this is roughly going to be my proposal for either extending XEP-0156 or making a new XEP, it supports secure delegation without DNSSEC, pinning public keys, encrypted-client-hello, additional connection methods like QUIC etc, the advice would be to grab this host-meta file first and if any of these methods exist (or a flag or something) to never do SRV/POSH/etc, thoughts/feedback/hate welcome:
https://github.com/moparisthebest/xmpp-proxy/blob/master/contrib/host-meta/xep-0156-proposed.json
MattJ
moparisthebest: looks good! My initial comments would be: I think a TTL would be better than "expires" - most people will not be dynamically generating these as they are served, and a TTL allows more reasonable caching without additional work.
MattJ
Also I'm unsure about allowing arbitrary ALPN strings here. I'd lean towards keeping those out of it and just making clear which of the standard strings should be used.
jonas’
+1 for ttl
Link Mauve
moparisthebest, do you plan on forking RFC6415 as well?
Link Mauve
Because while these extensions could be added to XRD just fine by using different namespaces, JRD doesn’t define extensibility at all.
mjk
> thoughts/feedback/hate welcome
I hate JSON.
Also, can my OCD suggest changing "ips" to "addrs" or something? If that's not in some spec already
Zash
I hate JSON _and_ HTTPS and *especially* the movement towards everything being HTTPS and JSON
MattJ
Zash, you could suggest putting this all in DNS instead, to which we can remind you that DNS is over HTTP these days ;)
mjk
Lesser of the evils, I guess? The alternative is no nice things, aiui
mjk
(Until dnssec becomes a thing)
Zash
I have DNSSEC. Your argument is invalid!
Zash
I also have a local recursive resolver, no HTTPS involved!!
Holger
Zash, you're just ahead of time, in 20 years everyone will hate it "I'd use Matrix just fine BUT WTF JSON?!".
Zash
That's the same as being 20 years behind? Dang time loops!
mjk
:)
mjk
_It's all happened before_
Holger
That's how IT works, no? "WTF STARTTLS?! Direct TLS on 5223 is the thing!"
Zash
All this has happened before. All of it will happen again, and again, and again
emus
> Holger wrote:
> That's how IT works, no? "WTF STARTTLS?! Direct TLS on 5223 is the thing!"
I would like to laugh but I lack the knowledge 😅
Zash
Holger: Can't wait for "WTF TCP? Encrypted IP is the thing!"
Zash
Unfortunately I fear between here and there it'll be 20 layers of protocols
emus
🙁
mjk
Yea, encrypted IP over json over http/4 over udp
Zash
and http/4 will be over http/3 over quic over tls 1.3 over tls 1.2 over udp over ....
mjk
It's all over
mjk
all the way down
mjk
emus: I think people used to hate on direct TLS before, just don't really recall why
mjk
Additional ports required? Routing is complicated?
southerntofu
can't wait for CJDNS over XMPP over DNS over HTTPS i guess
Zash
Additional ports or IPs required unless you implement SNI
Zash
SNI moves concepts around in the stack in an uncomfortable way
mjk
Ah, right, there once wasn't sni
Zash
And then ALPN makes it worse
Zash
In Prosody, this meant code that previously only needed to care about connections on ports now needs to know about application level concepts like virtualhosts
mjk
But then mobile became a thing and suddenly everyone needs to connect over port 443 because stupid firewalls
Zash
That's not mobile
mjk
Web?
Zash
Yes. Because of web. That's why we can't have nice things!
mjk
The full circle
Zash
And because corporate firewalls blocking everything else for silly reasons, and people wanting to evade their corporate policies.
Zash
So now the port number has moved into TLS, and became an array of strings handled by OpenSSL. How does _that_ make you feel?
southerntofu
so how about building community networks to answer some of these needs?
mjk
Ironically, certain state-level firewalls started blocking quic over 443 and _only_ 443
southerntofu
Zash, i was doing SSLH some time ago... i much prefer having that standardized than relying on weird parsing rules :D
Zash
If only we could have had a sane routable IPsec-ish thing.
southerntofu
though to be fair i would much prefer a secure DNS (GNS maybe?) and/or crypto-secure routing (CJDNS/Tor)
MattJ
southerntofu, the point is that sslh shouldn't be necessary
MattJ
Nor hacky parsing rules
southerntofu
thanks to ALPN or thanks to overzealous firewalls disappearing?
MattJ
I read your message as "I like ALPN because it makes multiplexing multiple protocols on a single port easier", but multiplexing is only a response to stupid firewalls
southerntofu
ah yes it just made my life easier i'm not saying it's a good solution, "community networks" sounds much saner to me than working around filtered networks :p
MattJ
Zash's point is that the port number used to serve the purpose that ALPN now is
southerntofu
fair
Zash
and if we wanted to secure that, putting the security between IP and TCP would have magic't everything, but we can't because middleboxxen
MattJ
Now we live in a world where we have wasted space in the IP packet because it will eventually be hard-coded to '443'
Zash
in the TCP*
Zash
IP doesn't have ports, only addresses
southerntofu
who needs 50k ports when you have many more IPv6 on every ISP-provided subnets? /s
Zash
YES, One IPv6 address per application!
Kev
Wouldn't it be better to always use just one hostname/IP, and to include what host and service you want in the TLS negotiation? You can do away with DNS completely that way, and we don't need to get DNSSEC universally deployed.
Kev
So you always just connect to https://8.8.8.8 and you're done.
southerntofu
isn't that what SNI is about?
MattJ
Hello Cloudflare
jonas’
Hello Matt
jonas’
oh, we're not in the erlang movie? sorry.
mjk
> So now the port number has moved into TLS, and became an array of strings handled by OpenSSL. How does _that_ make you feel?
It makes me sad... that I miss all the fun by not developing server software :p
mathieui
mjk: it is never too late
mjk
I dipped my toe once, actually. Though the effort back then was spent not on multiplexing services on one addr:port but on figuring out why a sync filesystem operation in an async callback deadlocked my server 🙄
southerntofu
deadlocks are teh worst kind of locks
mjk
lol
southerntofu
doorlock? just pwn it in case of need. deadlock? you're screwed
southerntofu
i'd much rather drill through doorlocks than debug deadlocks thank you very much :D
mjk
true
mjk
the culprit turned out to be ~windows~ an alpha-quality library
southerntofu always happy to point the finger at windows, trying to hide all those NFS/SSHFS deadlocks under the carpet
mjk
aren't we all
southerntofu
(seriously though why are networked filesystems so bad? SFTP/SCP works fine but NFS/SSHFS using a desktop environment is teh worst when there's bad network conditions)
Link Mauve
southerntofu, this probably comes from the Unix abstraction of files, which defaults to blocking reads.
mjk
...and doing filesystem in the ui thread
Link Mauve
If the file system layer isn’t able to provide the data requested by the process, it will block the read() syscall.
southerntofu
soooo just try to get "random people" using network shares when it will freeze or otherwise hinder their file browsing experience
southerntofu
(last time i tried i learnt that it's perfectly reasonable for nautilus to become unresponsive even to SIGKILL when a networked file system has entered a weird state)
southerntofu
(i mean i find that curious but the non-technical user was (understandably) more than frustrated)
mjk
at least cifs driver has the option to error out instead of blocking on network problems :)
Link Mauve
Yes, being blocked in a syscall means the process won’t ever get scheduled, and thus can’t react to signals.
southerntofu
and won't ever return to life even when the network interruption was just a few seconds... great state of things! /s :D
Link Mauve
No, if the fs obtains the data, it should resume and finish the syscall.
southerntofu
that's a big "if" apparently...
Link Mauve
southerntofu, the issue here is applications’ assumption that reading a file will finish in reasonable time, and thus can avoid async by using blocking syscalls.
southerntofu
"should" <-- yes and we should have peace and prosperity for all on this planet, but well..
Link Mauve
southerntofu, if you encounter an issue in a driver, please file a bug against it.
Link Mauve
Same for any other piece of software really. :)
southerntofu
i sure try! but i'm not always ready to spend hours trying to debug something, especially when it's not on my machine :P
mjk
and we all lived on topic ever after...
Link Mauve
Oops, sorry!
southerntofu
my bad
mjk
or my, we'll never know!
southerntofu
let's go back to extremely straightforward federation or whatever XSF stands for ;)
moparisthebest
thanks for the feedback all, let me see if I can address it:
1. MattJ, jonas’ , I agree expires is strange, I didn't add that though, that's in the RFC, seems reasonable to add an xmpp-specific TTL to be used instead though...1
2. MattJ , https-svc has arbitrary alpn strings... I agree it's a bit strange in the context of xmpp because we are already saying it's directtls or quic outside of that, hmmmmm
3. Link Mauve , I mean xep-0156 "extended" the json format without forking RFC6415, seems fine to me?
4. mjk , Zash , well the alternative is https-svc DNS records, except they can only be used for https so we'd have to fork our own that then would never get widespread deployment enough to use them and also lack of DNSSEC, fwiw this makes me sad too
if I missed something please bring it up again...
Link Mauve
moparisthebest, XEP-0156 as it currently is doesn’t extend the RFC, it just describes two @rel values to mean BOSH and WebSocket endpoints respectively.
moparisthebest
Link Mauve, RFC6415 says these two things about JRD:
> as extensibility is beyond the scope of this specification.
> The conversion of any other element is left undefined.
I don't interpret either one of those as "you can't add anything" do you?
Link Mauve
moparisthebest, given JSON has no concept of namespaces, I would be extremely wary of conflicts here.
moparisthebest
I don't think I care, why would anyone be trying to process a rel="..." it didn't understand ?
moparisthebest
every json deserializer I've seen explicitly ignores unknown fields for this reason right?
Link Mauve
Do they now?
moparisthebest
serde_json does
moparisthebest
fun fact, the XML in RFC6415 is actually invalid per the XSD, go ahead and try to validate it https://code.moparisthebest.com/moparisthebest/xmpp-proxy/src/branch/master/contrib/host-meta
moparisthebest
(could use github.com instead but it's down right now LOL)
Link Mauve
You should poke people to create an errata.
arc
But isn't it more fun to leave it as it is?
moparisthebest
it's like an easter egg!
arc
If you find it, you win a prize!
Guus
I believe that Dave has encoded various invitations for drinks in XEPs.
arc
That is a great rumor to spread
arc
People might actually read them!
arc
Meeting time, who's here?
ralphm
Based in fact, I'm sure.
ralphm bangs gavel
ralphm
0. Welcome!
ralphm
Who do we have
arc
Here
ralphm
For some reason you feel closer this week :D
jcbrand
Hi
arc
It's 10:00 a.m. this week, so I am more awake
ralphm
Nice
ralphm
Any items for today?
arc
Not that I'm aware of
ralphm
The only thing that was raised to me was a message from emus about GSoC financials, but I don't think Board has to be involved and that he can do this directly with Peter.
MattJ
o/
arc
I agree
ralphm
hey MattJ, you got anything?
MattJ
I don't think so, no
ralphm
Easy peasy.
MattJ
(I mean, only covid... :) )
ralphm
Ow. Be well, sir!
ralphm
1. Date of Next
ralphm
+1W
ralphm
2. Close
ralphm
Thanks all!
MattJ
wfm, thanks!
ralphm bangs gavel
ralphm
As you were!
arc
Hey so does daylight savings happen in Europe next week?
mjk
> thanks for the feedback all, let me see if I can address it:
> 1. MattJ, jonas’ , I agree expires is strange, I didn't add that though, that's in the RFC, seems reasonable to add an xmpp-specific TTL to be used instead though...1
> 2. MattJ , https-svc has arbitrary alpn strings... I agree it's a bit strange in the context of xmpp because we are already saying it's directtls or quic outside of that, hmmmmm
> 3. Link Mauve , I mean xep-0156 "extended" the json format without forking RFC6415, seems fine to me?
> 4. mjk , Zash , well the alternative is https-svc DNS records, except they can only be used for https so we'd have to fork our own that then would never get widespread deployment enough to use them and also lack of DNSSEC, fwiw t
> if I missed something please bring it up again...
That should be clearly mentioned at the end of the meeting, if we're adjusting meeting time relative to UTC
mjk
moparisthebest:
> if I missed something please bring it up again...
The "ips" field! It lists IP addresses, not internet protocols! "addr(esse)s" plz :)
arc
Google calendar says time remains the same for next week
moparisthebest
mjk: ah sorry thanks, https-svc has these too but calls them "ip4hint" and "ip6hint" ...
mjk
Hmm
MattJ
I always find "address" to be ambiguous - does it accept an IP address, hostname? or both?
MattJ
We have a few of those "slots" in XEPs
emus
> ralphm wrote:
> The only thing that was raised to me was a message from emus about GSoC financials, but I don't think Board has to be involved and that he can do this directly with Peter.
I was still not able to find a working contact.
That's a general issue with IDs in the wiki. foreigners seem to be blocked
ralphm
arc: indeed, DST change in Europe is on March 27 this year.
emus
Maybe someone can send him a message and ask him to contact me
ralphm
I sent you his e-mail address
moparisthebest
mjk, https://www.ietf.org/archive/id/draft-ietf-dnsop-svcb-https-08.html#section-7.4 sorry it's "ipv4hint" and "ipv6hint"
moparisthebest
is there a reason to differentiate between v4 and v6 ? I'm wildly guessing they do in DNS because everything is binary and with a defined length, in json seems like you could just look at them
emus
ralphm: thx
mjk
> in json seems like you could just look at them
Yeah, the mixed bag seemed fine to me as is
mjk
MattJ:
> I always find "address" to be ambiguous - does it accept an IP address, hostname? or both?
To me, addresses, if referring to hostnames, are more of a user-facing term, whereas addresses at protocol level seem unambiguously referring to numeric things. But maybe just me ¯\_(ツ)_/¯
mjk
Anyway, "iphints" sounds more-or-less fine to me too :)
moparisthebest
Https-svc calls them hints because you might look up the domain name otherwise later and I'm explicitly not supporting that
moparisthebest
Here it's "you should connect directly to these IPs and nothing else"
moparisthebest
Maybe "ipdemands" hehe
mjk
"ipaddrs" it is, and sorry for all the bikeshedding
moparisthebest
"connectables"
moparisthebest
make no one happy... :)
mjk
"endpoints", if we were to be deliberately ambiguous, but sound modern and jsony!
qy
Say, mod_onions allows tor federation, but only for servers that enable it. Why not iterate that, and have a way to hop to a tor-enabled server and then on to the target?
qy
Because:
> Come to think of it (from talking to wgreenhouse about briar earlier), if you just package prosody with mod_onions, tor, and a client, you got a free p2p chat app
moparisthebest
MattJ, Zash how does that check incoming s2s? is https://hg.prosody.im/prosody-modules/file/824b0d7fa883/mod_onions/mod_onions.lua#l268 called? if so it's wrong :/
moparisthebest
qy, seamless secure federation between .onion servers and public net servers is an explicit near-future goal for xmpp-proxy, as well as documenting best practices for .onion federation which I don't think has been done before
qy
Neat
moparisthebest
both handling .onion JIDs and public servers with .onion endpoints in SRV or whatever, which... are subtly different
Sam
I've thought about writing an informational XEP about that a handful of times, but don't have enough experience with it. I'd love to see one written up.
moparisthebest
I don't know about anyone else but I can never work out the fine details until I write the code, so that has to come first for me :P
qy
I don't even know how this would theoretically work, but i'm sure it could
MattJ
moparisthebest, I've been assured by multiple people in the past that it's not wrong. But I've never used nor worked on that module.
moparisthebest
from what I've thought about so far, my plan is requiring all .onion domains to have a TLS certificate, *any* TLS certificate (ignore names, expiration date, everything), when connecting *to* one (as a client, or s2s-out), just accept it if you are connecting to a .onion
the tricky part is s2s *in*, where you get handed a cert and told an .onion is connected to you, my proposal there is to make an *outgoing* connection to the .onion, and trust the certificate only if the incoming one is exactly the same as the one you got making the outgoing connection
MattJ
Looks like it hasn't changed at all for years
moparisthebest
MattJ, that's fine for outgoing, but is it run for incoming?
moparisthebest
incoming as in sasl external authentication
MattJ
It would apply to both, unless there's a reason it doesn't
MattJ
Not a helpful statement, I know
moparisthebest
if so, that means anyone can connect to a prosody server with that loaded, present *any* certificate, claim to be from "bob.onion" and start spamming your users
MattJ
That's how it would read, yes
moparisthebest
you'd never get responses back I guess, unless you could trick it into bidi
mjk
Seems so, yes, unless there's some other check that the connection is coming from localhost
moparisthebest
that sounds like an awesome spam tool :D
moparisthebest
anyone have a public server with that loaded that wants to give me permission to poke at it ? :)
Zash
Hello, I just came by to say: You got it all wrong. Now back to watching comedy! Bye
mjk
> some other check that the connection is coming from localhost
Wait no, that's stupid too. With all the nginxes and sslhes
moparisthebest
well, good :)
qy
> moparisthebest wrote:
> from what I've thought about so far, my plan is requiring all .onion domains to have a TLS certificate, *any* TLS certificate (ignore names, expiration date, everything), when connecting *to* one (as a client, or s2s-out), just accept it if you are connecting to a .onion
> the tricky part is s2s *in*, where you get handed a cert and told an .onion is connected to you, my proposal there is to make an *outgoing* connection to the .onion, and trust the certificate only if the incoming one is exactly the same as the one you got making the outgoing connection
So really, just shifting from name-based routing to cryptokey routing
qy
> Zash wrote:
> Hello, I just came by to say: You got it all wrong. Now back to watching comedy! Bye
Thanks fermat
moparisthebest
qy, I mean it's still name-based, you just need TLS to validate incoming connections
moparisthebest
.onion only provides authenticity when you are connecting *to* it
qy
Right, yeah
mjk
If only Tor provided a virtual interface where incoming onion connections would be coming from something like 10.x.x.x, and the reverse lookup would yield the onion name...
qy
Why specifically TLS, though? Any asymmetric key would do, a TLS tunnel is superfluous over tor
qy
mjk: That is doable actually
qy
TRANSPort
moparisthebest
qy, "when you have a hammer everything looks like a nail"
mjk
qy: it is, just not the default conf
qy
Lol
moparisthebest
mjk, qy, tor doesn't even have a concept of "making an outgoing connection from a .onion domain" does it?
qy
Not as i'm aware
mjk
Hmm right
moparisthebest
another secure thing to do would be to do dialback over tor
moparisthebest
but... who wants to do that
mjk goes back to the drawing board
moparisthebest
I feel like the already documented "same cert" hack is the best+easiest, and works with anything that provides outgoing-authenticity, onionv2, onionv3, i2p, what else?
qy
In my mind anyway, the hard part is clearnet->onion routing. A fresh prosody knows nothing about remote servers that can marshal over to tor, until an incoming connection _from_ tor
qy
So without mod_onions you can't make that iteration
Sam
Was this for onion->onion S2S connections? I wonder if you could just use onion service client authorization and tell the XMPP server to use the same keypair as the service. You'd then validate that they match the descriptor of the onion service when you connect to it (or if you've already connected to it and it's dialing you back), no TLS certs involved?
moparisthebest
near-term xmpp-proxy will have a config box for you to put the socks5 server+port of your local tor daemon
moparisthebest
future xmpp-proxy will (optionally) bundle tor's new rust library and just handle it itself
moparisthebest
tor is being rewritten in rust with the explicit goal of being an easily embeddable library, it just isn't there yet
qy
Well that would simplify a lot, just shove tor into prosody :p
moparisthebest
"problem solved" :)
qy
_dusts hands_
mjk
Are there Rust libraries for generating Lua bindings? :3
moparisthebest
all bindings are C, you can generate C libraries from Rust, and use them from Lua
Link Mauve
mjk, yes, see the mlua crate for instance.
mjk
Can't rust expose 'extern "C"' functions?
moparisthebest
yes that's what I mean
mjk
Aha
mjk
Then I'm content
Zash
(So FTR: `return true` just means "validation has completed", but it doesn't record the certificate validation results, so they stay unknown and it'll probably go do Dialback)
Link Mauve
mlua is more pleasant to use than the C Lua API though.
moparisthebest
Zash, ah right!, no session.secure = true, thanks!
moparisthebest
so prosody mod_onions requires dialback then
Zash
Rather it's _not_ setting the certificate chain and identity validation properties like https://hg.prosody.im/trunk/file/0.12.0/plugins/mod_s2s_auth_certs.lua
mjk
> mlua is more pleasant to use than the C Lua API though.
Anything is more pleasant than keeping half the stack in your head..
MattJ
Pushed a comment to mod_onions, thanks Zash
MattJ
I know this isn't the first time you've explained it, but hopefully now it can be the last ;)
moparisthebest
haha thanks :) mini heart attack averted
emus
A new post on GSoC to promote our ideas again:
https://fosstodon.org/@xmpp/107974022090404224
https://twitter.com/xmpp/status/1504571740650934283