid
you can disable logs for the XMPP daemon and have other services still keep logs.
-
Polarian
hmmm
-
rewtkid
normal XMPP users won't have anything logged. any threat actors scanning or trying to hack into my box will likely get caught in a pot and I will see it.
-
Polarian
No IPv6 support?
-
Polarian
damn
-
rewtkid
soon there will be. not yet, though.
-
Polarian
also server info is unsupported
-
Polarian
I assume that is intentional though
-
Polarian
hmm
-
Polarian
rewtkid, you proxy your traffic through someone else though?
-
rewtkid
no, the round robin servers are also run by me. I don't use anything like cloudflare
-
Polarian
> no, the round robin servers are also run by me. I don't use anything like cloudflare
CGI global limited? that's you?
-
rewtkid
that is the ISP.
-
Polarian
or they provide hardware?
-
Polarian
oh
-
Polarian
they are an ISP
-
Polarian
what if your ISP logs your packets, then surely there is logging 😉
-
Polarian
no srv records?
-
rewtkid
that's what encryption is for. also, as far as I know, there is nothing like this going on. however, you can't be too sure.
-
Polarian
well the ISP owns no IPv6 blocks
-
Polarian
so... you will need to proxy for IPv6 support
-
rewtkid
when it comes to privacy it's probably safe to assume everything is being intercepted or logged on the internet, so just use encryption. there's a reason encryption is standard in everything now.
-
Polarian
which thus means you got a third party to worry about too 🙂
-
Polarian
welp, I'm done being nosy... see it as some friendly karma for /info'ing me 🙂
-
Polarian
> no srv records?
Why no srv records though?
-
Polarian
doesn't hurt to have them?
-
rewtkid
what exactly do I need them for?
-
Polarian
standardisation I guess
-
rewtkid
I guess I can add them, I just didn't see a reason to.
-
Polarian
technically you don't need tcp round robin if you used srv records
-
Polarian
wait no you
-
Polarian
but also yes
-
Polarian
it allows flexibility, put a higher weight in
-
rewtkid
also I don't see it as karma, it's all public information, as is anything I can get by /info'ing you. so I don't mind
-
Polarian
also multiple A records already have a similar effect as round robin too
-
Polarian
clients tend to pick a random address but I guess it depends on the implementation
-
Polarian
meh if it works it works, I was just curious why there was no srv records
-
Polarian
it was not criticism
-
rewtkid
i understand
-
rewtkid
mainly the only reason I have it set up like that is because we were under DDoS attacks in the past, and the way I set it up seemed to distribute their attack across all servers and prevented downtime.
-
rewtkid
I'm sure there is a better way to handle it, that's just how I set it up in a pinch, and it certainly does need improvement. I'm still yet to get moparisthebest's xmpp-proxy set up properly with prosody. tried before, but couldn't seem to get it to work properly.
-
rewtkid
it would work for some users, then for some reason others would not be able to connect. so I'm still yet to get that part figured out
-
rewtkid
actually, I did have it properly set up. but it was the s2s_proxy module that would not work properly; for some reason, I could not establish any outbound connections to other servers when using it.