-
intosi
Hey guys. I'm about to migrate this XMPP server to a new machine. Expect some downtime, and see you at the other side of the switch.
-
Zash
:D
-
intosi
Ah, it has.
-
Ge0rG
awsnap. now that you rebooted the server, my admin rebooted the routers :(
-
intosi
Hurrah! http://logs.xmpp.org/xsf/
-
intosi
Thanks for your help, Zash!
-
Zash
yw :)
-
intosi
I think I reenabled logging in all MUCs as well.
-
intosi
Owners, would appreciate if you'd check as well.
-
intosi
heh
-
Ge0rG
anyone heard of dwd recently?
-
ralphm
intosi: the room being semi-anonymous is that a change?
-
dwd
Ge0rG, I have.
-
dwd
Ge0rG, I'm doing exciting MUC merging today, BTW.
-
Ge0rG
dwd: that's very exciting indeed! My MUC contributor was eagerly awaiting news from you, and asked me every few days
-
Ge0rG
in the meantime, I did some little fixes I actually wanted to be part of 0.8.7 but didn't have the time before the summit
-
Ge0rG
there will be a new fix release soon
-
intosi
ralphm: not deliberately.
-
ralphm
intosi: ok, because Gajim said that changed. I am not sure why this room would need to be semi-anonymous
-
Zash
I think it was before
- intosi checks old config
-
dwd
FWIW, I do wonder if the XSF room ought not to be members only and non-anonymous, but that's not something we need discuss now.
-
ralphm
dwd: my current opinion: no
-
ralphm
dwd: i.e. for the members-only part.
-
dwd
Right. I'd prefer the room to be non-anonymous, you see, but I worry about that if it's not also members-only.
-
intosi
Switching off nginx on athena. It's mostly spiders now.
-
ralphm
you worry too much
-
dwd
intosi, Spiders? Eeeek.
-
intosi
Yes. Some small, some huge ;)
-
intosi
I'm generally kind to all spiders, but no mercy today.
-
ralphm
Is Tango still doing XMPP these days?
-
ralphm
http://www.forbes.com/sites/parmyolson/2014/03/20/exclusive-alibaba-sinks-250-million-into-messaging-app-tango-valuing-it-at-more-than-1-billion/
-
Ge0rG
I wonder if somebody will approach me to buy yax(.)im as well
-
ralphm
Ge0rG: you think it is good enough? Honest question, I am not currently using it because it doesn't do MUC.
-
Zash
~$ nc -zv tango.me xmpp-client Connection to tango.me 5222 port [tcp/xmpp-client] succeeded!
-
Zash
Seems to be a HTTP server there
-
ralphm
odd
-
ralphm
they have no SRV records anyway
-
Ge0rG
ralphm: bug dwd about MUC :P
-
ralphm
Ge0rG: dodging the question?
-
Ge0rG
ralphm: seriously? I am using yaxim day-to-day for my mobile needs. Never needed MUC there, so I'm really fine with it. Good enough to be bought for millions? Surely not
-
Kev
When I'm mobile, I tend to need MUC more than 1:1.
-
Kev
FWIW.
-
Kev
I suspect it's a usage pattern thing.
-
intosi
Same.
-
ralphm
+1
-
Ge0rG
well, I've polished most of the issues that floated up with 0.8.7, will make 0.8.7b soon and then look into the MUC mess. I will do a call for beta testers here if you wish so
-
ralphm
Ge0rG: I'd love to see a well-integrated client (UI wise), with MUC, that is as approachable as WhatsApp or the new Hangouts. Obviously with good battery life and all that.
-
ralphm
Ge0rG: if yaxim can be that, more power to you
-
Kev
Swift for Android!
-
ralphm
Kev: only if it is following the Android UI guidelines
-
Ge0rG
ralphm: seems like I need to actually install WhatsApp and betray my friends, just to see how it does MUC
-
Kev
ralphm: Right. If we did Swift for Android, it's not clear if Qt for Android would suffice as 'good enough'.
-
Kev
If it was, getting it running shouldn't be /too/ hard. If it wasn't, that means essentially a port, and that's not trivial.
-
ralphm
probably not, this is a generic problem
-
Kev
If only there was a straightforward way to implement the C++ interfaces in Java. As 'all' it needs is a new UI to port to other platforms.
-
ralphm
The new Hangouts UI for Android is growing on me
-
ralphm
it is pretty decent, especially now presence is more prominent (even if only boolean)
-
MattJ
I only use Yaxim
-
MattJ
I can't deny that there have been times I've wanted MUC (e.g. council meetings), but not often enough for me to switch to any of the alternatives (which have issues)
-
MattJ
intosi, thanks for migrating Prosody over :)
-
MattJ
It's been on my todo for a while to upgrade it
-
intosi
You're welcome :)
-
intosi
I didn't see any point in staying at 0.8
-
Ge0rG
MattJ: MUC participants still are not kicked on restart :(
-
Ge0rG
hm. if I unblock the Hangouts app on my Android, I will be still a lonesome guy hanging out
-
intosi
MattJ: feel free to check the config. There is a warning in the logs about a module I didn't yet bother looking at about mod_console or something like that. Trivial to fix, but someone has to do it ;)
-
MattJ
mod_console was renamed to mod_admin_telnet, that's all
-
intosi
But yay: https://xmpp.net/result.php?id=23660
-
Ge0rG
I know I will have regrets, but now I am here, installing hangouts.
-
intosi
Compare to https://xmpp.net/result.php?id=20537
-
Ge0rG
any volunteers for a hangout?
-
Zash
Why is it not doing any DH?
-
Zash
intosi: What OS and OpenSSL versions is xmpp.net running on now?
-
intosi
Zash: Debian 7, openssl is stock deb7.
-
intosi
1.0.1e-2+deb7u4
-
Zash
But https://xmpp.net/result.php?id=23660#ciphers
-
intosi
Yup.
-
Zash
Did that require a newer LuaSec?
-
Zash
(that = ECDH)
-
intosi
No idea, actually ;)
-
intosi
I'm just glad all things run and seem to work ;)
-
xnyhps
IIRC you need LuaSec 0.5
-
intosi
These details can be fixed later.
-
intosi
Ah. 0.4.1-1
-
intosi
Installed lua-sec-prosody
-
intosi
Can this be reloaded without restarting Prosody?
-
Zash
No
-
intosi
Bummer, dude.
-
xnyhps
Generating dhparam can.
-
Zash
.
-
intosi
I would like to leave those details to someone of the Prosody team ;)
-
intosi
Awesome! https://xmpp.net/result.php?domain=5222.nl&type=client
-
intosi
I guess the observatory doesn't stop testing after it tries to determine encryption support, but doesn't rate ;)
-
intosi
(I reloaded the config very soon after initiating the test because I made a typo in the config)
-
xnyhps
Heh
-
xnyhps
It should stop testing when it can't determine support for any SSL or TLS version
-
xnyhps
But it will test all of them, even if the first results in "no starttls offered".
-
Zash
DANE \o/
-
intosi
Zash: yup ;)
-
intosi
I managed to convince Joker to add DNSSEC support for the .nl TLD a week or two ago.
-
Zash
Awesomeness
-
Zash
Didn't .nl have it since forever?
-
Zash
Or is Joker the registrar?
-
intosi
.nl had it forever.
-
intosi
Joker is the registrar I usually use.
-
intosi
.nl was one of the first TLDs that signed the zone, and certainly one of the domains with the highest percentage of signed zones.
-
Zash
http://q.zash.se/4ea15828.txt
-
intosi
Hmm.
-
intosi
Any idea what's causing those cert validation errors?
-
xnyhps
My nearby pizza place with a webpage that looks designed in 1999 has DNSSEC. Cracks me up every time.
-
Zash
intosi: That's because I have an empty CA store.
-
Zash
In order to test DANE-only validation
-
intosi
Ah, so that is expected :)
-
intosi
In that case, w00t!
-
Zash
So, DANE-only test host at dane.zash.se
-
Ge0rG
btw, what can I do if my domain reseller does not support / know about DNSSEC?
-
intosi
Inform them that you want it.
-
intosi
If they are nice, they will look at it.
-
m&m
you could try to run your own nameserver, if they allow for that
-
m&m
but really, either ask them nicely and frequently, or find another
-
m&m
Zash: is that zone signed? Or is that a server that will validate someone else's DNSSEC/DANE information?
- m&m is trying to figure out if a middlebox is interfering, or there aren't any signed records
-
Ge0rG
right. I just can host my own DNS.
-
Zash
m&m: Both
-
intosi
But you need support from your registrar to have the DS records published in the TLD zone.
-
intosi
You cannot rely on people using dnssec lookaside.
-
Zash
xnyhps: https://xmpp.net/result.php?domain=dane.zash.se&type=server why so slow?
-
Zash
Altho, it requires DANE
-
Zash
and the test server might not have that
-
Ge0rG
stpeter wanted to get the .im registrar to support DNSSEC... I wonder if anything happened there yet :>
-
Zash
Ge0rG: There was movement IIRC
-
simon
I heard dwd has friends in high places in .im and is working on it.
-
m&m
Zash: ok, it's possible your DNS updates haven't propagated far enough for me yet
-
m&m
they've got to cross an ocean, some plains, and a start up a mountain to get to me (-:
-
Zash
m&m: What DNS updates exactly?
-
Zash
I updated DANE for that test host yesterday
-
Ge0rG
simon: dwd first needs to fix yaxim MUC :D
-
m&m
and it can take up to 48 hours for those updates to widely propagate
-
m&m
I'm seeing them *now*
-
m&m
but I wasn't a few minutes ago
-
Zash
DNS doesn't propagate, it expires.
-
m&m
it was an imperfect word choice (-:
-
simon
I can recommend http://dnsviz.net/ for inspecting ipsec records.
-
Zash
Altho I have a 24 hour TTL :)
-
m&m
but I suspect that one or more of my upstream resolvers had already cached your zone
-
m&m
and not all resolvers unconditionally honor the TTL
-
Zash
Why would they have cached records about a test server?
-
m&m
I know of several that will not clear their caches for 48 hours, no exceptions
-
m&m
they cached records about your zone
-
m&m
do you really want to go down this rabbit hole? (-:
-
m&m
I fully regret ever starting to
-
Zash
.
-
m&m
let's just say that "zone transfer" doesn't always mean what you think
-
m&m
Zash: you have a not-small amount of additional info (-:
-
xnyhps
Zash: verse error Error: /opt/xmppoke/bin/xmppoke:3034: not-authorized: Your server's certificate is invalid, expired, or not trusted by dane.zash.se
-
xnyhps
Though I don't know why it gets that far, it should've closed the connection before that anyway.
-
m&m
simon: I think you're seeing a ISOC grant proposal in progress right now! (-:
-
xnyhps
Grmbl. unbound crashed, but OS X is keeping port 53 claimed.
- simon grabs a pen and paper. More details please m&m. "Proposal to fix permissions in xmppoke"?
-
simon
xnyhps: are we seeing this https://bugs.launchpad.net/ubuntu/+source/unbound/+bug/988513 ?
-
m&m
simon: "get prosody to do just about all of dane"?
-
m&m
I'm just observing what I'm seeing Zash et al hash out
-
xnyhps
No, I don't think xmpp.net uses forwarders.
-
xnyhps
I was complaining about my own machine (which was preventing me from accessing xmpp.net to fetch that log file for Zash)
-
simon
m&m: yes. I'd like a bit of cross-platform-ness. So that we can at least build two competing[ly incorrect] DNSSEC systems.
-
Tobias
emcho, what are jitsi's current noise cancellation capabilities? do you use an open lib for this? or is this included in the codecs?
-
stpeter
is it safe to edit WordPress pages?
-
stpeter
I'd like to update http://xmpp.org/participate/become-a-member/upnp-liaison-team/ when possible
-
Kev
stpeter: Should be, yes.
-
stpeter
ok thanks
-
stpeter
I might have a sponsor for a new machine, BTW
- stpeter makes some edits to http://xmpp.org/about-xmpp/xsf/xsf-people/ while he's at it
-
m&m
hrm
-
stpeter
yes?
-
m&m
nevermind … I was getting gateway errors for the xeps, but a hard refresh seems to have fixed that
-
ralphm
stpeter: interesting stuff. I read that our Secretary is supposed to write minutes for Board meetings.
-
Zash
Say, who is this Secretary?
-
ralphm
Alex
-
dwd
ralphm, I'd hate to scare Alex away; he does enough as it is.
-
ralphm
Oh, I forgot a smiley
-
stpeter
ralphm: theoretically, I suppose, but I've never seen that happen (I don't remember if I did that back when I was secretary)
-
ralphm
I'm happy for simon to produce minutes
-
dwd
stpeter, You probably did, but you were also probably Board Chair and Council Chair.
-
dwd
(And Editor, and Treasurer, and probably Secretary too)
-
dwd
Oh. Ha. Realised what I wrote there.
-
m&m
the circle is complete
-
ralphm
If there is no immediate need, why not use standards@ for liaison discussions, if any?
-
stpeter
ralphm: because we're basically under NDA
-
stpeter
dwd: I have never been Board chair :-)
-
stpeter
or on the Board
-
stpeter
at least we kept that separation
-
stpeter
bbiab
-
Zash
Simon: https://www.zash.se/prosody-dane.html describes my setup
-
Simon
Zash: very nice.
-
Simon
very very nice!
-
Simon
is this the first working DANE setup in XMPP?
-
Zash
Probably
-
Simon
I feel a blog post coming up.
-
Zash
That's the validation part at least
-
Zash
https://github.com/shuque/tlsa_rdata seems easy to use
-
Zash
No idea why swede doesn't let you generate TLSA records from certificate files
-
stpeter
ah, good old shuque, I haven't talked with him in ages
-
Zash
Now we just need DNSSEC deployed everywhere...
-
Simon
zash - which selectors do you recommend to use?
-
Simon
+1 on universal deployment
-
Zash
3 0 1
-
Zash
Other usages are either unsupported or messy or both
-
Zash
Pubkey selector requires a patch to LuaSec for extracting pubkeys
-
Zash
And you don't want the entire cert in the record, so sha256
-
xnyhps
https://github.com/xnyhps/luasec/commit/2dce1adc59a1bf820e71594c1ca3756a70fb9faa
-
Zash
Actually https://github.com/brunoos/luasec/pull/12
-
Simon
no more needing to run unbound?
-
Zash
You don't strictly need to run unbound, but there has to be a validating resolver somewhere
-
Zash
lua-/libunbound can do that itself if you don't set
-
Simon
so running my own bind 9.0 server with some sensible upstream resolvers would work?
-
Zash
*don't set resolvconf
-
Zash
I'm not familiar with bind much, but if that does DNSSEC then pointing prosody at that should work
- m&m wants draft-ietf-precis-nickname implemented everywhere
-
Zash
Implement all the things in all the things!
-
xnyhps
Zash: EVP_PKEY_EC confuses me.
-
Zash
xnyhps: You're not alone. openssl/evp.h:#define EVP_PKEY_EC NID_X9_62_id_ecPublicKey
-
Zash
I hope that made you more confused
-
xnyhps
Or is an ECDSA key equivalent to an ECDH key?
-
m&m
they should be
-
Zash
This is the kind of thing I would ask you, xnyhps. :)
-
xnyhps
I understand DH and RSA, but DSA not at all.
-
Zash
Do you know of any ECDSA keys in the wild?
-
xnyhps
Ah, the DSA construction uses the same stuff as DH, so it makes sense.
-
m&m
right
-
Zash
IC
-
m&m
it's the same source input, just different operations
-
m&m
well, keying input
-
xnyhps
Zash: Google uses them, don't they?
-
xnyhps
"The connection is encrypted and authenticated using CHACHA20_POLY1305 and uses ECDHE_ECDSA as the key exchange mechanism."
-
xnyhps
(That was for encrypted.google.com in Chrome.)
- xnyhps wonders whether there are certificates with ECDH public keys out there.
-
Zash
http://q.zash.se/b80cfbb1.txt
-
m&m
EC public keys
-
xnyhps
Oh, the public key on the certificate doesn't even distinguish between whether it's for ECDSA or ECDH?
-
m&m
not the key
-
m&m
the key usage might
-
m&m
(assuming one looks at KeyUsage)
-
xnyhps
Ah, yeah. That google one from Zash's link has "Digital Signature", which would mean ECDSA.
-
m&m
that's the intended use, at least
-
m&m
according to the certificate
-
m&m
which makes sense for the PFS algorithms
-
xnyhps
I was wondering due to the difference in Au=ECDSA and Au=ECDH in openssl ciphers
-
MattJ
Consistency? OpenSSL?
-
m&m
poppycock!
-
Alex
did smth change on the webservers regarding email sending? The wiki shows errors when sending out passwords resets
-
Alex
Error sending mail: Unknown error in PHP's mail() function.
-
Kev
The server was migrated this morning.
-
Kev
Email is one of the things that's not done yet.
-
Alex
ah, OK
-
intosi
Mail has been fixed on the new host.