-
Kev
Emus: Sure.
-
emus
Thanks!
-
moparisthebest
Tigase on top of things, fixed their _xmppconnect usage already
-
Wojtek
well, not exactly - we ran into some obstacles that need more polishing but yeah, _xmppconnect will be gone
-
moparisthebest
+1
-
moparisthebest
Prosody and ejabberd have updated their docs removing suggestions of _xmppconnect
-
Link Mauve
Would it make sense to extend MUC to advertise the last time it has seen a given participant?
-
Link Mauve
I was thinking about doing so for members-only MUCs, where clients are starting to display members instead of participants.
-
Link Mauve
But if someone hasn’t been seen in days/weeks/months, it might make sense to warn other participants, or something.
-
moparisthebest
mellium is fixed https://mellium.im/cve/cve-2022-24968/
-
Sam
Yup, big 🤦 on that one (since ours wasn't a default tls library thing, I explicitly set the server name and still set it to the wrong host), thanks for the report.
-
moparisthebest
so you're still using _xmppconnect, just in a secure but less-compatible way
-
moparisthebest
no problem there as long as your fallback-to-next-method code is solid :)
-
moparisthebest
hmm wait Sam don't you also get websocket endpoints with json+host-meta ? those you'd want to validate against the other hostname
-
Sam
Yah, this was just the quickest way to fix the issue and was what was intended originally I suspect anyways. Nobody is using this code, so now that the quick fix is out we can work on just stripping out the txt stuff
-
moparisthebest
(not a *security* problem, just a, likely to not successfully connect to valid websocket endpoints problem)
-
moparisthebest
fair
-
Sam
Hmm, could be, I thought I did this the right way (TXT record changes only) but this code isn't well tested
-
Sam
Oh I see, yah, this is probably still wrong, but "not working" == "secure" so whatever, still patched!
-
Sam
If we obsolete XEP-0156 is the bosh lookup web host metadata documented anywhere? I know you mentioned that the WebSocket one is duplicated in the RFC, but would we also be deprecating BOSH lookup entirely?
-
Zash
ProtoXEP-XXXX: XEP-0156: The Good Parts
-
moparisthebest
yea, both you and Sonny (in the PR) mentioned that, I think that's ok too
-
moparisthebest
slapping obsolete and some warnings on it was the quickest thing I could do so late in my evening :)
-
Link Mauve
Speaking of which, https://github.com/iNPUTmice/caas/pull/111 might help some server admins not be stupid.
-
moparisthebest
yes, even the RFC states https-only
-
moparisthebest
Daniel, merge plz ^ :D
-
Zash
Wait what
-
Sam
I'd be very curious how many of the servers being tested are actually doing that
-
Link Mauve
Let’s see how many drop afterwards.
-
Link Mauve
I’d be interested to know why this check fails on JabberFR, despite our web clients working properly.
-
moparisthebest
are they using _xmppconnect ? :/
-
Link Mauve
A web client can’t.
-
moparisthebest
https://github.com/xmppjs/xmpp.js/issues/933 begs to differ
-
Link Mauve
Wat, how?
-
moparisthebest
tigase's web client does too, and https://github.com/poVoq/converse_wp/issues/2
-
Zash
node.js ?
-
Link Mauve
Ah yeah, that’s for node.
-
Zash
or DoH?
-
Link Mauve
You had me worried for a minute.
-
Link Mauve
moparisthebest, that’s PHP, also irrelevant.
-
moparisthebest
well, my point is a web client can have a server-side component do DNS lookups for them, and that's a thing that happens
-
moparisthebest
don't know if *your* web client does, but...
-
Link Mauve
Why would you do such a thing? D:
-
moparisthebest
cross-domain problems ?
-
moparisthebest
though I guess those would usually forbid the websocket too so, idk
-
Zash
aaaaaaaactually, websockets are backwards so they work by default
-
Zash
because CORS wasn't complicated enough
-
moparisthebest
ah ok, makes sense
- moparisthebest crawls back in my non-web hole
-
Sam
huh, I don't know if this code was ever working. The URLs it checks for the host meta stuff don't appear to have a scheme.
-
moparisthebest
Sam, I still never figured out why I couldn't find the string "xmppconnect" in your mellium codebase, then I gave up :D
-
Sam
Yah, that too. I swear I'd tested this with the host-meta stuff at least though. Oh well, no idea, it all needs to be rewritten probably.
-
Sam
I did a big refactor of this a while back, maybe I broke it then.
-
moparisthebest
speaking of, I ended up writing those full integration tests we talked of a few weeks back https://github.com/moparisthebest/xmpp-proxy/tree/master/integration
-
moparisthebest
each folder has configs for bind9, a few prosodys, and a few xmpp-proxys, and the bash script starts a podman network and all the containers and runs scansion through them, works surprisingly well
-
Sam
oh nice, I'll have to look through this. One of the problems with this websocket package is that, even though it has integration tests, I can't do anything with DNS so maybe this is something I should have looked into doing
-
moparisthebest
yep, when all your code relies on DNS and certificate validation it's really hard to write helpful unit tests, this gave me some confidence to change things :)
-
moparisthebest
guess I'll be adding a few nginxes now for serving host-meta....
-
Link Mauve
Andrzej, I just received a “401 - auth: You must authorize session first.” from your in-room JID, were you doing anything special?
-
Sam
moparisthebest: for spinning up something fast I'm a big fan of "python -m http.server", although I have no idea if you can do TLS with it.
-
moparisthebest
I'll probably still use nginx because of "the beast you know" thing :)
-
Sam
Actually, looking at my code I don't think I even need to do integration tests. It's not strictly a unit test, but I might as well just spin up the http server in process (i.e. with Go's net/http) and then just do the lookup against localhost and see if it connects, then see if it tries to connect to the "xmpp server" that's just a TCP listener on a different port that I threw in the fake host meta file.