-
Guus
When reading https://xmpp.org/extensions/xep-0178.html#s2s I am surprised that there is no mention of Server1 validating the certificate of Server2. Am I misreading or misunderstanding things? RFC 6120 13.7.2 seems to suggest that this is a MUST.
-
Zash
Orthogonal from EXTERNAL I suppose
-
Guus
What do you mean?
-
Zash
EXTERNAL is about authenticating with a client certificate.
-
Zash
Uh, "server1" and "server2" is confusing.
-
Guus
Server1 is the initiator.
-
Zash
EXTERNAL implies server2 validates the client certificate sent by server1. The validation in the other direction is not part of EXTERNAL, so I guess it's left out here.
-
Zash
RFC 6120 wording on the matter still applies, right? MUST validate the certificate, but there's no negotiation involved. You're supposed to just abort the connection if it doesn't validate, although Prosody will send a stream error with the reason before it closes the connection.
-
Guus
Although it's not part of the SASL authentication bit, leaving out that validation probably makes it really easy to miss that, if someone is following a 'best practices' document.
-
Zash
True
-
Zash
What does 178 add over just reading the RFC?
-
Guus
"Best Practices" suggests that there are other approaches to doing SASL EXTERNAL?
-
Zash
Are there?
-
Guus
I made my last comment a question, as I am not sure if that's the case.
-
Zash
Is it not something of a relic from the times when Dialback was the only thing used?
-
ralphm
SASL EXTERNAL basically means: anything goes. If you can authenticate based on the phase of the moon, you could. XEP-0178 explains that you can use the TLS certificate as a means to derive authentication.
-
Zash
Well, sure, you could authenticate with "your IP address looks cool" à la SMTP and SPF
-
Zash
Guus, you don't happen to be interested in authoring an informational XEP on modern mutual authentication for s2s? :)
-
ralphm
Oh nice
-
Zash
(please don't actually implement SPF for XMPP)
-
Guus
Zash, indeed, I don't happen to be interested. :)
-
Zash
Aaaw
-
Zash
Something something Direct TLS, SASL EXTERNAL, mTLS, XEP-0288
-
singpolyma
SPF would work better for XMPP than it does for SMTP, since we don't do relaying or bouncing
-
singpolyma
But probably not a good idea still
-
Zash
One step down from Dialback?
-
singpolyma
Yeah
-
Zash
Note to self: Do not give bad ideas as examples, people keep deploying them.
-
singpolyma
Dialback can't really be beat
-
Zash
Because it works without certificates, in the horrible world where everything is behind seven layers of reverse proxies?
-
singpolyma
Because it's vulnerable only to BGP type spoofing (assuming DNSSEC obvz) and verifies bidirectional connectivity
-
singpolyma
I guess strictly speaking dialback+DANE would be even better
-
ralphm
:sob:
-
Zash
Can haz DANCE?