Ge0rG: Fortunately, MUC is easy to implement. https://wiki.xmpp.org/web/XEP-Remarks/XEP-0045:_Multi-User_Chat#Matching_Your_Reflected_Message
Martin has joined
uch has joined
ralphm has left
Alex has joined
goffi: Do we have any XEP/way to do item ordering besides using a specific element (e.g. <order>123</order>) and a MAM query?
goffi: I don't think so, but just in case I've missed something.
lskdjf has joined
ralphm has joined
Martin has left
Martin has joined
uch has joined
sonny has joined
jubalh has left
suzyo has joined
blabla has left
Martin has left
jubalh has joined
jubalh has left
jubalh has joined
Martin has joined
blabla has left
ralphm has left
jubalh has joined
jubalh has joined
ralphm has left
uch has joined
uch has joined
blabla has joined
moparisthebest has joined
jubalh has left
uch has joined
uch has joined
Guus has left
Guus has left
Alex has left
jere has joined
uch has joined
nyco has left
ralphm has joined
vanitasvitae has left
uch has joined
remko has joined
jubalh has joined
nyco has left
vanitasvitae has joined
jubalh has left
uch has joined
lskdjf has joined
lskdjf has joined
ralphm has joined
uch has joined
Dave Cridland has left
ralphm has left
zinid has left
la|r|ma has joined
SaltyBones has joined
ralphm has left
suzyo has joined
Martin has left
lumi has joined
boothj5 has joined
Alex has joined
efrit has left
boothj5 has left
remko has left
jere has joined
lumi has left
ralphm has left
lskdjf has joined
moparisthebest has joined
remko has joined
hannes has joined
moparisthebest has joined
remko has left
lskdjf has joined
remko has joined
jonasw has left
Martin has joined
sonny has joined
bra has left
bra has joined
mimi89999 has joined
ralphm has joined
sonny has joined
tux has left
Alex has left
Alex has joined
Martin has left
Tobias has joined
sonny has left
Tobias has joined
Martin has left
bra has left
bra has joined
Martin has joined
blabla has joined
jjrh has left
zinid has left
jjrh has left
SaltyBones: So, why is it that a group chat with Jabber doesn't give me the messages that I missed when I come back online?
SaltyBones: It seems there are some related mechanisms in place.
MattJ: There are two mechanisms for that.
SaltyBones: And of course for some sorts of chat rooms it doesn't really make sense...
moparisthebest: SaltyBones: it does if MAM is enabled on the MUC.
jonasw: moparisthebest, and the client supports it.
SaltyBones: *and you don't want crypto*
jonasw: that's false
moparisthebest: SaltyBones: nope, works fine with crypto
jonasw: OMEMO should work fine with archives
SaltyBones: That's what I heard. :)
jere has joined
jonasw: OTR won't
moparisthebest: Also PGP
jonasw: GPG too, yes
moparisthebest: OTR doesn't work in MUCs at all
SaltyBones: jonasw, but then the archive will contain the decrypted messages or something, right?
moparisthebest: No
jonasw: SaltyBones, no
SaltyBones: Hm.
SaltyBones: So what you're saying is: everything should totally work. :)
jonasw: iff both client and server support MAM
moparisthebest: and it's enabled on the MUC
SaltyBones: I am currently trying to figure that out.
SaltyBones: But neither Gajim nor Conversations seem to be very helpful. :)
zinid: And what about forward secrecy?
SaltyBones: zinid, probably broken, cannot imagine any other way
moparisthebest: no, that depends on the encryption method
moparisthebest: none with PGP, works as expected with OMEMO
SaltyBones: are there any clients that can display if a MUC has MAM, or is that server-side info only?
moparisthebest: that is, each device can decrypt each message exactly once
moparisthebest: clients know, not sure if any display it
zinid: How will you decode a message from the archive encrypted with forward secrecy?
moparisthebest: (they have to know, to know whether they can MAM query or not)
SaltyBones: wait, is MAM not the same as server-side history?
moparisthebest: as MattJ said there are 2 methods, so depending on what you mean, probably not
moparisthebest: you want MAM though, the other isn't guaranteed to be complete
SaltyBones: there are two MAMs?
jjrh has left
Ge0rG: who wants forward secrecy anyway?
Ge0rG: it's even worse than cryptographic deniability.
moparisthebest: dissidents, so I hear
suzyo has joined
SaltyBones: Ge0rG, almost nobody, but a lot of people want it on principle, including me. :)
moparisthebest: forward secrecy is actually useful, unlike deniability imho
Ge0rG: SaltyBones: a lot of people have no clue.
MattJ: SaltyBones, method #1 is a simple cache of recent messages in the room. The MUC tends to send it to you by default, though clients can (and do) filter it.
moparisthebest: point being it works fine with MUC + MAM
moparisthebest: Ge0rG, clearly written by an NSA plant
MattJ: SaltyBones, it's almost universal, but doesn't actually need client support - the recent messages are always just sent to you (most servers default to 20 or so)
SaltyBones: Ge0rG, I would agree if I thought that one of them was good enough.
moparisthebest: s/NSA/GOV_OF_YOUR_CHOICE_HERE/
MattJ: SaltyBones, which is enough to get some context on an ongoing conversation
SaltyBones: MattJ, yeah, that mechanism is pretty obvious in Gajim...
Ge0rG: OMEMO is bad because you can't bind a cryptographic identity to a JID in any strong way.
MattJ: SaltyBones, there's a second method (MAM), which requires explicit client and server (i.e. MUC server) support, and supports fine-grained sync, ensuring that you can achieve a full sync of all messages that happened while you were out of the room
jonasw: MattJ, unless the server keeps CSN and other useless things in the history ;-)
MattJ: One client's useless is another client's treasure
SaltyBones: Ge0rG, I think that article is mostly crap, but I would be interested in discussing. ;)
jjrh has left
moparisthebest: > Ge0rG: OMEMO is bad because you can't bind a cryptographic identity to a JID in any strong way.
moparisthebest: uh, and what ways do allow you to do that?
moparisthebest: I think, none actually
Ge0rG: moparisthebest: things like Tox, where your ID is your public key
moparisthebest: that's fine if you are talking about an entirely different protocol
Zash: Something something triangle
moparisthebest: that eats battery and is unsuitable for mobile
SaltyBones: IBE requires a trusted third party, which I find generally undesirable
Ge0rG: Zash: something something blockchain
SaltyBones: BLOCKCHAIN!
SaltyBones: The funny thing is, blockchain derivatives are actually useful for PKI
moparisthebest: I can feel my synergies aligning already, let's get an IPO and some angel funding asap
SaltyBones: Hm... I am totally in the mood for discussing everything, but I have to get some more work done. :/
jjrh has left
zinid: moparisthebest: I think it's possible to avoid battery consumption with help from very simple relays
moparisthebest: let me fix that title s/The Creator of Signal Has a Plan to Fix Cryptocurrency/The Creator of Signal Has a Plan to Finish Construction of His Money Fort/
lskdjf has left
SaltyBones: cryptocurrencies are bullshit :p
zinid: moparisthebest: but I'm told he is a hero, you're just jealous
lskdjf has left
lskdjf has left
lskdjf has left
suzyo has joined
lskdjf has left
Ge0rG: moparisthebest, SaltyBones: seriously though: OMEMO is attempting to work around the problem that JIDs are not cryptographic entities, and there will never be a perfect alignment of them.
Ge0rG: if you want E2EE without metadata leaks, XMPP is not the right tool. Have a look at something like https://briarproject.org/ instead.
Ge0rG: If you want XMPP, just give up hiding your metadata and accept reality.
Ge0rG: And once you've realized that, the added benefit of E2EE is minuscule.
valo has joined
SaltyBones: The benefit of E2E is minuscule when there is metadata leakage?
SaltyBones: I completely disagree. :)
lskdjf has left
ralphm has left
zinid has left
jubalh has joined
jonasw: I'd argue that the benefit of E2EE should be minuscule, since ideally we'd have friends & family servers exclusively
MattJ: Agreed
MattJ: I don't think it's completely pointless in any scenario, but trusted servers buy you a whole lot more
SaltyBones: That's an interesting point...
SouL: This will not be the case, at least not in the near future D:
MattJ: On the other hand some people really value anonymity, which goes in completely the other direction - we should just have an internet full of servers, random JIDs, and use E2EE for identity proof and encryption
SaltyBones: Given that most murders are committed by spouses or whatever, maybe friends and family servers should be less trusted. :)
Ge0rG: SaltyBones: so if I know my wife's password and lock screen pattern, she's still safe, right?
SaltyBones: It's not a good idea to argue against securing one part of a system because another part of the system might be insecure. If your wife has an affair, maybe she will change her lock screen pattern...
vanitasvitae has joined
Ge0rG: SaltyBones: in that case I can beat her up. (playing the devil's advocate here, obviously)
Ge0rG: SaltyBones: also I can still see which JIDs are on her roster.
Ge0rG: "So, who is sexy_patrick69@swissjabber.li?"
SaltyBones: Come on, these are all incredibly weak arguments that you can immediately invalidate by yourself.
ralphm has joined
SaltyBones: This is not a useful discussion. :)
SaltyBones: How do you know you have to beat her up? Just because she changed her lock screen?
Ge0rG: SaltyBones: sure
SaltyBones: Maybe the guy she's seeing is a colleague from work and it's perfectly normal for them to talk
Ge0rG: SaltyBones: how much do you know about abusive partners?
SaltyBones: Abusive partners are not the only adversaries, and abusive partners probably also come in all sorts of degrees
Ge0rG: SaltyBones: so you don't even know the attacker model you want protection from?
SaltyBones: I trust my co-admin not to read my messages; I still prefer that he simply cannot when I use OMEMO
boothj5 has joined
SouL: SaltyBones, yeah, I agree.
SouL: Even if I don't use OMEMO myself
SaltyBones: I have a sufficiently good idea of my attacker model, but it's not formally defined ;)
Ge0rG: SaltyBones: I don't say that E2EE is generally bad. I merely say that it has a cost attached, and that cost is the inability to restore archives, various synchronisation problems (why can't I receive messages) and multi-client woes.
Ge0rG: SaltyBones: so for the general audience, OMEMO does more harm than good.
SaltyBones: and I also like that even if my server gets owned I can still send account data and scans of legal documents to people without worrying where they might end up
Ge0rG: And I haven't even started to talk about the two incompatible flavors of OMEMO.
SaltyBones: Ge0rG, oh I completely agree that OMEMO isn't great, but OMEMO is an implementation of E2E, not the definition.
vanitasvitae has left
vanitasvitae has left
SaltyBones: Actually, GPG probably has much better usability whilst also protecting against the attacker model we just discussed
Ge0rG: SaltyBones: don't even get me started about the usability of GPG
SaltyBones: :D
SamWhited: "GPG probably has much better usability" is not something anyone has ever said with a straight face before :)
SaltyBones: only people who haven't tried ;D
Ge0rG: SaltyBones: so you haven't tried? Noted.
Ge0rG: "But I want OMEMO in the browser, and I want to access my archive!"
SaltyBones: No, GPG is death by key management...
Ge0rG: SaltyBones: OMEMO is also death by key management..
Ge0rG: or death by `adb backup`, which is even worse.
SaltyBones: Ge0rG, Signal however, is not
SaltyBones: and actually OMEMO works okay
SaltyBones: you have to consider that even if you don't ever validate anything, it still protects against passive adversaries
ralphm has joined
vanitasvitae has joined
Ge0rG: SaltyBones: against passive adversaries who have admin access to your server and want to know more than just your metadata.
Ge0rG: and then it's just a command or two to add another key to your identity.
uchas joined
SaltyBones: Yes, and a warning will pop up that you can choose to not ignore, and also they cannot read the history...
SaltyBones: And that's total shit, I agree.
Ge0rG: My problem really is that with OMEMO, you have 3+x identities: your JID, your display name, and a number of device keys.
Ge0rG: and those aren't linked in any cryptographically significant way.
SaltyBones: Actually, I don't care much about JID and username... but there should only be one key
SaltyBones: Hm.. what kind of linking are you thinking about?
MattJ: One key => key management becomes a real pain
MattJ: In the real world, people lose their phones
Zash: One key per what?
Ge0rG: MattJ: yeah, but what about key cross-signing? If I buy a new device before the previous one is broken, I sign my new key with the old one and my friends auto-trust it
SaltyBones: yeah, that
MattJ: if
lumi has joined
Ge0rG: Is the JID encoded in the public key cert?
Ge0rG: or can I use the same OMEMO key on different JIDs?
Zash: What we need is more X.509!
Ge0rG: what's my identity? The JID or the pubkey?
SaltyBones: Zash, wait here, I'll get my pitchfork.
MattJ: On the one hand you're talking about making XMPP easier to use. On the other hand you're talking about asking family members to perform key cross-signing
Zash: What is identity?
MattJ: Your identity is the JID, simple
vanitasvitae has left
vanitasvitae has left
MattJ: So just keep it that way
SaltyBones: gngngngn
SaltyBones: what
SaltyBones: stop
SaltyBones: the identity is the key!
SaltyBones: :)
Ge0rG: MattJ: "scan your old device with your new device to auto-configure your jabbers"
MattJ: Ge0rG, the old device is broken, stolen or lost
Holger: Ge0rG: I do WHAT?!
Holger: Ge0rG: Can't we just use WhatsApp please?! That just works!!!
SaltyBones: Yeah, or just get a pop-up: "You want to add a new device. Please confirm!" on the old phone
Ge0rG: SaltyBones: yeah
MattJ: 90% of the phone upgrades in my family have been in response to breakage, loss or theft - not planned upgrades
jubalh has joined
SaltyBones: MattJ, that's fine, then just let them also create a new key....
Ge0rG: MattJ: now we are back to the attacker model. Are we talking about trust-by-default in the general population or about secure messaging for dissidents?
MattJ: I'm talking about the general population
vanitasvitae has joined
Ge0rG: "Where's my chat history???"
MattJ: Niche markets will help themselves, they always do
Ge0rG: E2EE just doesn't work for family chats.
Zash: Trust in the server, the server is good.
suzyo has left
Ge0rG: that's the next thing. The server can completely strip out the OMEMO identification on your comms. What then?
vanitasvitae has left
vanitasvitae has left
MattJ: Use a different server and/or don't communicate
MattJ: This is not a novel problem
MattJ: Routers can (and in some cases do) drop TLS handshake packets
Ge0rG: Yes, but OMEMO isn't mandatory on XMPP :P
jonasw: Ge0rG, E2EE seems to work for WhatsApp though
SaltyBones: And Signal
SaltyBones: and for my bloody family even OMEMO works ;)
Holger: Because no verification. And no PEP!
SaltyBones: of course I just tell them to shut up when they complain ;)
vanitasvitae has joined
Kev: jonasw: "works" is relative, though.
jonasw: Kev, in how far?
SaltyBones: Holger, PEP?
Kev: In as much as the WhatsApp multi-account story is far worse than XMPP's, and I hate losing messages, and etc.
Holger: SaltyBones: Well, OMEMO uses PEP for distribution of pubkeys, and that keeps falling apart.
pep.: https://www.reddit.com/r/whatsapp/comments/68sgmx/google_drive_backup_encrypted/dh1w7j3/ "This is where you are wrong"
ralphm has joined
Zash: -xkcd 538
Guus has left
pep.: heh, I had never seen the alt comment
Zash: Bunneh: Meh
Zash: Where is your wrench now?
lovetox has left
Guus has left
Alex has joined
hannes has left
hannes has joined
leonardbadi has joined
lskdjf has joined
leonardbadi has left
lskdjf has joined
suzyo has left
suzyo has joined
mimi89999 has joined
sezuan has joined
ralphm has joined
waqas has joined
waqas has left
sezuan has left
sezuan has joined
waqas has joined
goffi has left
suzyo has joined
lskdjf has joined
blabla has left
Dave Cridland has left
Dave Cridland has left
jjrh has left
ralphm has joined
jjrh has left
valo has left
valo has joined
ralphm has joined
moparisthebest: even in the case of trusted servers, I guess all servers are secure and all software well configured? that's not exactly the impression I get
moparisthebest: my XMPP server is in a closet in my house that I'm pretty confident is physically secure, and I like to consider myself competent enough security-wise that no one can hack in, but everyone makes mistakes, and no doubt some software has bugs
moparisthebest: E2E protects against that too
moparisthebest: even just the passive BTBV variants
ralphm has joined
Holger: Eww, all your stanzas pass through a closet?
moparisthebest: they do :)
Holger: Oh, the dictionary says "closet" != "toilet".
Holger: Ah, the dictionary says there are both meanings :-)
Holger: The German "Klosett" is always a toilet.
moparisthebest: hmm, never heard of that meaning, language, fun stuff
moparisthebest: I mean where you'd normally hang clothes in a bedroom :)
Holger: That's ok then :-)
jjrh has left
moparisthebest: though, an XMPP server inside a toilet would be EXTRA physically secure
moparisthebest: I mean, you can grab it, if you want to, be my guest
zinid: moparisthebest, secure enough if you have no friends
jjrh has left
jjrh has left
lumi has left
lumi has joined
moparisthebest: I just got around to reading your "Please Stop Writing Secure Message Tools" blog thing Ge0rG https://dymaxion.org/essays/pleasestop.html
moparisthebest: but it seems like, don't write them unless they check all these boxes
moparisthebest: and XMPP checks every single box
moparisthebest: except it could maybe deal with a little less metadata, but even then, it's scattered all over vs in one silo
lovetox has joined
ralphm has joined
Zash: something something threat model
lskdjf has left
moparisthebest: that crap where if the NSA isn't after you, you don't need encryption is just that, crap, everyone needs privacy
lskdjf has left
moparisthebest: and if it's a little less user-friendly than not encrypted, work on that, see Let's Encrypt for example
zinid: moparisthebest, do those people dumping their lives on Instagram need privacy too?
zinid: privacy is a broad term
moparisthebest: sure, you choose what you want public or not
lskdjf has left
pep.: zinid, maybe they live double lives, and one of them is protecting the other by sending crap on Instagram!!
zinid: who knows
Dave Cridland has left
jubalh has joined
Holger: moparisthebest: If someone says he doesn't like bananas, that's crap, everyone does!
jubalh has joined
jubalh has joined
Dave Cridland has left
Dave Cridland has joined
moparisthebest: that would be a preference vs a statement of fact, I guess
Holger: Sure sure.
zinid: "everyone needs privacy" sounds like a statement of fact ;)
zinid: the problem is in the definition of privacy
moparisthebest: it's identical to the TLS vs plaintext debate, honestly
moparisthebest: and that seems fairly settled nowadays, that everything needs to be TLS, doesn't it?
Holger: It's not identical in the case of TLS for c2s.
moparisthebest: a valid argument is/was that TLS is harder than plaintext, has usability problems etc etc
Holger: At least not when using PLAIN SASL.
zinid: moparisthebest, TLS is slow shit, I use plain HTTP wherever possible
moparisthebest: haha, but you are wrong
moparisthebest: TLS is faster in many cases nowadays
Zash: It's not "everyone needs privacy", it's
> No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.
zinid: moparisthebest, sure, you know better
Zash: It's a human right. Whatever the definition of privacy is.
lskdjf has left
moparisthebest: zinid, don't take my word for it https://www.troyhunt.com/i-wanna-go-fast-https-massive-speed-advantage/ https://istlsfastyet.com/
moparisthebest: plain HTTP today is slower than HTTPS, there is no debate about it
zinid: that's why I use HTTP on some sites, I'm just blind and cannot see how HTTPS is much faster
ralphm has joined
Zash: but is it fast enough to counteract the ever-increasing bloat?
lskdjf has left
Zash: ... no, it just encourages more bloat
blabla has left
Zash: can't have fast things
moparisthebest: says a guy who enjoys shuffling XML streams around... :)
Zash: pretty sure my messages aren't in the order of megabytes
Guus has left
SamWhited: neither are my webpages; they're still ~20% faster if I'm using TLS.
waqas: I've been browsing with JS disabled, or selectively first-party-only enabled, and it has been a pretty great experience.
zinid: my 1-hour poezio XML log is 300kB, horrible bloat
SamWhited: Oh, TLS won't speed anything up on XMPP, but it's not slow either. Basically negligible.
zinid: and here come servers where you need twice the RAM to support TLS connections
SamWhited: You really don't
SamWhited: Machines are optimized for it these days; TLS's extra resource use is basically negligible unless you have a much bigger server than I think you do.
moparisthebest: even Google, which has servers way bigger than any XMPP deployment, says it's essentially no overhead
zinid: ever tried to connect 1M XMPP sessions?
moparisthebest: and that was years ago
zinid: with TLS or without
moparisthebest: TLS
Zash: You are both wrong. More than negligible, but not double memory consumption.
Zash: TLS handshakes are quite the CPU hog too.
zinid: moparisthebest, because HTTP doesn't have long-lived connections
moparisthebest: the long-lived part really is 0 overhead
zinid: yeah, sure ;)
moparisthebest: any overhead is just on setup, so from that perspective, HTTP over TLS is more overhead than XMPP over TLS
moparisthebest: and since HTTPS isn't a problem, XMPPS certainly isn't
zinid: even the nginx author says it's about 50k-100k overhead per connection
moparisthebest: zinid, I mean you were right in 2005 for sure, maybe even 2008 or whatever, whenever AES-NI became a thing
ralphm has joined
zinid: there is a recent issue in our bugtracker where a guy complains about huge memory consumption when TLS is enabled
zinid: 30GB overhead
zinid: on 1M connections
zinid: but, possibly, 30GB is nothing for Google
moparisthebest: is that a public bugtracker? sounds interesting
zinid: sure
zinid: it's on GitHub issues, but I'm too lazy to find it, anyway, Holger will not let me lie, he laughed at the issue too ;)
Guus has left
SamWhited: What's the total memory usage?
moparisthebest: iirc when Google forced HTTPS for Gmail the usage increase was like 1.2%, and that was pre-HTTP/2
moparisthebest: can't actually find that right now...
zinid: SamWhited, 70GB or so, I don't remember actually
moparisthebest: how much memory does the rest of a connection take?
moparisthebest: what % is 50kB?
zinid: it highly depends on usage, roster size and so on
SamWhited: That does seem high; 50k of overhead per connection is much more than I've ever seen; not sure what that could be.
moparisthebest: if a non-TLS session takes 1MB of RAM and TLS adds 50kB, that's a 0.09% increase?
zinid: I think he counted wrong, I'm trying to calculate now and I get numbers far above 90GB if I do 2M x 50kB
moparisthebest: yeah, that's true
zinid: anyway, 50-100kB is a typical overhead I see in stress tests, so...
Zash: https://www.zash.se/prosody-graphs.html .... is that like 15kB/conn for TLS? I might have forgotten how to read those graphs
Zash: Dat CPU usage tho
moparisthebest: but really the % matters, if that's only a 0.09% increase well...
zinid: moparisthebest, that's not a 0.09% increase, in production we offload TLS because huge-RAM machines are expensive, so we split the RAM between the machines
Holger: First random Google hit:
> OpenSSL tends to allocate about 50KB of memory for each connection.
https://www.imperialviolet.org/2010/06/25/overclocking-ssl.html
zinid: why would we do this crazy shit if there was negligible overhead?
Zash: Something something release buffers?
moparisthebest: how much do you allocate for a regular XMPP connection though, is what I'm wondering
zinid: Zash, the option is set
moparisthebest: my hunch is it's so much more than 50kB that 50kB is negligible
Holger: Isn't that option for freeing memory on *idle* connections?
jubalh has joined
jubalh has joined
jubalh has joined
zinid: moparisthebest, for an empty-roster c2s it's no more than 50kB in fact
Holger: moparisthebest: On the two servers I'm involved with it's about 300k, but those are with all bells and whistles enabled (MAM and whatnot), so it's probably less elsewhere.
zinid: It's really hard to say, because there is a crazy garbage collector in Erlang doing some weird shit
lskdjf has left
zinid: not to mention how great OpenSSL is when you try to connect 2M :)
zinid: you need to patch it, or else it will spend most of the time in locks on a machine with a lot of CPUs