jonas’: (or, could have. I scale them down on ingestion)
jonas’: Syndace, actually, how about implementing FSE as JET-encrypted IBB?
Syndace: I don't XMPP, what is IBB xD Heard of JET at least
Syndace: "sessions" looks like it's synchronous/requires both parties to be online
jonas’: that’s gonna be a deal-breaker
jonas’: would’ve been fun tho
jonas’: so you need to either specify some kind of chunking (then the question: how to deal with missing chunks? see the vulnerabilities in IP fragmentation implementations to get an idea of why this question is important and non-trivial) or set an upper limit which is sane
Syndace: chunking is a big nope from my side
Syndace: so much complexity for such an edge case
lovetox: xmpp.net server test is soooooo slow
Syndace: servers are already encouraged to do stanza-too-big stuff
jonas’: Syndace, so we end up with Path-MTU discovery in XMPP :D
jonas’: it is amazing how problems replicate on each layer of the stack
lovetox: it can't even take my request to check a new server
moparisthebest: I'm about 98% sure all clients would crash and burn if a server sent them too big of a stanza
jonas’: when I started aioxmpp, I asked, and people told me to trust the server on that one.
jonas’: and I think that’s a sane way to look at it
jonas’: obviously it shouldn’t allow you to RCE, and you may handle it more gracefully than OOMing, but what are you gonna do?
moparisthebest: *maybe*, but RFC-wise does anything really stop a server from just streaming stanzas around?
Syndace: I'm not sure that's on us to solve
Link Mauve: lovetox, it throttles a lot in order not to take down any server, no matter how underpowered it is.
moparisthebest: once you have who the stanza is addressed to, you don't really *need* to buffer it in memory anymore as a server, right?
moparisthebest: just read a bit and send it right out the other end
jonas’: moparisthebest, you still need to do buffering to synchronise when multiple entities want to send to the same entity at the same time
moparisthebest: I suspect no servers in the wild are written this way, but they could be
jonas’: you also have to reject stanzas which are invalid XML
jonas’: (as per a MUST in RFC 6120)
jonas’: so you have to at least de- and re-serialise them
moparisthebest: hmm, well that does imply buffering entire stanzas then
jonas’: (of course, you can do this by simply streaming SAX events around, no need to build the full tree)
jonas’: ah yeah, you have to at least keep a copy
lovetox: damn, xmpp.net server test can't do direct TLS test...
lovetox: can somebody test direct TLS on movim.eu
lovetox: it does send invalid TLS handshake for me, and I want to find out if that's my lib or a problem on the server
moparisthebest: does it listen on 443? if so you can test the TLS bit with ssllabs.com
lovetox: that's the address
jonas’: 2020/03/10 18:58:09 failed to probe c2s to xmpp:movim.eu: tls: first record does not look like a TLS handshake
jonas’: my blackbox exporter agrees
jonas’: openssl s_client agrees, too: 139993024365760:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331:
jonas’: yeah, that’s plain XMPP
moparisthebest: you can also do https://nl.movim.eu:5223/
jonas’: sending anything with ncat gives me a not-well-formed XMPP stream error
jonas’: do http:// instead
moparisthebest: won't let me, HSTS?
jonas’: then use ncat :)
moparisthebest: but yes, mostly that works too :)
jonas’: it’s a plaintext XMPP port, not direct TLS
moparisthebest: yep, that record is wrong, dino will likely fail to connect ever too
moparisthebest: (yet another reason TCP connect success should NOT be a criterion for not falling back to the next SRV record)
lovetox: yes moparisthebest, a user reported this today
lovetox: and now he can't connect, because I don't try the others ^
moparisthebest: who's responsible for movim.eu? edhelas?
lovetox: yeah, I notified him
lovetox: but see moparisthebest, nobody would find that error
lovetox: it's a thin line to walk
moparisthebest: well, user would probably have preferred to just be connected though
lovetox: you don't want to shadow all errors, and you don't want to make your users mad
moparisthebest: you could maybe report connection errors anyway?
lovetox: yes, I agree, in this case the user wants to connect and does not care
moparisthebest: "hey we failed to connect to X so now we are connecting to Y" or something
moparisthebest: you won't hear any "UX is easy" arguments from me :)
jonas’: lovetox, it’s the operator’s responsibility to monitor
jonas’: the tools are there
moparisthebest: 10 day TTL on that SRV record, so the fix needs to be to make that a direct TLS port, not remove the SRV
jonas’: the first error I showed you is from a tool to monitor c2s/s2s connectivity on both direct TLS and STARTTLS. it can even do XMPP pings if you give it credentials. it’ll also check whether expected SASL mechanisms are there.
jonas’: maybe I should take the search.jabber.network domain corpus and scan all the SRV endpoints and notify operators about failures.
jonas’: or at least the corpus of domains affiliated with the top 100 or so rooms
moparisthebest: I was going to say, a tool is good, but you need another off-network server to be able to run it on for it to be really useful most of the time, not all admins have that I guess
jonas’: moparisthebest, not really
jonas’: most of the time, failures discovered by monitoring from the outside are not something you can fix either way
moparisthebest: if you only have 1 server, running the tool and xmpp server on the same machine isn't ideal
jonas’: it’s not ideal, but it would definitely have caught this problem
moparisthebest: certainly better than *nothing*, and yes
jonas’: it will also catch the issue when the server runs OOM
jonas’: it will catch most of the things you can fix locally
jonas’: it won’t catch when the entire box goes down, but chances are you’ll notice that either way
jonas’: (and you can ping-probe the up-ness of the box cheaply from the outside)
jonas’: also, maybe I should start offering XMPP probes to others. it’s cheap for me to do, sending emails on problems is cheap too
moparisthebest: on my giant todo list is still such a tool/service, but also checking things like "is ALPN required" and such
jonas’: moparisthebest, feel free to include basic checks in this: https://github.com/horazont/prometheus-xmpp-blackbox-exporter
moparisthebest: "is SNI required" as well, similar to ssllabs
jonas’: "is X required" kind of stuff isn’t interesting for continuous monitoring though
moparisthebest: yep, I agree, it's pretty helpful when setting up though
jonas’: extending/rewriting xmpp.net would be the target for this type of effort
jonas’: > I honestly don’t see the point in proving to the other side that you can do regular expressions on the user input.