XSF Discussion - 2022-02-11


  1. Kev

    Emus: Sure.

  2. emus

    Thanks!

  3. moparisthebest

    Tigase on top of things, fixed their _xmppconnect usage already

  4. Wojtek

    well, not exactly - we ran into some obstacles that need more polishing but yeah, _xmppconnect will be gone

  5. moparisthebest

    +1

  6. moparisthebest

    Prosody and ejabberd have updated their docs removing suggestions of _xmppconnect

  7. Link Mauve

    Would it make sense to extend MUC to advertise the last time it has seen a given participant?

  8. Link Mauve

    I was thinking about doing so for members-only MUCs, where clients are starting to display members instead of participants.

  9. Link Mauve

    But if someone hasn’t been seen in days/weeks/months, it might make sense to warn other participants, or something.

  10. moparisthebest

    mellium is fixed https://mellium.im/cve/cve-2022-24968/

  11. Sam

    Yup, big 🤦 on that one (since ours wasn't a default tls library thing, I explicitly set the server name and still set it to the wrong host), thanks for the report.

  12. moparisthebest

    so you're still using _xmppconnect, just in a secure but less-compatible way

  13. moparisthebest

    no problem there as long as your fallback-to-next-method code is solid :)

  14. moparisthebest

    hmm wait Sam don't you also get websocket endpoints with json+host-meta ? those you'd want to validate against the other hostname

  15. Sam

    Yah, this was just the quickest way to fix the issue and was what was intended originally I suspect anyways. Nobody is using this code, so now that the quick fix is out we can work on just stripping out the txt stuff

  16. moparisthebest

    (not a *security* problem, just a, likely to not successfully connect to valid websocket endpoints problem)

  17. moparisthebest

    fair

  18. Sam

    Hmm, could be, I thought I did this the right way (TXT record changes only) but this code isn't well tested

  19. Sam

    Oh I see, yah, this is probably still wrong, but "not working" == "secure" so whatever, still patched!

  20. Sam

    If we obsolete XEP-0156 is the bosh lookup web host metadata documented anywhere? I know you mentioned that the WebSocket one is duplicated in the RFC, but would we also be deprecating BOSH lookup entirely?

  21. Zash

    ProtoXEP-XXXX: XEP-0156: The Good Parts

  22. moparisthebest

    yea, both you and Sonny (in the PR) mentioned that, I think that's ok too

  23. moparisthebest

    slapping obsolete and some warnings on it was the quickest thing I could do so late in my evening :)

  24. Link Mauve

    Speaking of which, https://github.com/iNPUTmice/caas/pull/111 might help some server admins not be stupid.

  25. moparisthebest

    yes, even the RFC states https-only

  26. moparisthebest

    Daniel, merge plz ^ :D

  27. Zash

    Wait what

  28. Sam

    I'd be very curious how many of the servers being tested are actually doing that

  29. Link Mauve

    Let’s see how many drop afterwards.

  30. Link Mauve

    I’d be interested to know why this check fails on JabberFR, despite our web clients working properly.

  31. moparisthebest

    are they using _xmppconnect ? :/

  32. Link Mauve

    A web client can’t.

  33. moparisthebest

    https://github.com/xmppjs/xmpp.js/issues/933 begs to differ

  34. Link Mauve

    Wat, how?

  35. moparisthebest

    tigase's web client does too, and https://github.com/poVoq/converse_wp/issues/2

  36. Zash

    node.js ?

  37. Link Mauve

    Ah yeah, that’s for node.

  38. Zash

    or DoH?

  39. Link Mauve

    You had me worried for a minute.

  40. Link Mauve

    moparisthebest, that’s PHP, also irrelevant.

  41. moparisthebest

    well, my point is a web client can have a server-side component do DNS lookups for them, and that's a thing that happens

  42. moparisthebest

    don't know if *your* web client does, but...

  43. Link Mauve

    Why would you do such a thing? D:

  44. moparisthebest

    cross-domain problems ?

  45. moparisthebest

    though I guess those would usually forbid the websocket too so, idk

  46. Zash

    aaaaaaaactually, websockets are backwards so they work by default

  47. Zash

    because CORS wasn't complicated enough

  48. moparisthebest

    ah ok, makes sense

  49. moparisthebest crawls back in my non-web hole

  50. Sam

    huh, I don't know if this code was ever working. The URLs it checks for the host meta stuff don't appear to have a scheme.

  51. moparisthebest

    Sam, I still never figured out why I couldn't find the string "xmppconnect" in your mellium codebase, then I gave up :D

  52. Sam

    Yah, that too. I swear I'd tested this with the host-meta stuff at least though. Oh well, no idea, it all needs to be rewritten probably.

  53. Sam

    I did a big refactor of this a while back, maybe I broke it then.

  54. moparisthebest

    speaking of, I ended up writing those full integration tests we talked of a few weeks back https://github.com/moparisthebest/xmpp-proxy/tree/master/integration

  55. moparisthebest

    each folder has configs for bind9, a few prosody's, and a few xmpp-proxy's, and the bash script starts a podman network and all the containers and runs scansion through them, works surprisingly well

  56. Sam

    oh nice, I'll have to look through this. One of the problems with this websocket package is that, even though it has integration tests, I can't do anything with DNS so maybe this is something I should have looked into doing

  57. moparisthebest

    yep, when all your code relies on DNS and certificate validation it's really hard to write helpful unit tests, this gave me some confidence to change things :)

  58. moparisthebest

    guess I'll be adding a few nginx's now for serving host-meta....

  59. Link Mauve

    Andrzej, I just received a “401 - auth: You must authorize session first.” from your in-room JID, were you doing anything special?

  60. Sam

    moparisthebest: for spinning up something fast I'm a big fan of "python -m http.server", although I have no idea if you can do TLS with it.

  61. moparisthebest

    I'll probably still use nginx because of "the beast you know" thing :)

  62. Sam

    Actually, looking at my code I don't think I even need to do integration tests. It's not strictly a unit test, but I might as well just spin up the http server in process (i.e. with Go's net/http) and then just do the lookup against localhost and see if it connects, then see if it tries to connect to the "xmpp server" that's just a tcp listener on a different port that I threw in the fake host meta file.