XSF Discussion - 2014-03-20

Hey guys. I'm about to migrate this XMPP server to a new machine. Expect some downtime, and see you at the other side of the switch.

:D

Ah, it has.

awsnap. now that you rebooted the server, my admin rebooted the routers :(

Hurrah! http://logs.xmpp.org/xsf/

Thanks for your help, Zash!

yw :)

I think I reenabled logging in all MUCs as well.

Owners, would appreciate if you'd check as well.

heh

anyone heard of dwd recently?

intosi: the room being semi-anonymous is that a change?

Ge0rG, I have.

Ge0rG, I'm doing exciting MUC merging today, BTW.

dwd: that's very exciting indeed! My MUC contributor was eagerly awaiting news from you, and asked me every some days

in the meantime, I did some little fixes I actually wanted to be part of 0.8.7 but didn't have the time before the summit

there will be a new fix release soon

ralphm: not deliberately.

intosi: ok, because Gajim said that changed. I am not sure why this room would need to be semi-anonymous

I think it was before

FWIW, I do wonder if the XSF room ought not to be members only and non-anonymous, but that's not something we need discuss now.

dwd: my current opinion: no

dwd: i.e. for the members-only part.

Right. I'd prefer the room to be non-anonymous, you see, but I worry about that if it's not also members-only.

Switching off nginx on athena. It's mostly spiders now.

you worry too much

intosi, Spiders? Eeeek.

Yes. Some small, some huge ;)

I'm generally kind to all spiders, but no mercy today.

Is Tango still doing XMPP these days?

http://www.forbes.com/sites/parmyolson/2014/03/20/exclusive-alibaba-sinks-250-million-into-messaging-app-tango-valuing-it-at-more-than-1-billion/

I wonder if somebody will approach me to buy yax(.)im as well

Ge0rG: you think it is good enough? Honest question, I am not currently using it because it doesn't do MUC.

~$ nc -zv tango.me xmpp-client Connection to tango.me 5222 port [tcp/xmpp-client] succeeded!

Seems to be a HTTP server there

odd

they have not SRV records any way

ralphm: bug dwd about MUC :P

Ge0rG: dodging the question?

ralphm: seriously? I am using yaxim day-to-day for my mobile needs. Never needed MUC there, so I'm really fine with it. Good enough to be bought for millions? Surely not

When I'm mobile, I tend to need MUC more than 1:1.

FWIW.

I suspect it's a usage pattern thing.

Same.

+1

well, I've polished most of the issues that floated up with 0.8.7, will make 0.8.7b soon and then look into the MUC mess. I will do a call for beta testers here if you wish so

Ge0rG: I'd love to see a well-integrated client (UI wise), with MUC, that is as approachable as WhatsApp or the new Hangouts. Obviously with good battery life and all that.

Ge0rG: if yaxim can be that, more power to you

Swift for Android!

Kev: only if it is following the Android UI guidelines

ralphm: seems like I need to actually install WhatsApp and betray my friends, just to see how it does MUC

ralphm: Right. If we did Swift for Android, it's not clear if Qt for Android would suffice as 'good enough'.

If it was, getting it running shouldn't be /too/ hard. If it wasn't, that means essentially a port, and that's not trivial.

probably not, this is a generic problem

If only there was a straightforward way to implement the C++ interfaces in Java. As 'all' it needs is a new UI to port to other platforms.

The new Hangouts UI for Android is growing on me

it is pretty decent, especially now presence is more prominent (even if only boolean)

I only use Yaxim

I can't deny that there have been times I've wanted MUC (e.g. council meetings), but not often enough for me to switch to any of the alternatives (which have issues)

intosi, thanks for migrating Prosody over :)

It's been on my todo for a while to upgrade it

You're welcome :)

I didn't see any point in staying at 0.8

MattJ: MUC participants still are not kicked on restart :(

hm. if I unblock the Hangouts app on my Android, I will be still a lonesome guy hanging out

MattJ: feel free to check the config. There is a warning in the logs about a module I didn't yet bother looking at about mod_console or something like that. Trivial to fix, but someone has to do it ;)

mod_console was renamed to mod_admin_telnet, that's all

But yay: https://xmpp.net/result.php?id=23660

I know I will have regrets, but now I am here, installing hangouts.

Compare to https://xmpp.net/result.php?id=20537

any volunteers for a hangout?

Why is it not doing any DH?

intosi: What OS and OpenSSL versions is xmpp.net running on now?

Zash: Debian 7, openssl is stock deb7.

1.0.1e-2+deb7u4

But https://xmpp.net/result.php?id=23660#ciphers

Yup.

Did that require a newer LuaSec?

(that = ECDH)

No idea, actually ;)

I'm just glad all things run and seem to work ;)

IIRC you need LuaSec 0.5

These details can be fixed later.

Ah. 0.4.1-1

Installed lua-sec-prosody

Can this be reloaded without restarting Prosody?

No

Bummer, dude.

Generating dhparam can.

.

I would like to leave those details to someone of the Prosody team ;)

Awesome! https://xmpp.net/result.php?domain=5222.nl&type=client

I guess the observatory doesn't stop testing after it tries to determine encryption support, but doesn't rate ;)

(I reloaded the config very soon after initiating the test because I made a typo in the config)

Heh

It should stop testing when it can't determine support for any SSL or TLS version

But it will test all of them, even if the first results in "no starttls offered".

DANE \o/

Zash: yup ;)

I managed to convince Joker to add DNSSEC support for the .nl TLD a week or two ago.

Awesomeness

Didn't .nl have it since forever?

Or is Joker the registrar?

.nl had it forever.

Joker is the registrar I usually use.

.nl was one of the first TLDs that signed the zone, and certainly one of the domains with the highest percentage signed zones.

http://q.zash.se/4ea15828.txt

Hmm.

Any idea what's causing those cert validation errors?

My nearby pizza place with a webpage that looks designed in 1999 has DNSSEC. Cracks me up every time.

intosi: That's because I have an empty CA store.

In order to test DANE-only validation

Ah, so that is expected :)

In that case, w00t!

So, DANE-only test host at dane.zash.se

btw, what can I do if my domain reseller does not support / know about DNSSEC?

Inform them that you want it.

If they are nice, they will look at it.

you could try to run your own nameserver, if they allow for that

but really, either ask them nicely and frequently, or find another

Zash: is that zone signed? Or is that a server that will validate someone else's DNSSEC/DANE information?

right. I just can host my own DNS.

m&m: Both

But you need support from your registrar to have the DS records published in the TLD zone.

You cannot rely on people using dnssec lookaside.

xnyhps: https://xmpp.net/result.php?domain=dane.zash.se&type=server why so slow?

Altho, it requires DANE

and the test server might not have that

stpeter wanted to get the .im registrar to support DNSSEC... I wonder if anything happened there yet :>

Ge0rG: There was movement IIRC

I heard dwd has friends in high places in .im and is working on it.

Zash: ok, it's possible your DNS updates haven't propagated far enough for me yet

they've got to cross an ocean, some plains, and a start up a mountain to get to me (-:

m&m: What DNS updates exactly?

I updated DANE for that test host yesterday

simon: dwd first needs to fix yaxim MUC :D

and it can take up to 48 hours for those updates to widely propagate

I'm seeing them *now*

but I wasn't a few minutes ago

DNS doesn't propagate, it expires.

it's was an imperfect word choice (-:

I can recommend http://dnsviz.net/ for inspecting ipsec records.

Altho I have a 24 hour TTL :)

but I suspect that one or more of my upstream resolvers had already cached your zone

and not all resolvers unconditionally honor the TTL

Why would they have cached records about a test server?

I know of several that will not clear their caches for 48 hours, no exceptions

they cached records about your zone

do you really want to go down this rabbit hole? (-:

I fully regret ever starting to

.

let's just say that "zone transfer" doesn't always mean what you think

Zash: you have a not-small amount of additional info (-:

Zash: verse error Error: /opt/xmppoke/bin/xmppoke:3034: not-authorized: Your server's certificate is invalid, expired, or not trusted by dane.zash.se

Though I don't know why it gets that far, it should've closed the connection before that anyway.

simon: I think you're seeing a ISOC grant proposal in progress right now! (-:

Grmbl. unbound crashed, but OS X is keeping port 53 claimed.

xnyhps: are we seeing this https://bugs.launchpad.net/ubuntu/+source/unbound/+bug/988513 ?

simon: "get prosody to do just about all of dane"?

I'm just observing what I'm seeing Zash et al hash out

No, I don't think xmpp.net uses forwarders.

I was complaining about my own machine (which was preventing me from accessing xmpp.net to fetch that log file for Zash)

m&m: yes. I'd like a bit of cross-platform-ness. So that we can at least build two competing[ly incorrect] DNSSEC systems.

emcho, what are jitsi's current noise cancellation capabilities? do you use an open lib for this? or is this included in the codecs?

is it safe to edit WordPress pages?

I'd like to update http://xmpp.org/participate/become-a-member/upnp-liaison-team/ when possible

stpeter: Should be, yes.

ok thanks

I might have a sponsor for a new machine, BTW

hrm

yes?

nevermind … I was getting gateway errors for the xeps, but a hard refresh seems to have fixed that

stpeter: interesting stuff. I read that our Secretary is supposed to write minutes for Board meetings.

Say, who is this Secretary?

Alex

ralphm, I'd hate to scare Alex away; he does enough as it is.

Oh, I forgot a smiley

ralphm: theoretically, I suppose, but I've never seen that happen (I don't remember if I did that back when I was secretary)

I'm happy for simon to produce minutes

stpeter, You probably di, but you were also probably Board Chair and Council Chair.

(And Editor, and Treasurer, and probably Secretary too)

Oh. Ha. Realised what I wrote there.

the circle is complete

If there is no immediate need, why not use standards@ for liason discussions, if any?

ralphm: because we're basically under NDA

dwd: I have never been Board chair :-)

or on the Board

at least we kept that separation

bbiab

Simon: https://www.zash.se/prosody-dane.html describes my setup

Zash: very nice.

very very nice!

is this the first working DANE setup in XMPP?

Probably

I feel a blog post coming up.

That's the validation part at least

https://github.com/shuque/tlsa_rdata seems easy to use

No idea why swede doesn't let you generate TLSA records from certificate files

ah, good old shuque, I haven't talked with him in ages

Now we just need DNSSEC deployed everywhere...

zash - which selectors do you recommend to use?

+1 on universal deployment

3 0 1

Other usages are either unsupported or messy or both

Pubkey selector requires a patch to LuaSec for extracting pubkeys

And you don't want the entire cert in the record, so sha256

https://github.com/xnyhps/luasec/commit/2dce1adc59a1bf820e71594c1ca3756a70fb9faa

Actually https://github.com/brunoos/luasec/pull/12

no more needing to run unboud?

You don't strictly need to run unbound, but there has to be a validating resolver somewhere

lua-/libunbound can do that itself if you don't set

so running my own bind 9.0 server with some sensible upstream resolvers would work?

*don't set resolvconf

I'm not familiar with bind much, but if that does DNSSEC then pointing prosody at that shoul dwork

Implement all the things in all the things!

Zash: EVP_PKEY_EC confuses me.

xnyhps: You're not alone. openssl/evp.h:#define EVP_PKEY_EC NID_X9_62_id_ecPublicKey

I hope that made you more confused

Or is an ECDSA key equivalent to an ECDH key?

they should be

This is the kind of thing I would ask you, xnyhps. :)

I understand DH and RSA, but DSA not at all.

Do you know of any ECDSA keys in the wild?

Ah, the DSA construction uses the same stuff as DH, so it makes sense.

right

IC

it's the same source input, just different operations

well, keying input

Zash: Google uses them, don't they?

"The connection is encrypted and authenticated using CHACHA20_POLY1305 and uses ECDHE_ECDSA as the key exchange mechanism."

(That was for encrypted.google.com in Chrome.)

http://q.zash.se/b80cfbb1.txt

EC public keys

Oh, the public key on the certificate doesn't even distinguish between whether it's for ECDSA or ECDH?

not the key

the key usage might

(assuming one looks at KeyUsage)

Ah, yeah. That google one from Zash's link has "Digital Signature", which would mean ECDSA.

that's the intended use, at least

according to the certificate

which makes sense for the PFS algorithms

I was wondering due to the difference in Au=ECDSA and Au=ECDH in openssl ciphers

Consistency? OpenSSL?

poppycock!

did smth change on the webservers regarding email sending? The wiki shows errors when sending out passwords resets

Error sending mail: Unknown error in PHP's mail() function.

The server was migrated this morning.

Email is one of the things that's not done yet.

ah, OK

Mail has been fixed on the new host.