XSF Discussion - 2014-03-20

  1. intosi

    Hey guys. I'm about to migrate this XMPP server to a new machine. Expect some downtime, and see you at the other side of the switch.

  2. Zash


  3. intosi

    Ah, it has.

  4. Ge0rG

    awsnap. now that you rebooted the server, my admin rebooted the routers :(

  5. intosi

    Hurrah! http://logs.xmpp.org/xsf/

  6. intosi

    Thanks for your help, Zash!

  7. Zash

    yw :)

  8. intosi

    I think I reenabled logging in all MUCs as well.

  9. intosi

    Owners, would appreciate if you'd check as well.

  10. intosi


  11. Ge0rG

    anyone heard of dwd recently?

  12. ralphm

    intosi: the room being semi-anonymous is that a change?

  13. dwd

    Ge0rG, I have.

  14. dwd

    Ge0rG, I'm doing exciting MUC merging today, BTW.

  15. Ge0rG

    dwd: that's very exciting indeed! My MUC contributor was eagerly awaiting news from you, and asked me every few days

  16. Ge0rG

    in the meantime, I did some little fixes I actually wanted to be part of 0.8.7 but didn't have the time before the summit

  17. Ge0rG

    there will be a new fix release soon

  18. intosi

    ralphm: not deliberately.

  19. ralphm

    intosi: ok, because Gajim said that changed. I am not sure why this room would need to be semi-anonymous

  20. Zash

    I think it was before

  21. intosi checks old config

  22. dwd

    FWIW, I do wonder if the XSF room ought not to be members only and non-anonymous, but that's not something we need to discuss now.

  23. ralphm

    dwd: my current opinion: no

  24. ralphm

    dwd: i.e. for the members-only part.

  25. dwd

    Right. I'd prefer the room to be non-anonymous, you see, but I worry about that if it's not also members-only.

  26. intosi

    Switching off nginx on athena. It's mostly spiders now.

  27. ralphm

    you worry too much

  28. dwd

    intosi, Spiders? Eeeek.

  29. intosi

    Yes. Some small, some huge ;)

  30. intosi

    I'm generally kind to all spiders, but no mercy today.

  31. ralphm

    Is Tango still doing XMPP these days?

  32. ralphm


  33. Ge0rG

    I wonder if somebody will approach me to buy yax(.)im as well

  34. ralphm

    Ge0rG: you think it is good enough? Honest question, I am not currently using it because it doesn't do MUC.

  35. Zash

    ~$ nc -zv tango.me xmpp-client
    Connection to tango.me 5222 port [tcp/xmpp-client] succeeded!

  36. Zash

    Seems to be a HTTP server there

  37. ralphm


  38. ralphm

    they have no SRV records anyway

  39. Ge0rG

    ralphm: bug dwd about MUC :P

  40. ralphm

    Ge0rG: dodging the question?

  41. Ge0rG

    ralphm: seriously? I am using yaxim day-to-day for my mobile needs. Never needed MUC there, so I'm really fine with it. Good enough to be bought for millions? Surely not

  42. Kev

    When I'm mobile, I tend to need MUC more than 1:1.

  43. Kev


  44. Kev

    I suspect it's a usage pattern thing.

  45. intosi


  46. ralphm


  47. Ge0rG

    well, I've polished most of the issues that floated up with 0.8.7, will make 0.8.7b soon and then look into the MUC mess. I will do a call for beta testers here if you wish so

  48. ralphm

    Ge0rG: I'd love to see a well-integrated client (UI wise), with MUC, that is as approachable as WhatsApp or the new Hangouts. Obviously with good battery life and all that.

  49. ralphm

    Ge0rG: if yaxim can be that, more power to you

  50. Kev

    Swift for Android!

  51. ralphm

    Kev: only if it is following the Android UI guidelines

  52. Ge0rG

    ralphm: seems like I need to actually install WhatsApp and betray my friends, just to see how it does MUC

  53. Kev

    ralphm: Right. If we did Swift for Android, it's not clear if Qt for Android would suffice as 'good enough'.

  54. Kev

    If it was, getting it running shouldn't be /too/ hard. If it wasn't, that means essentially a port, and that's not trivial.

  55. ralphm

    probably not, this is a generic problem

  56. Kev

    If only there was a straightforward way to implement the C++ interfaces in Java. As 'all' it needs is a new UI to port to other platforms.

  57. ralphm

    The new Hangouts UI for Android is growing on me

  58. ralphm

    it is pretty decent, especially now presence is more prominent (even if only boolean)

  59. MattJ

    I only use Yaxim

  60. MattJ

    I can't deny that there have been times I've wanted MUC (e.g. council meetings), but not often enough for me to switch to any of the alternatives (which have issues)

  61. MattJ

    intosi, thanks for migrating Prosody over :)

  62. MattJ

    It's been on my todo for a while to upgrade it

  63. intosi

    You're welcome :)

  64. intosi

    I didn't see any point in staying at 0.8

  65. Ge0rG

    MattJ: MUC participants still are not kicked on restart :(

  66. Ge0rG

    hm. if I unblock the Hangouts app on my Android, I will be still a lonesome guy hanging out

  67. intosi

    MattJ: feel free to check the config. There is a warning in the logs about a module I didn't yet bother looking at about mod_console or something like that. Trivial to fix, but someone has to do it ;)

  68. MattJ

    mod_console was renamed to mod_admin_telnet, that's all

  69. intosi

    But yay: https://xmpp.net/result.php?id=23660

  70. Ge0rG

    I know I will have regrets, but now I am here, installing hangouts.

  71. intosi

    Compare to https://xmpp.net/result.php?id=20537

  72. Ge0rG

    any volunteers for a hangout?

  73. Zash

    Why is it not doing any DH?

  74. Zash

    intosi: What OS and OpenSSL versions is xmpp.net running on now?

  75. intosi

    Zash: Debian 7, openssl is stock deb7.

  76. intosi


  77. Zash

    But https://xmpp.net/result.php?id=23660#ciphers

  78. intosi


  79. Zash

    Did that require a newer LuaSec?

  80. Zash

    (that = ECDH)

  81. intosi

    No idea, actually ;)

  82. intosi

    I'm just glad all things run and seem to work ;)

  83. xnyhps

    IIRC you need LuaSec 0.5

  84. intosi

    These details can be fixed later.

  85. intosi

    Ah. 0.4.1-1

  86. intosi

    Installed lua-sec-prosody

  87. intosi

    Can this be reloaded without restarting Prosody?

  88. Zash


  89. intosi

    Bummer, dude.

  90. xnyhps

    Generating dhparam can.

  91. Zash


  92. intosi

    I would like to leave those details to someone of the Prosody team ;)

  93. intosi

    Awesome! https://xmpp.net/result.php?domain=5222.nl&type=client

  94. intosi

    I guess the observatory doesn't stop testing after it tries to determine encryption support, but doesn't rate ;)

  95. intosi

    (I reloaded the config very soon after initiating the test because I made a typo in the config)

  96. xnyhps


  97. xnyhps

    It should stop testing when it can't determine support for any SSL or TLS version

  98. xnyhps

    But it will test all of them, even if the first results in "no starttls offered".

  99. Zash

    DANE \o/

  100. intosi

    Zash: yup ;)

  101. intosi

    I managed to convince Joker to add DNSSEC support for the .nl TLD a week or two ago.

  102. Zash


  103. Zash

    Didn't .nl have it since forever?

  104. Zash

    Or is Joker the registrar?

  105. intosi

    .nl had it forever.

  106. intosi

    Joker is the registrar I usually use.

  107. intosi

    .nl was one of the first TLDs that signed the zone, and certainly one of the domains with the highest percentage of signed zones.

  108. Zash


  109. intosi


  110. intosi

    Any idea what's causing those cert validation errors?

  111. xnyhps

    My nearby pizza place with a webpage that looks designed in 1999 has DNSSEC. Cracks me up every time.

  112. Zash

    intosi: That's because I have an empty CA store.

  113. Zash

    In order to test DANE-only validation

  114. intosi

    Ah, so that is expected :)

  115. intosi

    In that case, w00t!

  116. Zash

    So, DANE-only test host at dane.zash.se

  117. Ge0rG

    btw, what can I do if my domain reseller does not support / know about DNSSEC?

  118. intosi

    Inform them that you want it.

  119. intosi

    If they are nice, they will look at it.

  120. m&m

    you could try to run your own nameserver, if they allow for that

  121. m&m

    but really, either ask them nicely and frequently, or find another

  122. m&m

    Zash: is that zone signed? Or is that a server that will validate someone else's DNSSEC/DANE information?

  123. m&m is trying to figure out if a middlebox is interfering, or there aren't any signed records

  124. Ge0rG

    right. I can just host my own DNS.

  125. Zash

    m&m: Both

  126. intosi

    But you need support from your registrar to have the DS records published in the TLD zone.

  127. intosi

    You cannot rely on people using dnssec lookaside.

  128. Zash

    xnyhps: https://xmpp.net/result.php?domain=dane.zash.se&type=server why so slow?

  129. Zash

    Altho, it requires DANE

  130. Zash

    and the test server might not have that

  131. Ge0rG

    stpeter wanted to get the .im registrar to support DNSSEC... I wonder if anything happened there yet :>

  132. Zash

    Ge0rG: There was movement IIRC

  133. simon

    I heard dwd has friends in high places in .im and is working on it.

  134. m&m

    Zash: ok, it's possible your DNS updates haven't propagated far enough for me yet

  135. m&m

    they've got to cross an ocean, some plains, and start up a mountain to get to me (-:

  136. Zash

    m&m: What DNS updates exactly?

  137. Zash

    I updated DANE for that test host yesterday

  138. Ge0rG

    simon: dwd first needs to fix yaxim MUC :D

  139. m&m

    and it can take up to 48 hours for those updates to widely propagate

  140. m&m

    I'm seeing them *now*

  141. m&m

    but I wasn't a few minutes ago

  142. Zash

    DNS doesn't propagate, it expires.

  143. m&m

    it was an imperfect word choice (-:

  144. simon

    I can recommend http://dnsviz.net/ for inspecting ipsec records.

  145. Zash

    Altho I have a 24 hour TTL :)

  146. m&m

    but I suspect that one or more of my upstream resolvers had already cached your zone

  147. m&m

    and not all resolvers unconditionally honor the TTL

  148. Zash

    Why would they have cached records about a test server?

  149. m&m

    I know of several that will not clear their caches for 48 hours, no exceptions

  150. m&m

    they cached records about your zone

  151. m&m

    do you really want to go down this rabbit hole? (-:

  152. m&m

    I fully regret ever starting to

  153. Zash


  154. m&m

    let's just say that "zone transfer" doesn't always mean what you think

  155. m&m

    Zash: you have a not-small amount of additional info (-:

  156. xnyhps

    Zash: verse error Error: /opt/xmppoke/bin/xmppoke:3034: not-authorized: Your server's certificate is invalid, expired, or not trusted by dane.zash.se

  157. xnyhps

    Though I don't know why it gets that far, it should've closed the connection before that anyway.

  158. m&m

    simon: I think you're seeing an ISOC grant proposal in progress right now! (-:

  159. xnyhps

    Grmbl. unbound crashed, but OS X is keeping port 53 claimed.

  160. simon grabs a pen and paper. More details please m&m. "Proposal to fix permissions in xmppoke"?

  161. simon

    xnyhps: are we seeing this https://bugs.launchpad.net/ubuntu/+source/unbound/+bug/988513 ?

  162. m&m

    simon: "get prosody to do just about all of dane"?

  163. m&m

    I'm just observing what I'm seeing Zash et al hash out

  164. xnyhps

    No, I don't think xmpp.net uses forwarders.

  165. xnyhps

    I was complaining about my own machine (which was preventing me from accessing xmpp.net to fetch that log file for Zash)

  166. simon

    m&m: yes. I'd like a bit of cross-platform-ness. So that we can at least build two competing[ly incorrect] DNSSEC systems.

  167. Tobias

    emcho, what are jitsi's current noise cancellation capabilities? do you use an open lib for this? or is this included in the codecs?

  168. stpeter

    is it safe to edit WordPress pages?

  169. stpeter

    I'd like to update http://xmpp.org/participate/become-a-member/upnp-liaison-team/ when possible

  170. Kev

    stpeter: Should be, yes.

  171. stpeter

    ok thanks

  172. stpeter

    I might have a sponsor for a new machine, BTW

  173. stpeter makes some edits to http://xmpp.org/about-xmpp/xsf/xsf-people/ while he's at it

  174. m&m


  175. stpeter


  176. m&m

    nevermind … I was getting gateway errors for the xeps, but a hard refresh seems to have fixed that

  177. ralphm

    stpeter: interesting stuff. I read that our Secretary is supposed to write minutes for Board meetings.

  178. Zash

    Say, who is this Secretary?

  179. ralphm


  180. dwd

    ralphm, I'd hate to scare Alex away; he does enough as it is.

  181. ralphm

    Oh, I forgot a smiley

  182. stpeter

    ralphm: theoretically, I suppose, but I've never seen that happen (I don't remember if I did that back when I was secretary)

  183. ralphm

    I'm happy for simon to produce minutes

  184. dwd

    stpeter, You probably did, but you were also probably Board Chair and Council Chair.

  185. dwd

    (And Editor, and Treasurer, and probably Secretary too)

  186. dwd

    Oh. Ha. Realised what I wrote there.

  187. m&m

    the circle is complete

  188. ralphm

    If there is no immediate need, why not use standards@ for liaison discussions, if any?

  189. stpeter

    ralphm: because we're basically under NDA

  190. stpeter

    dwd: I have never been Board chair :-)

  191. stpeter

    or on the Board

  192. stpeter

    at least we kept that separation

  193. stpeter


  194. Zash

    Simon: https://www.zash.se/prosody-dane.html describes my setup

  195. Simon

    Zash: very nice.

  196. Simon

    very very nice!

  197. Simon

    is this the first working DANE setup in XMPP?

  198. Zash


  199. Simon

    I feel a blog post coming up.

  200. Zash

    That's the validation part at least

  201. Zash

    https://github.com/shuque/tlsa_rdata seems easy to use

  202. Zash

    No idea why swede doesn't let you generate TLSA records from certificate files

  203. stpeter

    ah, good old shuque, I haven't talked with him in ages

  204. Zash

    Now we just need DNSSEC deployed everywhere...

  205. Simon

    zash - which selectors do you recommend to use?

  206. Simon

    +1 on universal deployment

  207. Zash

    3 0 1

  208. Zash

    Other usages are either unsupported or messy or both

  209. Zash

    Pubkey selector requires a patch to LuaSec for extracting pubkeys

  210. Zash

    And you don't want the entire cert in the record, so sha256

  211. xnyhps


  212. Zash

    Actually https://github.com/brunoos/luasec/pull/12

  213. Simon

    no more needing to run unbound?

  214. Zash

    You don't strictly need to run unbound, but there has to be a validating resolver somewhere

  215. Zash

    lua-/libunbound can do that itself if you don't set

  216. Simon

    so running my own bind 9.0 server with some sensible upstream resolvers would work?

  217. Zash

    *don't set resolvconf

  218. Zash

    I'm not familiar with bind much, but if that does DNSSEC then pointing prosody at that should work

  219. m&m wants draft-ietf-precis-nickname implemented everywhere

  220. Zash

    Implement all the things in all the things!

  221. xnyhps

    Zash: EVP_PKEY_EC confuses me.

  222. Zash

    xnyhps: You're not alone. openssl/evp.h:#define EVP_PKEY_EC NID_X9_62_id_ecPublicKey

  223. Zash

    I hope that made you more confused

  224. xnyhps

    Or is an ECDSA key equivalent to an ECDH key?

  225. m&m

    they should be

  226. Zash

    This is the kind of thing I would ask you, xnyhps. :)

  227. xnyhps

    I understand DH and RSA, but DSA not at all.

  228. Zash

    Do you know of any ECDSA keys in the wild?

  229. xnyhps

    Ah, the DSA construction uses the same stuff as DH, so it makes sense.

  230. m&m


  231. Zash


  232. m&m

    it's the same source input, just different operations

  233. m&m

    well, keying input

  234. xnyhps

    Zash: Google uses them, don't they?

  235. xnyhps

    "The connection is encrypted and authenticated using CHACHA20_POLY1305 and uses ECDHE_ECDSA as the key exchange mechanism."

  236. xnyhps

    (That was for encrypted.google.com in Chrome.)

  237. xnyhps wonders whether there are certificates with ECDH public keys out there.

  238. Zash


  239. m&m

    EC public keys

  240. xnyhps

    Oh, the public key on the certificate doesn't even distinguish between whether it's for ECDSA or ECDH?

  241. m&m

    not the key

  242. m&m

    the key usage might

  243. m&m

    (assuming one looks at KeyUsage)

  244. xnyhps

    Ah, yeah. That google one from Zash's link has "Digital Signature", which would mean ECDSA.

  245. m&m

    that's the intended use, at least

  246. m&m

    according to the certificate

  247. m&m

    which makes sense for the PFS algorithms

  248. xnyhps

    I was wondering due to the difference in Au=ECDSA and Au=ECDH in openssl ciphers

  249. MattJ

    Consistency? OpenSSL?

  250. m&m


  251. Alex

    did smth change on the webservers regarding email sending? The wiki shows errors when sending out password resets

  252. Alex

    Error sending mail: Unknown error in PHP's mail() function.

  253. Kev

    The server was migrated this morning.

  254. Kev

    Email is one of the things that's not done yet.

  255. Alex

    ah, OK

  256. intosi

    Mail has been fixed on the new host.