-
singpolyma
Is Egypt known to block XMPP? While my dad was there lots of stuff seemed blocked on web and xmpp didn't work, and I see they at least used to block signal
-
manday
Why does an XMPP server need a DNS resolver? I'm wondering because 85% of the dependencies of prosody are perl packages to build libunbound; does prosody really need that?
-
Zash
XMPP uses SRV records extensively, which isn't always supported by OS native APIs. Prosody also wants async and DNSSEC support.
-
manday
Thanks Zash
-
MattJ
It's worth pointing out that libunbound is optional (but our "internal" implementation may be less robust and does not support DNSSEC), and that you seem to be talking about build-time dependencies of a dependency, perl is not a direct or indirect runtime dependency of Prosody
-
Zash
We also need all these from Lua, which Prosody is written in. Prior to writing a Lua binding to libunbound, the available options were basically zero unless we'd drop some requirements.
-
MattJ
IIRC the openssl build system also depends on perl and is much worse :)
-
manday
of course yes. in any event as far as dependencies go I'm just pissed at perl (again) for pulling in what looks like an entire webserver suite for its XML-Parser package alone... I totally agree that libunbound looks correct as a dep of prosody!
-
Zash
Building Prosody requires building a C compiler, which requires a C compiler ;)
-
MSavoritias fae.ve
or you bootstrap the whole thing with guix and then it's scheme all the way down :P
-
MSavoritias fae.ve
that is how prosody is built on guix i bet
-
manday
naive q, is dnssec actually important for normal use?
-
Menel
No
-
Menel
Basically everything will work without support too.
-
manday
isn't authenticity guaranteed if a server can sign its traffic with the correct domain name?
-
Menel
It is authenticated with valid certificates. DANE is currently only a dream for something better.
-
Zash
DNSSEC is important for my continued motivation
-
manday
huh on I'll read up on DANE ty
-
singpolyma
manday: it really depends what you're doing and what your threat model is
-
singpolyma
There are several reasons why dnssec might be important. but indeed just like TLS it is not essential for basic operation
-
MSavoritias fae.ve
i mean isn't TLS basically essential if you want to federate at all in the xmpp network?
-
MSavoritias fae.ve
theoretically it's not of course. xmpp can be completely unencrypted
-
Zash
TLS has been mandatory since 2014
-
singpolyma
MSavoritias fae.ve: most servers require it these days yes. But depending how old you are one might consider this recent
-
MSavoritias fae.ve
heh fair
-
singpolyma
So yes mandatory DANE checking for s2s is "a dream" but in the way that mandatory TLS was in 2006
-
Zash
Just like with TLS pre-2014, you can enable DANE and it'll work with anyone who set it up. (Read: me, singpolyma, and maybe 5 others)
-
singpolyma
83 hosts at least according to certwatch
-
Zash
Neat
-
manday
but tls alone *should* be enough to protect against mitm, right?
-
manday
dnssec is not needed for that
-
singpolyma
No, because you need to know the certificate is valid somehow
-
Menel
If the attacker can forge the dns you get, then they can mitm it.
-
singpolyma
See eg jabber.ru mitm incident
-
manday
But isn't the TLS certificate signed by the parent CA?
-
Menel
If the attacker has control over the dns, then they can mitm it. https://notes.valdikss.org.ru/jabber.ru-mitm/
-
manday
So you know that the server you are talking to really *is* certified to be server XYZ?
-
Menel
https://notes.valdikss.org.ru/jabber.ru-mitm/ The attacker got valid letsencrypt certs by controlling the ip. See the small abbr on top.
-
Menel
_generally_ valid certs are quite good yes.
-
Menel
_often_ good enough
-
singpolyma
The CA process these days is "do they sit in the path to the ip address advertised by dns?" So any mitm can get a valid cert
-
singpolyma
Sorry, any mitm of the server. Not an mitm of your client
-
singpolyma
So the CA system as used protects one half of the attack surface
-
Zash
Fun fact: The rules for CAs are made by the CAs and the web browser vendors. _We_ here, or email, or other TLS stakeholders have very little say.
-
singpolyma
(modulo old cas which do things by hand and may be social engineered)
-
manday
Hm okay, how disappointing
-
manday
Didn't know that's the way things are
-
Zash
The 'HTTP-01' ACME challenge method looks a lot like trust-on-first-use, recorded in a file and signed by the CA
-
singpolyma
It's probably an improvement in how they used to be, where it was always done manually and could be social engineered
-
singpolyma
Now it's almost always automated
-
Zash
CAs use DNS before they give you a certificate. DNSSEC can help secure some bits there, which is nice.
-
singpolyma
There's a whole bunch of possible mitigations, but for many things and especially for xmpp s2s specifically, DANE is the gold standard
-
Zash
E.g. when they fetch TXT or CAA records
-
manday
Zash I'm still trying to wrap my head around the unbound dependency of prosody (and the lua bindings). Why is it that prosody itself has to be concerned with DNSSEC? I've read that normally to use DNSSEC you have the program just use normal DNS lookup to a local, secure DNS server (like unbound; I guess) - why is it not done that way in prosody?
-
Arne-Brün
> Is Egypt known to block XMPP? While my dad was there lots of stuff seemed blocked on web and xmpp didn't work, and I see they at least used to block signal
Did you see I added a setting to enforce DANE connections in monocles chat singpolyma ?
-
manday
(i.e. anyone wanting to assert authenticity of DNS will use a regular DNS lookup, e.g. libc, and the system admin will guarantee that the result is secured by running a DNSSEC server locally)
-
moparisthebest
> Is Egypt known to block XMPP? While my dad was there lots of stuff seemed blocked on web and xmpp didn't work, and I see they at least used to block signal
singpolyma: does the XMPP server support direct TLS on port 443
-
moparisthebest
manday: this might help https://wiki.xmpp.org/web/The_Knight
-
moparisthebest
Yes all systems should hopefully be set up to reject bad DNSSEC signed records, the problem for prosody or anything using Dane comes from the fact that without special DNS tools you can't tell the difference between "valid because it's signed with DNSSEC" vs "valid because DNSSEC isn't enabled on the domain"
-
manday
uhm... wouldn't the (local) resolver figure out the difference?
-
manday
I don't understand what prosody can possibly achieve by meddling with DNSSEC directly (and thereby accepting or rejecting) than just let the local DNS server accept or reject as is right
-
manday
(i can't say I've grasped DNSSEC I admit, as I just learned TLS can't be trusted because certs are being given away to malicious parties, how does the same not apply to breaking the chain of trust in DNSSEC, ... meh)
-
moparisthebest
> uhm... wouldn't the (local) resolver figure out the difference?
manday: yes, but prosody needs to know the difference because it affects how TLS certificates are authenticated (read the wiki I linked and ask if you need more clarification)
-
manday
I actually read the story of the knight but what you refer to must have eluded me, I'll read more carefully again ;)
-
manday
in effect though, I deduce from your statement that libc's resolver is unfit for DNSSEC and needs a better API... (?)
-
Zash
> Zash I'm still trying to wrap my head around the unbound dependency of prosody (and the lua bindings). Why is it that prosody itself has to be concerned with DNSSEC? I've read that normally to use DNSSEC you have the program just use normal DNS lookup to a local, secure DNS server (like unbound; I guess) - why is it not done that way in prosody?
By validating in the process itself there's no room for anything in between to flip the single bit that says an answer is secure.
-
Zash
manday, and the primary reason is to have async DNS support that supports SRV records. By using libunbound, we can concentrate on developing an XMPP server instead of having to also develop a stub DNS resolver (which you can still use if you don't want to use libunbound)
-
moparisthebest
> in effect though, I deduce from your statement that libc's resolver is unfit for DNSSEC and needs a better API... (?)
manday: I mean... Yes? Or no depending on if your application cares. In TLS using applications, DNSSEC status changes the way TLS is validated, so those need them; for ssh/ping the current API is fine
-
manday
so basically some minimal info would have to be added to addrinfo in https://man7.org/linux/man-pages/man3/getaddrinfo.3.html to make libc sufficient? is there a pr for that?
-
Zash
Does it support SRV records? Does it support async queries?
-
Zash
Those are the hard requirements.
-
manday
no Zash, your points notwithstanding
-
Zash
DNSSEC is a nice-to-have
-
manday
asynch however I don't see the problem, that's something an app can do and wouldn't require an entire resolver builtin
-
moparisthebest
It's ok all apps will have their own DNS resolver soon because https mandates it now
-
moparisthebest
http3 specifically
-
manday
💯
-
MSavoritias fae.ve
also everybody uses browsers or browser containers now which also have their own resolvers pretty much
-
MSavoritias fae.ve
libc things are obsolete for a while
-
moparisthebest
Browsers have had their own for... Probably a decade at least
-
MSavoritias fae.ve
yep
-
singpolyma
>> Is Egypt known to block XMPP? While my dad was there lots of stuff seemed blocked on web and xmpp didn't work, and I see they at least used to block signal
> Did you see I added a setting to enforce DANE connections in monocles chat singpolyma ?
Arne-Brün: that's great! I have it on my list to add such an option soon as well
-
manday
none of them dep on unbound though so i didn't notice
-
singpolyma
> Yes all systems should hopefully be set up to reject bad DNSSEC signed records, the problem for prosody or anything using Dane comes from the fact that without special DNS tools you can't tell the difference between "valid because it's signed with DNSSEC" vs "valid because DNSSEC isn't enabled on the domain"
Well, you can if you trust the resolver (eg it is in localhost) by checking the ad flag
-
moparisthebest
>> Yes all systems should hopefully be set up to reject bad DNSSEC signed records, the problem for prosody or anything using Dane comes from the fact that without special DNS tools you can't tell the difference between "valid because it's signed with DNSSEC" vs "valid because DNSSEC isn't enabled on the domain"
> Well, you can if you trust the resolver (eg it is in localhost) by checking the ad flag
Which you need special support for, getaddrinfo isn't enough, and we are back at square 1
-
singpolyma
Oh sure, getaddrinfo doesn't return the flags AFAIK
-
moparisthebest
>> Is Egypt known to block XMPP? While my dad was there lots of stuff seemed blocked on web and xmpp didn't work, and I see they at least used to block signal
> singpolyma: does the XMPP server support direct TLS on port 443
singpolyma: so?
-
manday
i mean it's prolly a good thing that we are moving away from libc resolver - a chance for one kitchen sink fewer in libc, right?
-
singpolyma
moparisthebest: since they were blocking most 443 traffic as well I'm not sure that would have helped. But definitely not relevant to my question
-
moparisthebest
singpolyma: I think it is relevant? I'm wondering if they were blocking/filtering TLS on port 443 or not, and if so, in what way?
-
moparisthebest
"are they blocking XMPP" isn't that helpful "how are they blocking XMPP" is what we need to know for how to work around
-
singpolyma
Need to know if there's anything to work around first though
-
moparisthebest
sure
-
moparisthebest
But knowing that the server supported TLS on 443, if the client still couldn't connect, would indicate either srv is blocked or they are filtering TLS on 443
-
singpolyma
Well we know they're not filtering *all* TLS on 443 at least since any (but not all) webpages work
-
dwd
> I actually read the story of the knight but what you refer to must have eluded me, I'll read more carefully again ;)
Ah, the Knight is still around. Poor chap. You may prefer RFC 6125, but the short version is that DNSSEC allows us to gather more than one domain name to match against the Subject of the certificate (either by Subject CommonName, or better, by an explicit SAN). Additionally, we can look up TLSA records, use DANE, and potentially ignore bits of PKIX, potentially even all of it.
-
Zash
One of these days, RFC 7250
-
moparisthebest
The sad irony is DNSSEC lets us validate a cert against more than one domain, but SNI only allows us to ask for a cert matching 1 domain, so... gotta guess or try multiple times 😱
-
moparisthebest
dwd: for the record I always thought the knight story was perfect and frankly the best way I've ever seen this mess explained to date <3
-
singpolyma
> The sad irony is DNSSEC lets us validate a cert against more than one domain, but SNI only allows us to ask for a cert matching 1 domain, so... gotta guess or try multiple times 😱
Luckily in practice we always know exactly what domain is in the jid anyway
-
dwd
> The sad irony is DNSSEC lets us validate a cert against more than one domain, but SNI only allows us to ask for a cert matching 1 domain, so... gotta guess or try multiple times 😱
SNI also only says what domain the client wants, not what domain the server should expect. Some of Metre's use cases are quite tricky due to that on '368
-
singpolyma
Once you use DANE SNI becomes borderline meaningless anyway since your certs don't need to have any particular names in them.
-
Zash
and with RFC 7250 you don't even need the certificate container!
-
singpolyma
https://mov.im/stickers/miho/e599dca3de182a821ef2e92234fb2bfca04a325e.png
-
moparisthebest
> Once you use DANE SNI becomes borderline meaningless anyway since your certs don't need to have any particular names in them.
Only if all your clients support Dane though, in the meantime you have to hand them the cert they ask for with sni
-
singpolyma
I'm not usually thinking of clients when I talk about certs, but sure either way we support pkix fallback yes. And SNI works the same there as it always did
-
Zash
I enjoyed reading these words: https://lobste.rs/s/ymxynk/calling_time_on_dnssec#c_hfqngl
-
singpolyma
I liked that comment but also enjoyed that they misremembered the name as xmpp.ru
-
moparisthebest
> I'm not usually thinking of clients when I talk about certs, but sure either way we support pkix fallback yes. And SNI works the same there as it always did
singpolyma: no it can't, say with DNSSEC you will accept a cert for bob.com or srv1.xmpphost.net, you have to ask for one with SNI and you don't know which they have, if you ask for bob.com and they send you a cert only valid for alice.com you really have to ask again using srv1.xmpphost.net because they might have that instead
-
singpolyma
With dnssec+DANE I will accept for *any* name not just those two
-
Zash
Accepting any name and asking for a particular name with SNI are separate things
-
singpolyma
Right. So ask for the correct name (bob.com) and that's it. I'm not going to enumerate every possible name just because I accept them all
-
moparisthebest
Ok so take what I said above, and replace "they send you a cert only valid for alice.com" with "they send you a cert whose key doesn't match what DANE says", it's the same problem, you still have to ask up to twice
-
moparisthebest
You have to
-
moparisthebest
You don't know how the server was configured
-
singpolyma
No I don't. And anyone who does is doing it wrong
-
singpolyma
Ask for bob.com
-
singpolyma
If the server doesn't give you the right cert the server is broken
-
Zash
The SRV target scenario doesn't happen because that wouldn't work with legacy PKIX clients
-
singpolyma
Exactly
-
singpolyma
We're only using SNI for fallback
-
singpolyma
So use what works with the fallback case
-
Zash
So no hosting delegation
-
singpolyma
Not in a pkix world no
-
singpolyma
In a Dane only world sure, it'll just work
-
Zash
singpolyma, have you been following the dance wg (client-dane) btw? I'm subscribed to the mailing list but haven't had the energy to do anything but read
-
singpolyma
No. Some new disaster we need to watch out for?
-
Zash
Not sure if any of the now discussed problems were in scope
-
singpolyma
My main concern is s2s since clients we could do by tofu or all kinds of other stuff if we really had to
-
Zash
Nah, because DANE only authenticates the server side, DANCE is about authenticating clients, I was under the impression this included server "clients" in order to bring non-hacky mutual authentication.
-
singpolyma
Instead of the check-back thing you do now?
-
singpolyma
That could be nice if it turns out good
-
singpolyma
Though check-back seems fine
-
singpolyma
Who are they even working on it for? What protocol has use for this?
-
Zash
Too sleepy to go check now, only bit I remember is a location for a single set of TLSA records so you don't have to go chase SRV first
-
Zash
But there was also stuff for IoT clients.
-
Zash
Might have been some TLS extension, unless I misremember, which could be useful in a decade when openssl might have support for it
-
Zash
If the connecting party could just include its own signed DNSSEC chain in the handshake to authenticate its own ~client certificate~ public key, It Would Be Nice
-
singpolyma
So long as people don't have to go change all their dns records again, I'm in
-
Zash
You could go add `_xmpp-server.example.com IN CNAME _5269._tcp.example.com` for a tiny speed boost with some Prosody trunk
-
Zash
or add that name to your TLSA automation
-
moparisthebest
singpolyma: Sounds like you are saying servers and clients have to do 1 thing in a CA world (current world) and a totally different thing in a DANE world, with no way to migrate between the two then?
-
singpolyma
moparisthebest: no. I'm saying it's exactly the same for both
-
singpolyma
Unless they want to do something Dane can do that pkix can't do
-
Zash
It'd be nice if there was a DANE-SNI TLS extension for saying "Hey I know DANE and I expect you to show me some credential matching this [TLSA record OR hostname]"
-
moparisthebest
singpolyma: Could you name one server that you can configure to serve multiple certs with SNI where you can configure it to hand out the cert only valid for srv1.xmpphost.com when SNI contains bob.com ? I'm not aware of any
-
singpolyma
Oh indeed. Sending SNI of a cert hash or something would be Neat but not useful in a dual with pkix world
-
singpolyma
moparisthebest: yes. Prosody
-
singpolyma
I mean, don't do that it's silly. But you can easily
-
moparisthebest
How? I'm 90% sure you can't
-
Zash
If you specify certs manually like nobody should anymore, you can make it send any certificates you want at any time.
-
singpolyma
Yup
-
singpolyma
Which is all I ever do anyway since it's easier on my brain than copying all certs into prosody's magic store thing
-
Zash
You may need a recent Prosody for SNI stuff to be non-automatic tho
-
Zash
singpolyma, if you spent a decade watching everyone use the manual settings to shoot themselves in the foot, because they read a guide written by someone who shot themselves in the foot without noticing, you'd appreciate the magic too
-
singpolyma
Zash: i believe you. I have to config certs for all my other services anyway and my certs all live in a single folder already because that's where my acme puts them, so it just makes sense to me to config them in the server config like anything else. I appreciate that the feature is useful to others and that's fine
-
Zash
If it works for you (and you don't have holes in your feet) then carry on :)
- singpolyma checks feet for holes