XSF Discussion - 2024-05-31


  1. singpolyma

    Is Egypt known to block XMPP? While my dad was there lots of stuff seemed blocked on web and xmpp didn't work, and I see they at least used to block signal

  2. manday

    Why does an XMPP server need a DNS resolver? I'm wondering because 85% of the dependencies of prosody are perl packages to build libunbound; does prosody really need that?

  3. Zash

    XMPP uses SRV records extensively, which isn't always supported by OS native APIs. Prosody also wants async and DNSSEC support.

  4. manday

    Thanks Zash

  5. MattJ

    It's worth pointing out that libunbound is optional (but our "internal" implementation may be less robust and does not support DNSSEC), and that you seem to be talking about build-time dependencies of a dependency, perl is not a direct or indirect runtime dependency of Prosody

  6. Zash

    We also need all these from Lua, which Prosody is written in. Prior to writing a Lua binding to libunbound, the available options were basically zero unless we'd drop some requirements.

  7. MattJ

    IIRC the openssl build system also depends on perl and is much worse :)

  8. manday

    of course yes. in any event as far as dependencies go I'm just pissed at perl (again) for pulling in what looks like an entire webserver suite for it's XML-Parser package alone... I totally agree that libunbound looks correct as a dep of prosody!

  9. Zash

    Building Prosody requires building a C compiler, which requires a C compiler ;)

  10. MSavoritias fae.ve

    or you bootstrap the whole thing with guix and then its scheme all the way down :P

  11. MSavoritias fae.ve

    that is how prosody is build on guix i bet

  12. manday

    naive q, is dnssec actually important for normal use?

  13. Menel

    No

  14. Menel

    Basically everything will work without support too.

  15. manday

    isnt authenticity guaranteed if a server can sign its traffic with the correct domaon name?

  16. Menel

    It is authenticated with valid certificates. DANE is currently only a dream for something better.

  17. Zash

    DNSSEC is important for my continued motivation

  18. manday

    huh on ill read up on dsne ty

  19. singpolyma

    manday: it really depends what you're doing and what your threat model is

  20. singpolyma

    There are several reasons why dnssec might be important. but indeed just like TLS it is not essential for basic operation

  21. MSavoritias fae.ve

    i mean isnt TLS basically essential if you want to federate at all in the xmpp network?

  22. MSavoritias fae.ve

    theoretically its not of course. xmpp can be completely unencrypted

  23. Zash

    TLS has been mandatory since 2014

  24. singpolyma

    MSavoritias fae.ve: most servers require it these days yes. But depending how old you are one might consider this recent

  25. MSavoritias fae.ve

    heh fair

  26. singpolyma

    So yes mandatory DANE checking for s2s is "a dream" but in the way that mandatory TLS was in 2006

  27. Zash

    Just like with TLS pre-2014, you can enable DANE and it'll work with anyone who set it up. (Read: me, singpolyma, and maybe 5 others 😁️)

  28. singpolyma

    83 hosts at least according to certwatch

  29. Zash

    Neat

  30. manday

    but tls alone *should* be enough to protect against mitm, right?

  31. manday

    dnssec is not needed for that

  32. singpolyma

    No, because you need to know the certificate is valid somehow

  33. Menel

    If the attacker can forge the dns you get, then they can mitm it.

  34. singpolyma

    See eg jabber.ru mitm incident

  35. manday

    But isn't the TLS certificate signed by the parent CA?

  36. Menel

    If the attacker has control over the dns, then they can mitm it. https://notes.valdikss.org.ru/jabber.ru-mitm/

  37. manday

    So you know that the server you are talking to really *is* certified to be server XYZ?

  38. Menel

    https://notes.valdikss.org.ru/jabber.ru-mitm/ The attacker got valid letsencrypt certs by controlling the ip See the small abbr on top

  39. Menel

    _generally_ valid certs are quite good yes.

  40. Menel

    _often_ good enough

  41. singpolyma

    The CA process these days is "do the sit in the path to the ip address advertised by dns?" So any mitm can get a valid cert

  42. singpolyma

    Sorry, any mitm if the server. Not an mitm of your client

  43. singpolyma

    Sorry, any mitm of the server. Not an mitm of your client

  44. singpolyma

    So the CA system as used protects one half of the attack surface

  45. Zash

    Fun fact: The rules for CAs are made by the CAs and the web browser vendors. _We_ here, or email, or other TLS stakeholders have very little say.

  46. singpolyma

    (modulo old cas which do things by hand and may be social engineered)

  47. manday

    Hm okay, how disappointing

  48. manday

    Didn't know that's the way things are

  49. Zash

    The 'HTTP-01' ACME challenge method looks a lot like trust-on-first-use, recorded in a file and signed by the CA

  50. singpolyma

    It's probably an improvement in how they used to be, where it was always done manually and could be social engineered

  51. singpolyma

    Now it's almost always automated

  52. Zash

    CAs use DNS before they give you a certificate. DNSSEC can help secure some bits there, which is nice.

  53. singpolyma

    There's a whole bunch of possible mitigations, but for many things and especially for xmpp s2s specifically, DANE is the gold standard

  54. Zash

    E.g. when they fetch TXT or CAA records

  55. manday

    Zash I'm still trying to wrap my head around the unbound dependency of prosody (and the lua bindings). Why is it that prosody itself has to be concerned with DNSSEC? I've read that normally to use DNSSEC you have the program just use normal DNS lookup to a local, secure DNS server (like unbound; I guess) - why is it not done that way in prosody?

  56. Arne-BrΓΌn

    > Is Egypt known to block XMPP? While my dad was there lots of stuff seemed blocked on web and xmpp didn't work, and I see they at least used to block signal Did you see I added a setting to enforce DANE connections in monocles chat singpolyma ?

  57. manday

    (i.e. anyone wanting to assert authenticity of DNS will use a regular DNS lookup, e.g. libc, and the system admin will guarantee that the result is secured by running a DNSSEC server locally)

  58. moparisthebest

    > Is Egypt known to block XMPP? While my dad was there lots of stuff seemed blocked on web and xmpp didn't work, and I see they at least used to block signal singpolyma: does the XMPP server support direct TLS on port 443

  59. moparisthebest

    manday: this might help https://wiki.xmpp.org/web/The_Knight

  60. moparisthebest

    Yes all systems should hopefully be set up to reject bad DNSSEC signed records, the problem for prosody or anything using Dane comes from the fact that without special DNS tools you can't tell the difference between "valid because it's signed with DNSSEC" vs "valid because DNSSEC isn't enabled on the domain"

  61. manday

    uhm... wouldn't the (local) resolver figure out the difference?

  62. manday

    I don't understand what prosody can possibly achieve by meddling with DNSSEC directly (and thereby accepting or rejecting) than just let the local DNS server accept or reject as is right

  63. manday

    (i can't say I've grasped DNSSEC I admit, as I just learned TLS can't be trusted because certs are being given away to malicious parties, how does the same not apply to breaking the chain of trust in DNSSEC, ... meh)

  64. moparisthebest

    > uhm... wouldn't the (local) resolver figure out the difference? manday: yes, but prosody needs to know the difference because it affects how TLS certificates are authenticated (read the wiki I linked and ask if you need more clarification)

  65. manday

    I actually read the story of the knight but what you refer to must have eluded me, I'll read more carefully again ;)

  66. manday

    in effect though, I deduce from your statement that libc's resolver is unfit for DNSSEC and needs a better API... (?)

  67. Zash

    > Zash I'm still trying to wrap my head around the unbound dependency of prosody (and the lua bindings). Why is it that prosody itself has to be concerned with DNSSEC? I've read that normally to use DNSSEC you have the program just use normal DNS lookup to a local, secure DNS server (like unbound; I guess) - why is it not done that way in prosody? By validating in the process itself there's no room for anything inbetween to flip the single bit that says an anwer is secure.

  68. Zash

    manday, and the primary reason is to have async DNS support that supports SRV records. By using libunbound, we can concentrate on developing an XMPP server instead of having to also develop a stub DNS resolver (which you can still use if you don't want to use libunbound)

  69. moparisthebest

    > in effect though, I deduce from your statement that libc's resolver is unfit for DNSSEC and needs a better API... (?) manday: I mean... Yes? Or no depending on if your application cares πŸ˜‚ in TLS using applications, DNSSEC status changes the way TLS is validated, so those need them for ssh/ping the current API is fine

  70. manday

    so basically some minimal info would have to be added to addrinfo in https://man7.org/linux/man-pages/man3/getaddrinfo.3.html to make libc sufficient? is there a pr for that?

  71. Zash

    Does it support SRV records? Does it support async queries?

  72. Zash

    Those are the hard requirements.

  73. manday

    no zach your points nonwithstandinf

  74. Zash

    DNSSEC is a nice-to-have

  75. manday

    asynch however i dont see the problem, thats something an app can do and wouldnt require an entire resolver builtin

  76. moparisthebest

    It's ok all apps will have their own DNS resolver soon because https mandates it now

  77. moparisthebest

    http3 specifically

  78. manday

    😯

  79. MSavoritias fae.ve

    also everybody uses browers or browser containers now which also have their own resolvers pretty much

  80. MSavoritias fae.ve

    libc things are obsolete for a while

  81. moparisthebest

    Browsers have had their own for... Probably a decade at least

  82. MSavoritias fae.ve

    yep

  83. singpolyma

    >> Is Egypt known to block XMPP? While my dad was there lots of stuff seemed blocked on web and xmpp didn't work, and I see they at least used to block signal > Did you see I added a setting to enforce DANE connections in monocles chat singpolyma ? Arne-BrΓΌn: that's great! I have it on my list to add such an option soon as well

  84. manday

    none of them dep on unbound though so i didnt notice πŸ˜‚

  85. singpolyma

    > Yes all systems should hopefully be set up to reject bad DNSSEC signed records, the problem for prosody or anything using Dane comes from the fact that without special DNS tools you can't tell the difference between "valid because it's signed with DNSSEC" vs "valid because DNSSEC isn't enabled on the domain" Well, you can if you trust the resolver (eg it is in localhost) by checking the ad flag

  86. moparisthebest

    >> Yes all systems should hopefully be set up to reject bad DNSSEC signed records, the problem for prosody or anything using Dane comes from the fact that without special DNS tools you can't tell the difference between "valid because it's signed with DNSSEC" vs "valid because DNSSEC isn't enabled on the domain" > Well, you can if you trust the resolver (eg it is in localhost) by checking the ad flag Which you need special support for, getaddrinfo isn't enough, and we are back at square 1 😁

  87. singpolyma

    Oh sure, getaddrinfo doesn't return the flags AFAIK

  88. moparisthebest

    >> Is Egypt known to block XMPP? While my dad was there lots of stuff seemed blocked on web and xmpp didn't work, and I see they at least used to block signal > singpolyma: does the XMPP server support direct TLS on port 443 singpolyma: so? 😁

  89. manday

    i mean it's prolly a good thing that we are moving away from libc resolver - a chance for one kitchen sink fewer in libc, right? πŸ™ƒ

  90. singpolyma

    moparisthebest: since they were blocking most 443 traffic as well I'm not sure that would have helped. But definitely not relevant to my question πŸ™‚

  91. moparisthebest

    singpolyma: I think it is relevant? I'm wondering if they were blocking/filtering TLS on port 443 or not, and if so, in what way?

  92. moparisthebest

    "are they blocking XMPP" isn't that helpful "how are they blocking XMPP" is what we need to know for how to work around

  93. singpolyma

    Need to know if there's anything to work around first though

  94. moparisthebest

    sure

  95. moparisthebest

    But knowing that the server supported TLS on 443, if the client still couldn't connect, would indicate either srv is blocked or they are filtering TLS on 443

  96. singpolyma

    Well we know they're not filtering *all* TLS on 443 at least since any (but not all) webpages work

  97. dwd

    > I actually read the story of the knight but what you refer to must have eluded me, I'll read more carefully again ;) Ah, the Knight is still around. Poor chap. You may prefer RFC 6125, but the short version is that DNSSEC allows us to gather more than one domain name to match against the Subject of the certificate (either by Subject CommonName, or better, by an explicit SAN). Additionally, we can look up TLSA records, use DANE, and potentially ignore bits of PKIX, potentially even all of it.

  98. Zash

    One of these days, RFC 7250

  99. moparisthebest

    The sad irony is DNSSEC let's us validate a cert against more than one domain, but SNI only allows us to ask for a cert matching 1 domain, so... gotta guess or try multiple times 😱

  100. moparisthebest

    dwd: for the record I always thought the knight story was perfect and frankly the best way I've ever seen this mess explained to date <3

  101. singpolyma

    > The sad irony is DNSSEC let's us validate a cert against more than one domain, but SNI only allows us to ask for a cert matching 1 domain, so... gotta guess or try multiple times 😱 Luckily in practise we always know exactly what domain is in the jid anyway

  102. dwd

    > The sad irony is DNSSEC let's us validate a cert against more than one domain, but SNI only allows us to ask for a cert matching 1 domain, so... gotta guess or try multiple times 😱 SNI also only says what domain the client wants, not what domain the server should expect. Some of Metre's use cases are quite tricky due to that on '368

  103. singpolyma

    Once you use DANE SNI becomes borderline meaningless anyway since your certs don't need to have any particular names in them.

  104. Zash

    and with RFC 7250 you hos

  105. Zash

    and with RFC 7250 you don't even need the certificate container!

  106. singpolyma

    https://mov.im/stickers/miho/e599dca3de182a821ef2e92234fb2bfca04a325e.png

  107. moparisthebest

    > Once you use DANE SNI becomes borderline meaningless anyway since your certs don't need to have any particular names in them. Only if all your clients support Dane though, in the meantime you have to hand them the cert they ask for with sni

  108. singpolyma

    I'm not usually thinking if clients when I talk about certs, but sure either way we support pkix fallback yes. And SNI works the same there as it always did

  109. Zash

    I enjoyed reading these words: https://lobste.rs/s/ymxynk/calling_time_on_dnssec#c_hfqngl

  110. singpolyma

    I liked that comment but also enjoyed that they misremembered the name as xmpp.ru

  111. moparisthebest

    > I'm not usually thinking if clients when I talk about certs, but sure either way we support pkix fallback yes. And SNI works the same there as it always did singpolyma: no it can't, say with DNSSEC you will accept a cert for bob.com or srv1.xmpphost.net, you have to ask for one with SNI and you don't know which they have, if you ask for bob.com and they send you a cert only valid for alice.com you really have to ask again using srv1.xmpphost.net because they might have that instead

  112. singpolyma

    With dnssec+DANE I will accept for *any* name not just those two

  113. Zash

    Accepting any name and asking for a particular name with SNI are separate things

  114. singpolyma

    Right. So ask for the correct name (bob.com) and that's it. I'm not going to enumerate every possible name just because I accept them all

  115. moparisthebest

    Ok so take what I said above, and replace "they send you a cert only valid for alice.com" with "they send you a cert who's key doesn't match what DANE says", it's the same problem, you still have to ask up to twice

  116. moparisthebest

    You have to

  117. moparisthebest

    You don't know how the server was configured

  118. singpolyma

    No I don't. And anyone who does is doing it wrong

  119. singpolyma

    Ask for bob.com

  120. singpolyma

    If the server doesn't give you the right cert the server is broken

  121. Zash

    The SRV target scenario doesn't happen because that wouldn't work with legacy PKIX clients

  122. singpolyma

    Exactly

  123. singpolyma

    We're only using SNI for fallback

  124. singpolyma

    So use what works with the fallback case

  125. Zash

    So no hosting delegatio

  126. Zash

    So no hosting delegatio n

  127. Zash

    So no hosting delegation

  128. singpolyma

    Not in a pkix world no

  129. singpolyma

    In a Dane only world sure, it'll just work

  130. Zash

    singpolyma, have you been following the dance wg (client-dane) btw? I'm subscribed to the mailing list but haven't hade the energy to do anything but read

  131. singpolyma

    No. Some new disaster we need to watch out for?

  132. Zash

    Not sure if any of the now discussed problems were in scope

  133. singpolyma

    My main concern is s2s since clients we could do by tofu or all kinds of other stuff if we really had to

  134. Zash

    Nah, because DANE only authenticates the client side, DANCE is about authenticating clients, I was under the impression this included server "clients" in order to bring non-hacky mutual authentication.

  135. Zash

    Nah, because DANE only authenticates the server side, DANCE is about authenticating clients, I was under the impression this included server "clients" in order to bring non-hacky mutual authentication.

  136. singpolyma

    Instead of the check-back thing you do now?

  137. singpolyma

    That could be nice if it turns out good

  138. singpolyma

    Though check-back seems fine

  139. singpolyma

    Who are they even working on it for? What protocol has use for this?

  140. Zash

    Too sleepy to go check now, only bit I remember is a location for a single set of TLSA records so you don't have to go chase SRV first

  141. Zash

    But there was also stuff for IoT clients.

  142. Zash

    Might have been some TLS extension, unless I misremember, which could be useful in a decade when openssl might have support for it

  143. Zash

    If the connecting party could just include its own signed DNSSEC chain in the handshake to authenticate its own ~client certificate~ public key, It Would Be Nice

  144. singpolyma

    So long as people don't have to go change all their dns records again, I'm in

  145. Zash

    You could go add `_xmpp-server.example.com IN CNAME _5269._tcp.example.com` for a tiny speed boost with some Prosody trunk

  146. Zash

    or add that name to your TLSA automation

  147. moparisthebest

    singpolyma: Sounds like you are saying servers and clients have to do 1 thing in a CA world (current world) and a totally different thing in a DANE world, with no way to migrate between the two then?

  148. singpolyma

    moparisthebest: no. I'm saying it's exactly the same for both

  149. singpolyma

    Unless they want to do something Dane can do that pkix can't do

  150. Zash

    It'd be nice if there was a DANE-SNI TLS extension for saying "Hey I know DANE and I expect you to show me some credential matching this [TLSA record OR hostname]"

  151. moparisthebest

    singpolyma: Could you name one server that you can configure to serve multiple certs with SNI where you can configure it to hand out the cert only valid for srv1.xmpphost.com when SNI contains bob.com ? I'm not aware of any

  152. singpolyma

    Oh indeed. Sending SNI of a cert hash or something would be Neat but not useful in a dual with pkix world

  153. singpolyma

    moparisthebest: yes. Prosody

  154. singpolyma

    I mean, don't do that it's silly. But you can easily

  155. moparisthebest

    How? I'm 90% sure you can't

  156. Zash

    If you specify certs manually nobody should anymore, you can make it send any certificates you want at any time.

  157. Zash

    If you specify certs manually likenobody should anymore, you can make it send any certificates you want at any time.

  158. Zash

    If you specify certs manually like nobody should anymore, you can make it send any certificates you want at any time.

  159. singpolyma

    Yup

  160. singpolyma

    Which is all I ever do anyway since it's easier on my brain than copying all certs into prosody's magic store thing

  161. Zash

    You may need a recent Prosody for SNI stuff to be non-automatic tho

  162. Zash

    singpolyma, if you spent a decade watching everyone use the manual settings to shoot themselves in the foot, because they read a guide written by someone who shot themselves in the foot without noticing, you'd appreciate the magic too

  163. singpolyma

    Zash: i believe you. I have to config certs for all my other services anyway and my certs all live in a single folder already because that's where my acme puts them, so it just makes sense to me to config them in the server config like anything else. I appreciate that the feature is useful to others and that's fine

  164. Zash

    If it works for you (and you don't have holes in your feet) then carry on :)

  165. singpolyma checks feed for holes

  166. singpolyma checks feet for holes