XSF Discussion - 2020-09-21

  1. jonas’

    Daniel, hey, how about integrating `curl -XPOST -H 'Content-Type: application/json' -d'{"target": "$domain"}' https://observe.jabber.network/api/v1/check/xmpps-client` in the XEP-0368 tester of compliance.c.im to avoid false positives? AFAICT it currently only tests the existence of SRV records, not whether they actually work correctly.

  2. jonas’

    if you don’t want to third-party this, I can also provide you with a config snippet for https://github.com/horazont/xmpp-blackbox-exporter to have it more local to the compliance tester.

  3. Daniel

    It half-assed tries to open a stream

  4. Daniel

    But I'll keep that in mind / take a look when I have more time at my hands

  5. Daniel

    People messed up their sslh configs. So we do enough connecting to make sure we don't connect to HTTP or SSH

  6. jonas’

    I’ve seen a few who claimed to have gotten a green tick mark, but in fact pointed the xmpps records at the normal starttls port

  7. jonas’

    without any multiplexing

  8. jonas’

    (at least openssl s_client failed with "wrong version number", which usually indicates plaintext)

  9. Daniel

    Mhh dunno. I've seen the opposite as well. Where people complained that the evil compliance tester doesn't give them green even though they set up records (and pointed them to 5222)

  10. Daniel

    But I'm not ruling out bugs. Like I said the stream start check is very rudimentary

  11. Daniel

    Maybe PM me credentials to a server in question and I can check

  12. jonas’

    I don’t have credentials for any, but you shouldn’t need credentials for that type of test?

  13. Daniel

    Yes. But I can't run tests individually

  14. jonas’

    hm, I’ll ask them to ask you then

  15. jonas’

    because I can’t pass on that info, it’s an o.j.n request

  16. Daniel

    At least not w/o touching code for which I don't have time currently

  17. jonas’

    can you send me a JID to pass on to them?

  18. jonas’

    Daniel, sorry for the noise, I confused two domains.

  19. Daniel

    The client connection looks fine. The server connection might not be

  20. jonas’

    yeah, that one is good

  21. jonas’

    the other one is not, but the other one also didn’t claim 100% green on the c.c.im tool yet