-
Ge0rG
Link Mauve: sorry for blaming you yesterday. You were not at fault. It was an obscure bug in smack3's handling of unknown stanzas.
-
Link Mauve
Ge0rG, no problem. ^^
-
Link Mauve
I was surprised because I wrote these modules very defensively.
-
Ge0rG
Who could have expected that `parseIQ()` returns the parsed IQ for most cases, except for a GET or SET with unknown payload, where it just injects a not-implemented response and returns null.
-
jonasw
s/smacks3/smacks4/?
-
Ge0rG
no idea how smack4 does it
-
flow
Smack 3 has no support for stream management, I assume we are talking about a patch someone put on top of a Smack 3 codebase
-
Ge0rG
flow: yes, a patch that's using Connection.addPacketListener() to keep track of stanzas.
-
flow
Ge0rG, let me know if you ever want to switch to a recent release of smack and need help
-
jonasw
I think both of that is the case :)
-
Ge0rG
flow: I'm grateful that you took the time to integrate smack4 back then, and I'm sorry that it happened on an oldish branch and I never managed to forward-port it.
-
Ge0rG
flow: I really want to switch to most recent smack4, and I don't have illusions about the required effort.
-
Guus
o/
-
jonasw
Guus ^_^
-
MattJ
\o
-
Guus
I'd like to do some interop testing
- jonasw can offer a client
-
Guus
does someone have a server available that does S2S over DirectTLS?
- jonasw can't offer that
- Guus is sad
-
jonasw
metre might be able to do such a thing
-
Holger
Guus: conversations.im
-
jonasw
.oO(S2S over DirectX)
-
jonasw
.oO(S2S over DirectPlay)
-
Guus
snap out of it!
-
Guus
thanks Holger
-
Ge0rG
Guus: I have mod_net_multiplex loaded on xmpp.yaxim.org:443, but IIRC not in the SRV records.
-
Guus
Thanks Ge0rG. I was just checking for SRV records on conversations.im
-
Holger
Ge0rG: That way you can do TLS-on-connect for s2s connections?
-
Ge0rG
Holger: I hope so
-
jonasw
itym you wish
-
Ge0rG
Somebody could attempt an s2s handshake there.
-
MattJ
I don't see why it wouldn't work
-
jonasw
if I only knew the xmlstream namespace by heart
-
Holger
MattJ: Well it won't teach Prosody to do XMPPS for outgoing connections, will it?
-
MattJ
No, not for outgoing
-
Holger
MattJ: For incoming connections, EXTERNAL auth and/or Dialback will be fine?
-
MattJ
Yes?
-
Holger
Nice :-)
-
jonasw
Ge0rG, appears to work
-
jonasw
SENT: <stream:stream xmlns='jabber:server' xmlns:stream='http://etherx.jabber.org/streams' version='1.0' to='yax.im'>
RECV: <?xml version='1.0'?><stream:stream xmlns:db='jabber:server:dialback' xmlns:stream='http://etherx.jabber.org/streams' xml:lang='en' from='yax.im' id='b63d1089-0aa0-4bd4-b5b4-4deb3efe83e2' to='' version='1.0' xmlns='jabber:server'><stream:features><dialback xmlns='urn:xmpp:features:dialback'/></stream:features>
SENT: <stream:error><undefined-condition xmlns='urn:ietf:params:xml:ns:xmpp-streams'/><text xmlns='urn:ietf:params:xml:ns:xmpp-streams'>no</text></stream:error>
RECV: </stream:stream>
-
jonasw
even without xml header :-X
-
MattJ
The XML header isn't mandatory
-
Dave Cridland
Guus, dave.cridland.net should have XEP-0368 on inbound and outbound, and use the right SRV records.
-
Guus
Dave, excellent, as you might be the one reviewing this new Openfire code
-
Dave Cridland
Guus, If you want to set up your own test, then it's just Metre, and I can help you figure out a config file to let you ping Metre on its own.
-
Guus
Thanks, maybe later Dave. Right now, I'd like to see if I can test this without adding another new component to the mix
-
Guus
also, crappy camping wifi /me raises fist
-
Guus
Dave, we miss you in open_chat, by the way
-
MattJ
Pft, I just got back from a camping trip with no wifi and no phone signal
-
Guus
"In my day, we rocket-jumped to school and back!"
-
Guus
well, failure on both ends
-
Guus
but I'm still using a self-signed cert, that probably doesn't help
- Guus does the Let's Encrypt dance
-
Guus
right, using a proper certificate made all the difference. I think that directTLS from Openfire to dave.cridland.net and conversations.im is now working.
-
Guus
If someone would be willing to shoot some (direct TLS) s2s tests at goodbytes.nl, I'd be grateful.
-
Dave Cridland
Guus, It looks like movim.eu is also using XEP-0368 - unless I can't read my own logs.
-
Guus
No SRV record found for: _xmpps-server._tcp.movim.eu.
-
Dave Cridland
Guus, Yeah, but it seems to use it to me. Maybe.
-
Guus
that's entirely possible
-
Guus
for the record, I've disabled the lookup of _xmpp-server on goodbytes.nl, to force _xmpps-server lookups for the purpose of this test.
-
Dave Cridland
Guus, I found one tricky bit was to combine the two SRV lookups into a single one for the purposes of the SRV selection algorithm neatly.
-
intosi
Guus: why is it offering starttls when you connect on port 5270?
-
Guus
Dave, why not do two SRV lookups and combine the results manually?
-
Guus
intosi: because the code is a mess and I didn't add a proper condition there, most likely.
-
intosi
Fair enough.
-
Guus
Openfire's S2S code is using the pre-Java NIO blocking way of doing things. We've meant to replace it ages ago, but it continues to survive. Now this is bolted on
-
Guus
it's not pretty...
-
intosi
Old code doing things that aren't pretty, a fate not unique to your code ;)
-
Guus
I think I fixed it. I'll redeploy
-
intosi
Grand :)
-
Guus
intosi, mind trying again?
-
Guus
linkmauve, Openfire thinks it's funny that your cert chain contains multiple certs with identical IssuerDN's
-
intosi
Looks good to me, thanks!
-
Link Mauve
Guus, check.messaging.one too.
-
Guus
thanks guys
-
Guus
Link Mauve, I _think_ that the reason for Openfire to complain about this is that it tries to recreate the chain (matching subject and issuer of individual chains). That works around a problem where chains were provided out of order, iirc.
-
Guus
it now picked the last cert in the chain, as that's typically the EE cert.
-
Link Mauve
Oh, my renew script uses cat twice; why?!
-
Ge0rG
two cats are better than one
-
Guus
two cats is obviou...whathesaid
-
Link Mauve
Guus, better now?
-
Guus
Link Mauve, yes it stopped warning me.
-
Guus
I think we did StartTLS and not DirectTLS, by the way
-
Guus
_xmpps-server._tcp.linkmauve.fr does not seem to exist.
-
Link Mauve
Yes, indeed.
-
Link Mauve
I don't do legacy TLS on this server.
-
Guus
ok, but that's what I was testing in the first place
-
Ge0rG
"legacy TLS"? What's that now?
-
Guus
Yeah, Openfire sadly refers to direct tls as 'legacy' in various places too
-
Guus
I think we even have an issue for that, to change that into 'direct'.
-
Ge0rG
because it was used on port 5223 for clients before starttls became a thing
-
Guus
stems from the introduction of StartTLS that was considered the new holy grail, replacing everything else...
-
Ge0rG
Yeah. We were naive back then.
-
Holger
Guus: > using a proper certificate made all the difference. I think that directTLS from Openfire to dave.cridland.net and conversations.im is now working.
conversations.im should also accept Dialback auth, by the way.
-
MattJ
And we're not now
-
Guus
Holger: I was forcing direct TLS
-
Holger
Guus: Shouldn't Dialback auth work with direct TLS?
-
Guus
Holger, yes, but with direct TLS, you didn't like my self-signed cert, I think. Didn't even get to start dialback
-
Holger
Hmm, maybe something wrong on our side. I'll check.
-
Guus
if something's wrong, it's probably on this side
-
Holger
But I remember at least one versions of Openfire and ejabberd not being big friends when it came to Dialback auth in the past.
-
Holger
Forgot the details, and whether the issue was resolved at some point.
-
Guus
Holger, that's probably many moons ago.
-
Holger
*at least old versions
-
Holger
Guus: Yeah may well have been fixed long ago.
-
Guus
Holger: if you do find new issues, please let me know
-
Holger
Will do.
-
Holger
Dave Cridland: > but it seems to use it to me.
Yes all recent ejabberds will attempt direct TLS if DNS tells them to do that.
-
Guus
Holger: do you prefer that over StartTLS, or do you adhere to prio / weight of SRV records?
-
Holger
We adhere to the prio/weight, I think the XEP tells you to.
-
Holger
> Both 'xmpp-' and 'xmpps-' records SHOULD be treated as the same record with regard to connection order as specified by RFC 2782 [3], in that all priorities and weights are mixed.
-
Holger
> This enables the server operator to decide if they would rather clients connect with STARTTLS or direct TLS. However, clients MAY choose to prefer one type of connection over the other.
-
Holger
But you're not a client! ;-)
-
Guus
exactly.
-
Guus
'peer'
-
Guus
just wondering. So it's a coincidence that you did directtls with dave
-
Guus
assuming he has both SRV records, I didn't check.
-
Holger
Ah he has both, but both with the same prio/weight.
-
Holger
Just checked, in that case (same prio/weight) we prefer direct TLS indeed.
-
Guus
why? shouldn't you do 50/50?
-
daniel
Faster
-
daniel
It's arguably better and if the admin didn't set a preference (which I would respect) I'd prefer direct
-
Guus
sure, but still - if the SRV records are set up with the same prio/weight, shouldn't the connection attempts be distributed evenly?
-
daniel
According to the xep which says combine the two the answer is yes
-
daniel
But I don't agree
-
SamWhited
(I am also still against that wording and think it makes no sense to combine the two)
-
daniel
I mean honoring the prio makes sense
-
daniel
But honoring the weight doesn't
-
Guus
I'm not sure it'd be a good idea to deviate from standard SRV semantics, if we use them.
-
daniel
Weight is load management. And why would you manage load between direct and start
-
Guus
sure, but then instruct/suggest to admins to use different prio's
-
Guus
(or: don't combine the two, sure)
-
Holger
Guus: Yes, strictly speaking you're right of course.
-
Guus
Holger, I don't think I am. They're different SRV records. It's only because the XEP tells us to combine them, ...
-
Guus
(records for different services, I mean)
-
jonasw
Guus, there is no such thing as "standard SRV semantics" when mixing two types of SRV records
-
jonasw
that's an invention of XEP-0368
-
Guus
jonasw, that's pretty much what I just typed
-
Holger
Yes I mean you're right that it goes against the XEP words to prefer one type.
-
Guus
or intended to, at least
-
jonasw
what
-
jonasw
I am not sure whether my client has shown your messages before it has shown mine
-
jonasw
*shrug*
-
Holger
jonasw: The XEP tells you to mix the records as if both were of the same type, and to then apply standard SRV semantics.
-
Guus
jonasw: just nod and agree with me that I was wrong
-
jonasw
I'll just walk away and water the plants instead! ha!
-
Guus
jonasw, how often did we ask you to not water the plastic plants?!
-
jonasw
Guus, those ain't plastic!
-
jonasw
https://uc.xmpp.zombofant.net/1af3e64c-98e4-4f39-b92b-df826fe9a97a/IMG_20180723_170548.jpg
-
daniel
2 megabytes? I hope those will be some nice plants
-
daniel
Once I've finished downloading that in like half an hour
-
jonasw
daniel, https://uc.xmpp.zombofant.net/b607154c-4bec-495e-a513-3a3521a2b192/foo.jpg is that helpful? :)
-
jonasw
if we had SIMS deployment, I could've uploaded multiple versions (or have my server rewrite that)
-
Dave Cridland
Holger, If the prio/weight is the same, what does it mean to "prefer" one? You bias the weight, or are you using weight like priority?
-
Holger
Dave Cridland: No I meant if there's an _xmpp-server. and an _xmpps-server. record and both have the same prio and the same weight (like you have for your server), we'll prefer the _xmpps-server. record. While the XEP tells us not to do this but to choose one at random instead.
-
Dave Cridland
So what do you do if the _xmpp-server has weight 4, and the _xmpps-server has weight 5?
-
Dave Cridland
Do you not choose one at random then?
-
Holger
Then we do :-)
-
jonasw
hm
-
jonasw
that's a very weird corner case you're constructing there
-
Dave Cridland
Holger, What, so you're literally special-casing equal-weight?
-
Holger
Oh! Ignore me.
-
jonasw
I would've understood if you preferred direct TLS on equal prio, but ... special casing equal weight is weird
-
Holger
Well don't ignore me :-)
-
Dave Cridland
(FWIW, I could totally go along with that when all weights are zero)
-
Holger
Dave Cridland: Yes exactly. _xmpps-server is only preferred if the weights are zero.
-
Holger
Sorry.
-
Dave Cridland
Holger, Ah! OK, that makes sense - you're faced with something illegal so you take a policy view.
-
jonasw
refresh my memory, why is it illegal?
-
Dave Cridland
jonasw, Because you're meant to randomly select a specific record ( weight / [total weights] ) of the time.
-
jonasw
yes
-
Dave Cridland
jonasw, If all weights are zero, then you're picking each record 0/0 of the time.
-
Dave Cridland
jonasw, However, a weight *can* (and should, maybe) be zero if it is the only one - and that might occur by accident if there's only one *each* of _xmpp-server and _xmpps-server.
-
jonasw
hm
-
jonasw
the text in RFC 2782 (DNS-SRV) actually tells you how to deal with (even multiple) records of weight zero, even in presence of records which have non-zero weight
-
Holger
> So it's a coincidence that you did directtls with dave
So turns out the answer is "yes", after all.
-
Dave Cridland
jonasw, Yes, indeed. So "illegal" is an incorrect assertion. But still, Holger's "if everything is weight zero, do TLS" is fine.
-
jonasw
but DNS-SRV allows for "additional weighting information"
-
jonasw
in which case everything said there about how weights are used is irrelevant it seems
-
Dave Cridland
Well. XEP-0368 says (I paraphrase) combine all the SRVs and then do RFC 2782.
-
Guus
Dave, I've got that XEP-0368 PR up for you to review, btw
-
Guus
still trying to lure you back in...
-
Dave Cridland
Guus, Yeah, I might even get to that.
-
Dave Cridland
Guus, Doing it now in fact.
-
Guus
\o/
-
Guus
(maybe have tissues ready for the occasional wiping of tears)