XMPP Service Operators - 2024-08-09


  1. worlio.com

    What possible reason could there be for why new users are having issues seeing the avatars of others in a semi-anonymous MUC? It seems to be oddly inconsistent, with each user seeing different users with and without an avatar, and some having no issues at all. I have found no consistency with s2s, clients, networks, or whether the users have added themselves.

  2. Menel

    One possible reason can be different clients and what vCard standard they support. As a server admin one can only deploy a module to do https://xmpp.org/extensions/xep-0398.html and hope for the best

  3. worlio.com

    The clients this was mostly seen on are Gajim and monocles, suggesting to me it isn't a client issue as these should be up-to-date.

  4. worlio.com

    The clients this was mostly seen on are Gajim and monocles, suggesting to me it isn't a client issue as these should be up-to-date.

  5. nuegia.net

    That module had some bugs and needed to be disabled

  6. nuegia.net

    In prosody

  7. nuegia.net

    At some point I had to remove it and go back to vcards instead of pep

  8. nuegia.net

    Most of the clients used vcard anyways

  9. nuegia.net

    Something to do with a conflict in the database

  10. worlio.com

    The problem was the default account settings sets the sharing of the vCard to be contact only, and every client needed to be restarted in order for the avatars to be updated.

  11. worlio.com

    Someone in the MUC figured it out and told everyone how to change the setting.

  12. Menel

    In what client, gajim I suppose worlio.com?

  13. Trung

    so you can't share the card, you need to restart ?

  14. worlio.com

    Any client they would use seemed to exhibit the problem, but the guide the user who discovered it shared around was for Gajim.

  15. Menel

    nuegia.net: I think most clients fallback to vCard if they don't see the conversion module, to not split the avatar storages. Eternally stuck at vcard that has no good permission options

  16. kapad

    what is the new address of servers@joinjabber.org ?

  17. kapad

    Kris?

  18. Kris

    same?

  19. Kris

    we moved the server, but the address is still the same

  20. Kris

    you have connection issues? Here it seems to work fine

  21. kapad

    yes, psi says cert is expired

  22. Kris

    odd

  23. Kris

    you are the second person that claims that there is a certificate issue. but it seems to work fine and there are many people connected

  24. kapad

    ```
    CheckCert joinjabber.org s2s
    service: joinjabber.org port: 5269 proto: s2s
    * : openssl s_client -showcerts -connect joinjabber.org:5269 -starttls xmpp-server -xmpphost joinjabber.org
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: C = US, O = Let's Encrypt, CN = R3
    Not Before: May 6 14:19:25 2024 GMT
    Not After : Aug 4 14:19:24 2024 GMT
    Subject: CN = joinjabber.org
    ```

  25. Martin

    https://files.mdosch.de/upload/bhOCZozEAyrnp_dvXu34FERO/XjN1rFBRT-O96KSKk5rNcA.jpg

  26. kapad

    i think it's almost to a week now

  27. Martin

    Kris: Seems still expired to me.

  28. Kris

    yeah, I can replicate it via openssl

  29. Kris

    ok MsSavoritas will fix it tomorrow morning. we are still in the middle of reworking our certs automation, so it looks like something went wrong with the temporary fix

  30. Kris

    sorry for the trouble

  31. kapad

    ✌️

  32. Martin

    > but it seems to work fine and there are many people connected

    Many servers don't check certs? 😲

  33. kapad

    /offtopic
    ```
    Input #0, ogg, from 'https://ua3.anondns.net/radio/live':
      Metadata:
        icy-name : live
        icy-pub : 0
        icy-url : /radio/live
      Duration: N/A, start: 127.137959, bitrate: 112 kb/s
      Stream #0:0: Audio: vorbis, 44100 Hz, stereo, fltp, 112 kb/s
      Metadata:
        title : Kick Bong - Just Let Go
        server : Icecast 2.4.4
    ```

  34. Kris

    > > but it seems to work fine and there are many people connected
    > Many servers don't check certs? 😲

    there are lots of servers that accept expired certs, yes. I also recently did that on my server to route around some problems with another server. Was meant to be only temporarily

  35. Kris

    🤷‍♂️️

  36. moparisthebest

    My money is on the servers that connected anyway having dialback enabled... But that should probably be tested and dialback impls probably shouldn't try to connect anyway if the cert is expired?

  37. kapad

    in ejabberd even some domain that have no cert records works normal without the need of dialback. i have disable it some years now, never meet an issue

  38. moparisthebest

    > in ejabberd even some domain that have no cert records works normal without the need of dialback. i have disable it some years now, never meet an issue

    That shouldn't be possible for s2s, certs and dialback are the only 2 authentication methods, no?

  39. kapad

    moparisthebest: sorry, i think i meant DNS records, of course domains have certs

  40. kapad

    don't exactly remember what my problem was and use dialback to solve it ...

  41. Menel

    Ah I thought you know you had the cert and server issue so I didn't report. I've that issue ongoing too with joinjabber

  42. Menel

    Ah I thought you know you had the cert and server issue so I didn't report. I've that cert issue ongoing with joinjabber too

  43. MSavoritias (fae/ve)

    on the jj issue writing it here also (wasnt part of the group before for a while) i am gonna fix it tomorrow

    👍 2
  44. Martin

    > My money is on the servers that connected anyway having dialback enabled...

    My server refused to connect a few days ago but connected right now. No dialback enabled. Maybe dane?

  45. moparisthebest

    Interesting... Are there multiple servers?

  46. moparisthebest

    Martin: joinjabber.org appears to have no srv or tlsa records

  47. moparisthebest

    And 1 IP

  48. Menel

    Hm? I've still got no connection because of the cert. Mysterious case, considering we have nearly the same setup Martin

  49. Martin

    Then it's weird.

  50. Martin

    I was even the one who reported being unable to connect due to cert issues on 3. August.

  51. moparisthebest

    Kris, MSavoritias (fae/ve): link on front page to https://chat.joinjabber.org/ is broken too, cert invalid for that name

  52. moparisthebest

    Martin: can you grep logs to see how you connected :/

  53. Martin

    Yeah, but need to get home first. No fun on phone screens.

  54. Menel

    I've got no cert issue for https://chat.joinjabber.org

  55. Kris

    yeah, the chat. webclient is currently broken

  56. Martin

    ACAB!

  57. Menel

    I've got no cert issue for https://chat.joinjabber.org

  58. Kris

    it's all work in progress due to the server move

  59. moparisthebest

    > I've got no cert issue for https://chat.joinjabber.org

    That points to a DNS issue where we are connected to different servers (: is the old server still up Kris ?

  60. Kris

    the problem is that everything is recreated from ground up in guix and the cert creation via dns-01 challenge isn't finished

  61. Kris

    so it was just a quick workaround to create the certs for the main website

  62. Menel

    Hm testssl confirms no valid SAN but fennec is happy what's going on today 👀

  63. moparisthebest

    > Hm testssl confirms no valid SAN but fennec is happy what's going on today 👀

    Haha that's worse

  64. moparisthebest

    🐛, 🐛 everywhere

  65. Menel

    Hm. I'm guessing I must have pressed OK for insecure connection at some point in the past for that website. After clearing the data for the website it is correctly distrusted

  66. Martin

    > Aug 09 21:01:01 s2sout55b9b8f9b180 info Outgoing s2s stream mdosch.de->joinjabber.org closed: stream closed
    > Aug 09 21:01:01 s2sout55b9b8f9b180 debug Destroying outgoing session mdosch.de->joinjabber.org
    > Aug 09 21:01:01 unbound.queryVw0GSs4G-S_Y debug Resolve _xmpps-server._tcp.joinjabber.org IN SRV
    > Aug 09 21:01:01 s2sout55b9b5612d40 debug trying to send over unauthed s2sout to joinjabber.org
    > Aug 09 21:01:01 s2sout55b9b5612d40 debug trying to send over unauthed s2sout to joinjabber.org
    > Aug 09 21:01:01 s2sout55b9b5612d40 debug trying to send over unauthed s2sout to joinjabber.org
    > Aug 09 21:01:01 s2sout55b9b5612d40 debug trying to send over unauthed s2sout to joinjabber.org
    > Aug 09 21:01:01 s2sout55b9b5612d40 debug trying to send over unauthed s2sout to joinjabber.org
    > Aug 09 21:01:01 unbound.queryVw0GSs4G-S_Y debug Results for _xmpps-server._tcp.joinjabber.org IN SRV: NXDomain (Insecure, 0.122279 sec)
    > Aug 09 21:01:01 unbound.query3_M4OwB-TfJ4 debug Resolve _xmpp-server._tcp.joinjabber.org IN SRV
    > Aug 09 21:01:02 unbound.query3_M4OwB-TfJ4 debug Results for _xmpp-server._tcp.joinjabber.org IN SRV: NXDomain (Insecure, 0.353176 sec)
    > Aug 09 21:01:02 unbound.queryqQVTCXNElgA_ debug Resolve joinjabber.org IN A
    > Aug 09 21:01:02 unbound.queryH_-tZfKjXpBL debug Resolve joinjabber.org IN AAAA
    > Aug 09 21:01:02 unbound.queryqQVTCXNElgA_ debug Results for joinjabber.org IN A: 1 items (Insecure, 0.034280 sec)
    > Aug 09 21:01:02 unbound.queryH_-tZfKjXpBL debug Results for joinjabber.org IN AAAA: 1 items (Insecure, 0.034284 sec)
    > Aug 09 21:01:02 mdosch.de:tls debug joinjabber.org is offering TLS, taking up the offer...
    > Aug 09 21:01:02 s2sout55b9b5612d40 warn Forbidding insecure connection to/from joinjabber.org because its certificate has expired
    > Aug 09 21:01:02 s2sout55b9b5612d40 debug Disconnecting mdosch.de->joinjabber.org[s2sout_unauthed], <stream:error> is: <stream:error><not-authorized xmlns='urn:ietf:params:xml:ns:xmpp-streams'/><text xmlns='urn:ietf:params:xml:ns:xmpp-streams'>Your server&apos;s certificate has expired</text></stream:error>
    > Aug 09 21:01:02 s2sout55b9b5612d40 info Outgoing s2s stream mdosch.de->joinjabber.org closed: Your server's certificate has expired
    > Aug 09 21:01:02 s2sout55b9b5612d40 debug Destroying outgoing session mdosch.de->joinjabber.org: Your server's certificate has expired
    > Aug 09 21:01:02 s2sout55b9b5612d40 info Sending error replies for 6 queued stanzas because of failed outgoing connection to joinjabber.org

    Just closed s2s and now it fails again. But weird that I got a connection in between. Maybe there was a short period where a valid cert was presented? Totally weird things going on there.

  67. moparisthebest

    Martin: ah, aaaa records! I'm not at a place where I can check IPv6, can you and see if that server has a correct cert ?

  68. taba

    > at a place where I can check IPv6

    there is no place in georgia where you can check if an ipv6 address is working i don't think

  69. Martin

    moparisthebest: Same

    > xmpp-dns -sft6 joinjabber.org
    > failure in xmpp-server lookup: lookup _xmpp-server._tcp.joinjabber.org on 192.168.178.55:53: no such host
    > failure in xmpps-server lookup: lookup _xmpps-server._tcp.joinjabber.org on 192.168.178.55:53: no such host
    > Trying fallback ports.
    >
    > xmpp-server joinjabber.org 5269
    > Priority: 0 Weight: 0
    > IP: 2a0c:f040:0:8::3b
    > Connection: [OK]
    > STartTLS: [Not OK]
    > tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2024-08-09T21:10:47+02:00 is after 2024-08-04T14:19:24Z
    >
    > xmpps-server joinjabber.org 5270
    > Priority: 0 Weight: 0
    > IP: 2a0c:f040:0:8::3b
    > Connection: [Not OK]
    > dial tcp6 [2a0c:f040:0:8::3b]:5270: connect: connection refused

  70. moparisthebest

    Alright I'm back to being out of ideas...

  71. moparisthebest

    >> at a place where I can check IPv6
    > there is no place in georgia where you can check if an ipv6 address is working i don't think

    taba: sure there is, anyplace set up with a tunnel from https://tunnelbroker.net/ (that's where I get my IPv6 from too)