XMPP Service Operators - 2024-09-16


  1. Roi

    moparisthebest, I just checked. For XMPP stuff I use the dehydrated script to create new certs. There is a setting PRIVATE_KEY_RENEW="no" and I see that the private keys are only renewed from time to time. I guess because there is an expiration date.

  2. Roi

    For openim.de there is only one private key, which was created last year when I took over the domain. So 1.5 years ago.

  3. Roi

    So I am a bit lost why there is/was a problem with TLSA. When I checked everything was okay...

  4. Martin

    According to https://www.huque.com/bin/danecheck it's OK now.

  5. Roi

    Thanks for checking. It was okay yesterday at 8:25pm, too. Checked with sys4.de

  6. Roi

    No idea if there really were problems before.

  7. Martin

    >> 15.09.24 18:36:18 - mdosch.de: Establishing a secure connection from mdosch.de to openim.de failed. Certificate hash: e848346b9b635ab1f58cafe6249547aaf3a83e07b35bb6330d742a2ea38a0a45. Error with certificate 0: no matching DANE TLSA records. But seems now the hash is different:

  8. Martin

    https://files.mdosch.de/upload/2ZHq7FQBIISVtStLQ6junnM2/bIZTQhVpRoWOSHydERGT2A.jpg

  9. Menel

    Hacked!! 😉 (maybe serious?) 😂

  10. Menel

    Didn't propagate all the way to the xmpp cert checker yet https://certwatch.xmpp.net/servers

  11. Menel

    Didn't propagate all the way to the xmpp cert checker yet https://certwatch.xmpp.net/

  12. Martin

    Ah, i checked openim.de for TLSA with huque… …when checking jabber.hot-chili.net it fails indeed.

  13. Martin

    https://files.mdosch.de/upload/W-NrKRw46CmGdnQZlHevIvG3/2024-09-16-201432_grim.png

  14. moparisthebest

    Roi: so with keeping the key (good) and the record type of 3 1 1 (good: roughly, pinning the key) you don't need to change DNS records at all when renewing the cert The problem is you are using a different key for the openim.de cert and the hot-chilli.net cert but only have 1 tlsa record and therefore 1 key allowed, that's what Martin's screenshot shows The solution is to add a tlsa record for each key port 5269 on jabber.hot-chilli.net is configured to serve, once, and you never have to touch it again unless you change keys

  15. moparisthebest

    And don't forget the 2 c2s ports 5222 and 80

  16. Menel

    Yeah it's important to note that the srv target will be validated. I'm using the same key for all my certs on the same server, only one tlsa record😬

  17. moparisthebest

    Nothing wrong with that

  18. moparisthebest

    There is 0 reason to ever rotate a key unless you have reason to believe it's been compromised

  19. Roi

    > The problem is you are using a different key for the openim.de cert and the hot-chilli.net cert but only have 1 tlsa record and therefore 1 key allowed, that's what Martin's screenshot shows There should be TLSA keys for every host/service in the zone files.

  20. Roi

    I'm a little confused. What is not correct in the check Martin ran? Is there a TLSA record or is it the wrong one? Or do I need all TLSA records for every domain for port 5269? Which I would also need to check if this is set or not.

  21. Roi

    It's some time ago I set everything up here...

  22. Martin

    Roi: jabber.hot-chilli.net offers a cert with a fingerprint different from the one pinned in jabber.hot-chilli.nets TLSA records.

  23. Martin

    AFAIU. I'm also not the expert in all this TLSA DANE stuff.

  24. moparisthebest

    Roi: run `dig tlsa _5269._tcp.jabber.hot-chilli.net` I get 1 record, this is used for all connections to here, including openim.de connections

  25. Roi

    Martin, you used https://www.huque.com/bin/danecheck for the check?

  26. moparisthebest

    And whatever other domains you are hosting if they are DNSSEC enabled too

  27. Roi

    Entering jabber.hot-chilli.net, port 5269 and xmpp s2s shows green...

  28. Martin

    Roi: Yes

  29. Martin

    Funny, now it's green here as well. Earlier it failed…

  30. Roi

    moparisthebest, I do not understand. It should matter if you connect to the different domains.

  31. Roi

    Only for SSL one cert is served for all domains.

  32. moparisthebest

    Nope, go to your tool https://www.huque.com/bin/danecheck Enter jabber.hot-chili.net + 5269 up top Check XMPP s2s In service, enter jabber.hot-chili.net, this passes Now go back and leave everything the same but change service to openim.de, this fails because it serves a different cert

  33. Roi

    Martin, I just checked. The cert was last updated on August 4th. And as I reuse the key, the TLSA record should not have changed. 🤷‍♂️ As I said, I am bit of lost here. I do not understand many of the details or these do not match...

  34. Roi

    moparisthebest, But why should I change the service name and not the host name?

  35. Roi

    In Prosody there is no main vhost. So it matters to which domain you are connecting. Client and server.

  36. Roi

    Except SSL and HTTPS, there you can only provide one cert for all connection, no matter which hostname you are using.

  37. moparisthebest

    Because srv records for both openim.de and jabber.hot-chili.net point to the same right?

  38. moparisthebest

    They both point to port 5269 on jabber.hot-chilli.net

  39. Roi

    I use hostnames in the SRV records, right. Everybody does. Especially if you are running other services like web for the same hostname (domain) you have to do it that way.

  40. moparisthebest

    But from that port you are serving 2 different certs depending on domain you ask for

  41. moparisthebest

    But tlsa has only 1 key pinned

  42. Roi

    Yeah because the domain name should matter. Not where the SRV record is "forwarding" this.

  43. moparisthebest

    Nope that's not how DNSSEC/TLSA work

  44. Roi

    https://upload.jabber.hot-chilli.net:5281/file_share/600709ad-332d-4dcc-ba07-ea8bfdbf4372/2024-09-16%2020_52_38-Check%20a%20DANE%20TLS%20Service%20%e2%80%93%20Opera.png

  45. Roi

    In my eyes this is okay.

  46. moparisthebest

    That's secure delegation so connecting to openim.de with Dane uses the tlsa record at _5269._tcp.jabber.hot-chilli.net

  47. Roi

    Btw, I cannot set more than one TLSA record the way I am updating the certs and records. So that would be a big problem.

  48. moparisthebest

    You shouldn't set them when updating certs, only once then never again

  49. moparisthebest

    > https://upload.jabber.hot-chilli.net:5281/file_share/600709ad-332d-4dcc-ba07-ea8bfdbf4372/2024-09-16%2020_52_38-Check%20a%20DANE%20TLS%20Service%20%e2%80%93%20Opera.png It's not ok because your srv records don't say to connect here, so nothing does, and so nothing grabs that TLSA record

  50. Roi

    At some point the private key will expire. Then what? I would need to monitor that and update by hand. Great.

  51. moparisthebest

    So to fix your setup: 1. Remove updating TLSA records when renewing certs since they always stay the same there is no need 2. Either add multiple tlsa records to the srv target, or change all srv targets to point to their own target with their own tlsa record

  52. moparisthebest

    Private keys never expire

  53. Roi

    Thank you. But I still do not understand.

  54. Roi

    Let me check something.

  55. Roi

    Okay... I am using a hot-chilli.im account and the SRV records are the same as for any other domain here. So 5222 and 5269 points to jabber.hot-chilli.net

  56. Roi

    If I check the cert in Gajim, it should be the jabber.hot-chilli.net cert. As you said that because of the SRV record the jabber.hot-chilli.net domain is used and clients are sent there?

  57. Roi

    But I see the hot-chilli.im cert in Gajim

  58. Roi

    So if I (the client) would like to check TLSA it does not make sense to check jabber.hot-chilli.net but hot-chilli.im

  59. Roi

    Same with openim.de and so on.

  60. Roi

    Or I am really lost here and totally on the wrong train...

  61. moparisthebest

    no that is not how TLSA works

  62. moparisthebest

    I am a client or server that supports DANE, I want to connect to openim.de, so I ``` $ dig +short srv _xmpp-server._tcp.openim.de 0 0 5269 jabber.hot-chilli.net. ``` that response is signed with DNSSEC and validates, so I know I can connect to jabber.hot-chilli.net:5269, and now I will accept a cert valid for *either* openim.de *or* jabber.hot-chilli.net so I request the TLSA record for that target: ``` $ dig +short tlsa _5269._tcp.jabber.hot-chilli.net. 3 1 1 C953D7B5EA30F4D579D9F3CD6842A2A3AE3B01E9A63A4AB6E7165B25 4B074B52 ``` that's also DNSSEC signed, so now I will ensure the public key matches, but your server gives me the cert for openim.de and the public key doesn't match

  63. Roi

    That is very unpleasant.

  64. Roi

    Does it make sense from a technical point of view?

  65. moparisthebest

    the 2 ways you can fix this: 1. if ``` $ dig +short tlsa _5269._tcp.jabber.hot-chilli.net. 3 1 1 C953D7B5EA30F4D579D9F3CD6842A2A3AE3B01E9A63A4AB6E7165B25 4B074B52 3 1 1 OTHERKEYVALIDFOROPENIMDECERT 4B074B52 ``` it will just work 2. if ``` $ dig +short srv _xmpp-server._tcp.openim.de 0 0 5269 openim.de. ``` then I will grab the TLSA key for that target: ``` $ dig +short tlsa _5269._tcp.openim.de 3 1 1 C1B74D329E7766D6E8263A6251DDF7813ED558DB6D9746B5F9E64DB3 449C754E ``` and assuming it's right it'll connect

  66. Roi

    So SNI or whatever it is called here is not used?

  67. moparisthebest

    SNI is used and you hand back a different cert on the same target which is the cause of the problem, if you squint lol

  68. moparisthebest

    this makes sense because in a world where everyone uses DANE, you only need 1 cert here for unlimited domains

  69. Roi

    Okay thank you again. I still do not understand (or want to understand, as it seems that I need to do something and that it was wrong for many years), but I will take care of it. Solution number 1 sounds less worse to me at the moment...

  70. Roi

    Done. Now 5222 and 5269 for jabber.hot-chilli.net have both a lot of TLSA records.

  71. Roi

    Test still fails the way you did it - maybe caching is involved...

  72. moparisthebest

    Don't forget port 80 on server.jabber.hot....

  73. Roi

    Ah you're right

  74. Martin

    > Sep 16 21:35:48 s2sout559ce62580c0 debug connection mdosch.de->openim.de is now authenticated for openim.de \o/

    👍 1
  75. Roi

    > Don't forget port 80 on server.jabber.hot.... Thank you. Done, too.

  76. Menel

    For the future I would recommend you use https://certwatch.xmpp.net/ Roi, it's specifically made for xmpp and will exactly say what records it expects where if there is an issue

    👍 1
  77. Menel

    Only the propagation takes quite some time there

  78. Roi

    Well this checker is still not so happy about openim.de... Caching or still a config problem?

  79. Menel

    I bet caching, or slow propagation to their end. Just wait for it. Will be happy tomorrow

  80. Menel

    (because my sever is)

  81. Menel

    (because my server is)

  82. Roi

    Okay I will wait and try again tomorrow. :-)

  83. Menel

    Once it is happy, It will also tell you how to subscribw to it, so you'll get informed when even it detects a mitm / misconfiguration again

  84. Roi

    I'm not too young anymore, but I can still wait a day or two... ;-)

  85. Roi

    Menel, yeah I know. I once subscribed to jabber.hot-chilli.net and did not continue with the other domains.

  86. Roi

    I was stucked with hot-chilli.im and noticed that .im domains do not support DNSSEC. Btw, MattJ, you do not know any news about this? ;-)

  87. moparisthebest

    I will wait some hours and then check too thanks for fixing Roi , also sorry if I was poor at explaining

  88. Roi

    No I do not search the problem on your side. Thank you for your patience. :-D

  89. moparisthebest

    When you stare into the eye of DNSSEC/Dane too long I think something breaks in your brain

  90. Roi

    🤣😂

  91. moparisthebest

    Also it's super cheesy but this legitimately helped me understand this better early on https://wiki.xmpp.org/web/The_Knight

    😀 1
  92. moparisthebest

    Predates DANE but the DNSSEC part is right

  93. Menel

    Maybe it's bad somehow, but I didn't have patience with all the ports entries and just did *._tcp.xmpp_example.com for the tlsa record.

  94. Menel

    Maybe it's bad somehow, but I didn't have patience with all the ports entries and just did *._tcp.xmpp.example.com for the tlsa record. Is `*.*.*.example.com` possible btw? 😂

  95. luca

    I spent a stupid amount of time with all components and ports all with different certs and i'm honestly not sure if it was worth it

  96. luca

    But it's scripted at least /shrug