XSF Discussion - 2014-03-20

  62. intosi

    Hey guys. I'm about to migrate this XMPP server to a new machine. Expect some downtime, and see you at the other side of the switch.

  63. Zash


  64. intosi

    Ah, it has.

  65. Lance has joined

  66. Ge0rG has joined

  67. Ge0rG

    awsnap. now that you rebooted the server, my admin rebooted the routers :(

  68. intosi

    Hurrah! http://logs.xmpp.org/xsf/

  69. intosi

    Thanks for your help, Zash!

  70. Zash

    yw :)

  71. intosi

    I think I re-enabled logging in all MUCs as well.

  72. Lance has joined

  73. intosi

    Owners, would appreciate if you'd check as well.

  74. intopsi has joined

  75. intopsi has left

  76. intosi


  77. intosi has left

  78. intosi has joined

  79. Kev has joined

  80. Ash has joined

  81. Ge0rG

    anyone heard of dwd recently?

  82. Ash has left

  83. Ash has joined

  84. martin.hewitt@surevine.com has joined

  85. ralphm

    intosi: the room being semi-anonymous is that a change?

  86. dwd

    Ge0rG, I have.

  87. dwd

    Ge0rG, I'm doing exciting MUC merging today, BTW.

  88. Ge0rG

    dwd: that's very exciting indeed! My MUC contributor was eagerly awaiting news from you, and asked me every few days

  89. Ge0rG

    in the meantime, I did some little fixes I actually wanted to be part of 0.8.7 but didn't have the time before the summit

  90. Ge0rG

    there will be a new fix release soon

  91. intosi

    ralphm: not deliberately.

  92. ralphm

    intosi: ok, because Gajim said that changed. I am not sure why this room would need to be semi-anonymous

  93. Zash

    I think it was before

  94. intosi checks old config

  95. dwd

    FWIW, I do wonder if the XSF room ought not to be members only and non-anonymous, but that's not something we need discuss now.

  96. ralphm

    dwd: my current opinion: no

  97. ralphm

    dwd: i.e. for the members-only part.

  98. Lloyd has joined

  99. dwd

    Right. I'd prefer the room to be non-anonymous, you see, but I worry about that if it's not also members-only.

  100. intosi

    Switching off nginx on athena. It's mostly spiders now.

  101. ralphm

    you worry too much

  102. dwd

    intosi, Spiders? Eeeek.

  103. intosi

    Yes. Some small, some huge ;)

  104. intosi

    I'm generally kind to all spiders, but no mercy today.

  105. simon has joined

  106. ralphm

    Is Tango still doing XMPP these days?

  107. Lance has joined

  108. ralphm


  109. Ge0rG

    I wonder if somebody will approach me to buy yax(.)im as well

  110. ralphm

    Ge0rG: you think it is good enough? Honest question, I am not currently using it because it doesn't do MUC.

  111. Zash

    ~$ nc -zv tango.me xmpp-client
    Connection to tango.me 5222 port [tcp/xmpp-client] succeeded!

  112. Zash

    Seems to be a HTTP server there

  113. ralphm


  114. ralphm

    they have no SRV records anyway

  115. Ge0rG

    ralphm: bug dwd about MUC :P

  116. ralphm

    Ge0rG: dodging the question?

  117. Ge0rG

    ralphm: seriously? I am using yaxim day-to-day for my mobile needs. Never needed MUC there, so I'm really fine with it. Good enough to be bought for millions? Surely not

  118. Kev

    When I'm mobile, I tend to need MUC more than 1:1.

  119. Kev


  120. Kev

    I suspect it's a usage pattern thing.

  121. intosi


  122. ralphm


  123. Ge0rG

    well, I've polished most of the issues that floated up with 0.8.7, will make 0.8.7b soon and then look into the MUC mess. I will do a call for beta testers here if you wish

  124. ralphm

    Ge0rG: I'd love to see a well-integrated client (UI wise), with MUC, that is as approachable as WhatsApp or the new Hangouts. Obviously with good battery life and all that.

  125. ralphm

    Ge0rG: if yaxim can be that, more power to you

  126. Kev

    Swift for Android!

  127. ralphm

    Kev: only if it is following the Android UI guidelines

  128. Ge0rG

    ralphm: seems like I need to actually install WhatsApp and betray my friends, just to see how it does MUC

  129. Kev

    ralphm: Right. If we did Swift for Android, it's not clear if Qt for Android would suffice as 'good enough'.

  130. Kev

    If it was, getting it running shouldn't be /too/ hard. If it wasn't, that means essentially a port, and that's not trivial.

  131. ralphm

    probably not, this is a generic problem

  132. Kev

    If only there was a straightforward way to implement the C++ interfaces in Java. As 'all' it needs is a new UI to port to other platforms.

  133. ralphm

    The new Hangouts UI for Android is growing on me

  134. ralphm

    it is pretty decent, especially now presence is more prominent (even if only boolean)

  135. Lance has joined

  136. Lance has left

  137. MattJ has joined

  138. MattJ

    I only use Yaxim

  139. MattJ

    I can't deny that there have been times I've wanted MUC (e.g. council meetings), but not often enough for me to switch to any of the alternatives (which have issues)

  140. MattJ

    intosi, thanks for migrating Prosody over :)

  141. MattJ

    It's been on my todo for a while to upgrade it

  142. intosi

    You're welcome :)

  143. intosi

    I didn't see any point in staying at 0.8

  144. Ge0rG

    MattJ: MUC participants are still not kicked on restart :(

  145. Tobias has joined

  146. Ge0rG

    hm. if I unblock the Hangouts app on my Android, I will still be a lonesome guy hanging out

  147. intosi

    MattJ: feel free to check the config. There is a warning in the logs about a module I didn't yet bother looking at about mod_console or something like that. Trivial to fix, but someone has to do it ;)

  148. MattJ

    mod_console was renamed to mod_admin_telnet, that's all

  149. intosi

    But yay: https://xmpp.net/result.php?id=23660

  150. Ge0rG

    I know I will have regrets, but now I am here, installing hangouts.

  151. intosi

    Compare to https://xmpp.net/result.php?id=20537

  152. Lloyd has left

  153. Ash has left

  154. Ge0rG

    any volunteers for a hangout?

  155. Zash

    Why is it not doing any DH?

  156. Zash

    intosi: What OS and OpenSSL versions is xmpp.net running on now?

  157. intosi

    Zash: Debian 7, openssl is stock deb7.

  158. intosi


  159. Ash has joined

  160. Zash

    But https://xmpp.net/result.php?id=23660#ciphers

  161. intosi


  162. Zash

    Did that require a newer LuaSec?

  163. Zash

    (that = ECDH)

  164. intosi

    No idea, actually ;)

  165. intosi

    I'm just glad all things run and seem to work ;)

  166. xnyhps

    IIRC you need LuaSec 0.5

  167. intosi

    These details can be fixed later.

  168. intosi

    Ah. 0.4.1-1

  169. emcho has joined

  170. intosi

    Installed lua-sec-prosody

  171. intosi

    Can this be reloaded without restarting Prosody?

  172. Zash


  173. intosi

    Bummer, dude.

  174. xnyhps

    Generating dhparam can.

  175. emcho has left

  176. Zash


  177. emcho has joined

  178. Lance has joined

  179. intosi

    I would like to leave those details to someone of the Prosody team ;)

  180. Lloyd has joined

  181. intosi

    Awesome! https://xmpp.net/result.php?domain=5222.nl&type=client

  182. intosi

    I guess the observatory doesn't stop testing after it tries to determine encryption support, but doesn't rate ;)

  183. intosi

    (I reloaded the config very soon after initiating the test because I made a typo in the config)

  184. xnyhps


  185. xnyhps

    It should stop testing when it can't determine support for any SSL or TLS version

  186. xnyhps

    But it will test all of them, even if the first results in "no starttls offered".

  187. Zash

    DANE \o/

  188. intosi

    Zash: yup ;)

  189. intosi

    I managed to convince Joker to add DNSSEC support for the .nl TLD a week or two ago.

  190. Zash


  191. Zash

    Didn't .nl have it since forever?

  192. Zash

    Or is Joker the registrar?

  193. intosi

    .nl had it forever.

  194. intosi

    Joker is the registrar I usually use.

  195. intosi

    .nl was one of the first TLDs that signed the zone, and certainly one of the domains with the highest percentage of signed zones.

  196. Zash


  197. intosi


  198. intosi

    Any idea what's causing those cert validation errors?

  199. xnyhps

    My nearby pizza place with a webpage that looks designed in 1999 has DNSSEC. Cracks me up every time.

  200. Zash

    intosi: That's because I have an empty CA store.

  201. Zash

    In order to test DANE-only validation

  202. intosi

    Ah, so that is expected :)

  203. intosi

    In that case, w00t!

  204. m&m has joined

  205. Zash

    So, DANE-only test host at dane.zash.se

  206. Ge0rG

    btw, what can I do if my domain reseller does not support / know about DNSSEC?

  207. intosi

    Inform them that you want it.

  208. intosi

    If they are nice, they will look at it.

  209. m&m

    you could try to run your own nameserver, if they allow for that

  210. m&m

    but really, either ask them nicely and frequently, or find another

  211. m&m

    Zash: is that zone signed? Or is that a server that will validate someone else's DNSSEC/DANE information?

  212. m&m is trying to figure out if a middlebox is interfering, or there aren't any signed records

  213. Ge0rG

    right. I can just host my own DNS.

  214. Zash

    m&m: Both

  215. intosi

    But you need support from your registrar to have the DS records published in the TLD zone.

  216. intosi

    You cannot rely on people using dnssec lookaside.

  217. Zash

    xnyhps: https://xmpp.net/result.php?domain=dane.zash.se&type=server why so slow?

  218. Zash

    Altho, it requires DANE

  219. Zash

    and the test server might not have that

  220. Ge0rG

    stpeter wanted to get the .im registrar to support DNSSEC... I wonder if anything happened there yet :>

  221. Zash

    Ge0rG: There was movement IIRC

  222. simon

    I heard dwd has friends in high places in .im and is working on it.

  223. m&m

    Zash: ok, it's possible your DNS updates haven't propagated far enough for me yet

  224. m&m

    they've got to cross an ocean, some plains, and start up a mountain to get to me (-:

  225. Zash

    m&m: What DNS updates exactly?

  226. Zash

    I updated DANE for that test host yesterday

  227. Ge0rG

    simon: dwd first needs to fix yaxim MUC :D

  228. m&m

    and it can take up to 48 hours for those updates to widely propagate

  229. m&m

    I'm seeing them *now*

  230. m&m

    but I wasn't a few minutes ago

  231. Zash

    DNS doesn't propagate, it expires.

  232. Ash has left

  233. m&m

    it was an imperfect word choice (-:

  234. Ash has joined

  235. simon

    I can recommend http://dnsviz.net/ for inspecting ipsec records.

  236. Zash

    Altho I have a 24 hour TTL :)

  237. m&m

    but I suspect that one or more of my upstream resolvers had already cached your zone

  238. Ash has left

  239. Ash has joined

  240. m&m

    and not all resolvers unconditionally honor the TTL

  241. Zash

    Why would they have cached records about a test server?

  242. m&m

    I know of several that will not clear their caches for 48 hours, no exceptions

  243. m&m

    they cached records about your zone

  244. m&m

    do you really want to go down this rabbit hole? (-:

  245. m&m

    I fully regret ever starting to

  246. Zash


  247. m&m

    let's just say that "zone transfer" doesn't always mean what you think

  248. m&m

    Zash: you have a not-small amount of additional info (-:

  249. xnyhps

    Zash: verse error Error: /opt/xmppoke/bin/xmppoke:3034: not-authorized: Your server's certificate is invalid, expired, or not trusted by dane.zash.se

  250. xnyhps

    Though I don't know why it gets that far, it should've closed the connection before that anyway.

  251. m&m

    simon: I think you're seeing an ISOC grant proposal in progress right now! (-:

  252. xnyhps

    Grmbl. unbound crashed, but OS X is keeping port 53 claimed.

  253. simon grabs a pen and paper. More details please m&m. "Proposal to fix permissions in xmppoke"?

  254. simon

    xnyhps: are we seeing this https://bugs.launchpad.net/ubuntu/+source/unbound/+bug/988513 ?

  255. m&m

    simon: "get prosody to do just about all of dane"?

  256. m&m

    I'm just observing what I'm seeing Zash et al hash out

  257. xnyhps

    No, I don't think xmpp.net uses forwarders.

  258. xnyhps

    I was complaining about my own machine (which was preventing me from accessing xmpp.net to fetch that log file for Zash)

  259. simon

    m&m: yes. I'd like a bit of cross-platform-ness. So that we can at least build two competing[ly incorrect] DNSSEC systems.

  266. Tobias

    emcho, what are jitsi's current noise cancellation capabilities? do you use an open lib for this? or is this included in the codecs?

  267. Santiago26 has joined

  268. stpeter

    is it safe to edit WordPress pages?

  269. stpeter

    I'd like to update http://xmpp.org/participate/become-a-member/upnp-liaison-team/ when possible

  270. Kev

    stpeter: Should be, yes.

  271. Santiago26 has left

  272. stpeter

    ok thanks

  273. stpeter

    I might have a sponsor for a new machine, BTW

  284. stpeter makes some edits to http://xmpp.org/about-xmpp/xsf/xsf-people/ while he's at it

  285. m&m


  286. stpeter


  287. m&m

    nevermind … I was getting gateway errors for the xeps, but a hard refresh seems to have fixed that

  288. Santiago26 has left

  289. ralphm

    stpeter: interesting stuff. I read that our Secretary is supposed to write minutes for Board meetings.

  290. Zash

    Say, who is this Secretary?

  291. xnyhps has left

  292. ralphm


  293. dwd

    ralphm, I'd hate to scare Alex away; he does enough as it is.

  294. ralphm

    Oh, I forgot a smiley

  295. stpeter

    ralphm: theoretically, I suppose, but I've never seen that happen (I don't remember if I did that back when I was secretary)

  296. ralphm

    I'm happy for simon to produce minutes

  297. dwd

    stpeter, You probably did, but you were also probably Board Chair and Council Chair.

  298. dwd

    (And Editor, and Treasurer, and probably Secretary too)

  299. dwd

    Oh. Ha. Realised what I wrote there.

  300. m&m

    the circle is complete

  301. ralphm

    If there is no immediate need, why not use standards@ for liaison discussions, if any?

  302. xnyhps has left

  303. xnyhps has left

  304. xnyhps has joined

  305. stpeter

    ralphm: because we're basically under NDA

  306. stpeter

    dwd: I have never been Board chair :-)

  307. stpeter

    or on the Board

  308. stpeter

    at least we kept that separation

  309. stpeter


  345. Zash

    Simon: https://www.zash.se/prosody-dane.html describes my setup

  346. Simon

    Zash: very nice.

  347. Simon

    very very nice!

  348. Simon

    is this the first working DANE setup in XMPP?

  349. Zash


  350. Simon

    I feel a blog post coming up.

  351. martin.hewitt@surevine.com has left

  352. Zash

    That's the validation part at least

  353. Zash

    https://github.com/shuque/tlsa_rdata seems easy to use

  354. Zash

    No idea why swede doesn't let you generate TLSA records from certificate files

  355. stpeter

    ah, good old shuque, I haven't talked with him in ages

  356. Zash

    Now we just need DNSSEC deployed everywhere...

  357. Simon

    zash - which selectors do you recommend to use?

  358. Simon

    +1 on universal deployment

  359. Zash

    3 0 1

  360. Zash

    Other usages are either unsupported or messy or both

  361. Zash

    Pubkey selector requires a patch to LuaSec for extracting pubkeys

  362. Zash

    And you don't want the entire cert in the record, so sha256

  363. xnyhps


  364. Zash

    Actually https://github.com/brunoos/luasec/pull/12

  365. Simon

    no more needing to run unbound?

  366. Zash

    You don't strictly need to run unbound, but there has to be a validating resolver somewhere

  367. Zash

    lua-/libunbound can do that itself if you don't set

  368. Simon

    so running my own bind 9.0 server with some sensible upstream resolvers would work?

  369. Zash

    *don't set resolvconf

  370. Zash

    I'm not familiar with bind much, but if that does DNSSEC then pointing prosody at that should work

  371. m&m wants draft-ietf-precis-nickname implemented everywhere

  372. Zash

    Implement all the things in all the things!

  373. xnyhps

    Zash: EVP_PKEY_EC confuses me.

  374. Zash

    xnyhps: You're not alone. openssl/evp.h:#define EVP_PKEY_EC NID_X9_62_id_ecPublicKey

  375. Zash

    I hope that made you more confused

  376. xnyhps

    Or is an ECDSA key equivalent to an ECDH key?

  377. m&m

    they should be

  378. Zash

    This is the kind of thing I would ask you, xnyhps. :)

  379. xnyhps

    I understand DH and RSA, but DSA not at all.

  380. Zash

    Do you know of any ECDSA keys in the wild?

  381. xnyhps

    Ah, the DSA construction uses the same stuff as DH, so it makes sense.

  382. m&m


  383. Zash


  384. m&m

    it's the same source input, just different operations

  385. m&m

    well, keying input

  386. xnyhps

    Zash: Google uses them, don't they?

  387. xnyhps

    "The connection is encrypted and authenticated using CHACHA20_POLY1305 and uses ECDHE_ECDSA as the key exchange mechanism."

  388. xnyhps

    (That was for encrypted.google.com in Chrome.)

  389. xnyhps wonders whether there are certificates with ECDH public keys out there.

  390. Zash


  391. m&m

    EC public keys

  392. xnyhps

    Oh, the public key on the certificate doesn't even distinguish between whether it's for ECDSA or ECDH?

  393. m&m

    not the key

  394. m&m

    the key usage might

  395. m&m

    (assuming one looks at KeyUsage)

  396. Lance has joined

  397. xnyhps

    Ah, yeah. That google one from Zash's link has "Digital Signature", which would mean ECDSA.

  398. Santiago26 has left

  399. m&m

    that's the intended use, at least

  400. m&m

    according to the certificate

  401. m&m

    which makes sense for the PFS algorithms

  402. Zash has left

  403. emcho has joined

  404. xnyhps

    I was wondering due to the difference in Au=ECDSA and Au=ECDH in openssl ciphers

  405. MattJ

    Consistency? OpenSSL?

  406. m&m


  419. Alex

    did smth change on the webservers regarding email sending? The wiki shows errors when sending out password resets

  420. Alex

    Error sending mail: Unknown error in PHP's mail() function.

  421. Lance has joined

  422. Kev

    The server was migrated this morning.

  423. Kev

    Email is one of the things that's not done yet.

  424. Alex

    ah, OK

  442. intosi

    Mail has been fixed on the new host.
