XMPP Service Operators - 2024-12-25


  2. Jerry

    Hi. I'm hosting an XMPP server (https://chat.between-us.online) using Prosody 0.12.4. I'm failing the XEP-0368 compliance test and I just can't find a way to pass it. I'm hoping someone can help me. First, the instructions at the site are outdated. It says to use "legacy_ssl_ports = { 5223 }" which Prosody no longer supports (it gives me an error). The error message I get from Prosody says to instead use "c2s_direct_tls_ports = { 5223 }", which I am using. The compliance instructions also say, "Add _xmpps-client._tcp SRV records to your DNS for this port", which I did: host -t SRV _xmpps-client._tcp.between-us.online. + Result: _xmpps-client._tcp.between-us.online has SRV record 0 5 5223 chat.between-us.online. Since I'm using a sub-domain, I also added one for that chat sub-domain: host -t SRV _xmpps-client._tcp.chat.between-us.online. Result: xmpps-client._tcp.between-us.online has SRV record 0 5 5223 chat.between-us.online. Does anyone know why I'm still failing this compliance test? Thanks!!

  3. Kris

    https://kingant.net/check_xmpp_dns/

  4. Jerry

    > https://kingant.net/check_xmpp_dns/ Thanks, Kris. When I enter "chat.between-us.online" into the page, the results appear as I expect. So, I still don't know why I see the test failing at https://compliance.conversations.im/server/chat.between-us.online/ I know I'm missing something, but no idea what.

  5. Kris

    Maybe double-check your firewall config for the extra open ports?

  6. Menel

    Jerry: it may be you need an s2s direct TLS port too for it to pass

  7. Jerry

    > Maybe double-check your firewall config for the extra open ports? Actually, the information at the website you've provided might have a clue. It mentions that this is for "Direct TLS". In Gajim, when I do an advanced sign up and I specify "Direct TLS" on port 5223, it's failing. Based on what I read, it should work.

  8. Jerry

    > Jerry: it may be you need an s2s direct TLS port too for it to pass Hmm. I'll try it.

  9. MattJ

    Also, just a general warning that that "compliance" tester is out of date and unmaintained. The HTTP/CORS test also usually fails, but it is due to a bug in the tester.

  10. Kris

    Wasn't there a nlnet funded project to update and move it under the XSF?

  11. Jerry

    > Also, just a general warning that that "compliance" tester is out of date and unmaintained. The HTTP/CORS test also usually fails, but it is due to a bug in the tester. This is the other test I'm failing. I've been talking to Melvin Keskin from kde.org who maintains the list of instances that achieve compliance. He just told me to reach out to Prosody support.

  13. Jerry

    > Maybe double-check your firewall config for the extra open ports? It's working now! And I'm showing 100% compliance, even though the CORS check is still failing. Pointing me to that SRV test website was all I needed. It explained that port 5223 was direct TLS. Then when I tried signing up with Gajim using port 5223 with Direct TLS it said it couldn't connect. Then I ran "openssl s_client -connect chat.between-us.online:5223" and saw that the negotiation failed because of a certificate issue. I moved the ssl = {} certificate information in the Prosody configuration file from the virtual host section to the global section and everything started working. Thank you Kris, for giving me the push that got me onto the right path! Thank you everyone for helping me so quickly!

  14. Kris

    Great, glad I could help even though I did very little 😅

  15. moparisthebest

    Jerry: note direct TLS on 5223 is basically useless, you want it on 443 for maximum firewall avoidance

    👍 1