Re: Future of jabberd

2016-05-30 Thread lists
If you can create and maintain the database through standard programs (sqlite 
being my favorite), I don't mind the caching. But in a system that uses TLS, is 
a database lookup that significant of a time sink in the whole transaction 
flow?

This is interesting reading:
http://stackoverflow.com/questions/11216647/why-is-sqlite-faster-than-redis-in-this-simple-benchmark

I don't do a lot of database stuff, but learning on mysql and then trying 
sqlite, I'm just amazed at how it cranks. I really like sqlite3. 

  Original Message  
From: Tomasz Sterna
Sent: Monday, May 30, 2016 4:30 PM
To: jabberd2@lists.xiaoka.com
Reply To: jabberd2@lists.xiaoka.com
Subject: Re: Future of jabberd

On 30.05.2016, Mon at 12:50 -0700, user
li...@lazygranch.com wrote:
> Do you really have to cache something in jabberd when the data can be
> pulled from the sql database? Sure the data has changed. But if you
> pull a fresh record each time, I don't see the issue.

Unfortunately RDBMSs are notorious for being a choking point.
You just cannot fetch data over and over again and expect reasonable
performance. This is the reason for the rise of memcached, redis etc.

Also, see: https://metajack.wordpress.com/2008/08/26/choosing-an-xmpp-server/


-- 
/o__ 
(_<^' I must follow the people. Am I not their leader? -Benjamin Disraeli

Re: Future of jabberd

2016-05-30 Thread lists
Do you really have to cache something in jabberd when the data can be pulled 
from the sql database? Sure the data has changed. But if you pull a fresh 
record each time, I don't see the issue.


  Original Message  
From: Tomasz Sterna
Sent: Monday, May 30, 2016 11:40 AM
To: jabberd2@lists.xiaoka.com
Reply To: jabberd2@lists.xiaoka.com
Subject: Re: Future of jabberd

On 30.05.2016, Mon at 10:00 -0700, user
li...@lazygranch.com wrote:
> That is one of the beauties of programs written around standard tools
> like sql. You can hook into the database and add features, or not.

The issue with this approach is that SM component caches user data and
has no way of knowing that data was changed directly in database
backend.

http://martinfowler.com/bliki/TwoHardThings.html


-- 
smoku @ http://abadcafe.pl/ @ http://xiaoka.com/

Re: Future of jabberd

2016-05-30 Thread lists
That is one of the beauties of programs written around standard tools like 
sql. You can hook into the database and add features, or not. ;-)

In defense of web interfaces, you can hand off that administration task to 
someone else without granting login access to the server. Or, depending on your 
setup, the web interface could be restricted to LAN-facing only, such as in the 
proposed ddwrt setup.

It might pay to check out the XMPP pentest tools if what sounds like a total 
rewrite of jabberd is in the works.

  Original Message  
From: brahmann
Sent: Monday, May 30, 2016 8:26 AM
To: jabberd2@lists.xiaoka.com
Reply To: jabberd2@lists.xiaoka.com
Subject: Re: Future of jabberd

Agree (web).
Some years ago I wrote a simple web interface for jabberd2; I need to review 
it and rewrite it for the new one later. It will be good for those who want it, 
but not inside the jabberd2 code.

Using it with mysql and postgresql works perfectly.


wbr, brahmann

On 30.05.2016 16:43, li...@lazygranch.com wrote:
> Regarding item 4, seriously, does everything these days have to have a web 
> interface? It just increases the attack surface. Adding a web interface means 
> one more thing to protect against hackers, which means writing rules for the 
> WAF or adding something else for fail2ban or sshguard to watch.
>
> Most services have a "reload" and "restart" in the service command. It really 
> isn't a burden to use them. The burden is to have yet another means to 
> restart the service.
>
> Personally, I viewed the XML setup as a feature since it is self documenting.
>
> My preference would be for better sqlite support. That is add and delete 
> users from sqlite3 rather than mysql.
>

Re: Future of jabberd

2016-05-30 Thread lists
Regarding item 4, seriously, does everything these days have to have a web 
interface? It just increases the attack surface. Adding a web interface means 
one more thing to protect against hackers, which means writing rules for the 
WAF or adding something else for fail2ban or sshguard to watch. 

Most services have a "reload" and "restart" in the service command. It really 
isn't a burden to use them. The burden is to have yet another means to restart 
the service.

Personally, I viewed the XML setup as a feature since it is self documenting. 

My preference would be for better sqlite support. That is add and delete users 
from sqlite3 rather than mysql.


Re: jabberd-2.4.0 release

2016-05-28 Thread lists
Right. But what exactly do I update?

  Original Message  
From: Tomasz Sterna
Sent: Saturday, May 28, 2016 7:20 AM
To: jabberd2@lists.xiaoka.com
Reply To: jabberd2@lists.xiaoka.com
Subject: Re: jabberd-2.4.0 release

On 27.05.2016, Fri at 23:57 -0700, user
li...@lazygranch.com wrote:
> I don't understand this:
> remember to update /etc/ld.so.conf too

A common issue is to build jabberd2 against libraries in a non-standard
path; jabberd2 then fails to run because the dynamic linker cannot find
these libraries.
This is a reminder to update the dynamic linker configuration file.


-- 
smoku @ http://abadcafe.pl/ @ http://xiaoka.com/
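Added example, not code from the jabberd2 list or project, of the check behind that reminder: list the shared libraries a built binary needs that the dynamic linker cannot resolve, so the install prefix can be registered with the linker before the daemon is started. It assumes a Linux-style ldd and ldconfig; /usr/local/lib and /usr/local/bin/c2s are hypothetical paths. On FreeBSD, where the original poster is, the linker cache is managed by ldconfig's hints rather than /etc/ld.so.conf.

```shell
#!/bin/sh
# Added example (not code from the jabberd2 list or project). Diagnoses the
# failure the ld.so.conf reminder is about: a binary built against libraries
# in a non-standard prefix whose shared objects the dynamic linker cannot find.
# Assumes a Linux-style ldd; /usr/local/lib is a hypothetical install prefix.
set -e

# Print the names of shared libraries that ldd reports as "not found" for
# binary $1, one per line (empty output means everything resolves).
find_missing_libs() {
  ldd "$1" 2>/dev/null | awk '/=> not found/ { print $1 }'
}

# Return 0 when every shared library of binary $1 resolves, 1 otherwise,
# listing what is missing on stderr in the failure case.
check_binary() {
  missing=$(find_missing_libs "$1")
  if [ -n "$missing" ]; then
    printf '%s: unresolved shared libraries:\n%s\n' "$1" "$missing" >&2
    return 1
  fi
  return 0
}

# The one-time fix on a glibc system (shown as comments, not executed here):
# register the install prefix with the dynamic linker and refresh its cache.
#   echo /usr/local/lib > /etc/ld.so.conf.d/jabberd2.conf
#   ldconfig
# Afterwards check_binary on the installed daemon (hypothetical path
# /usr/local/bin/c2s) should return 0.

check_binary /bin/sh && echo "/bin/sh: all shared libraries resolve"
```

Run check_binary against each jabberd2 daemon after installation; any name it prints is a library the daemon was linked against but that the linker cache does not know about.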

Re: jabberd-2.4.0 release

2016-05-27 Thread lists
I'm on freebsd 10.2

  Original Message  
From: Matěj Cepl
Sent: Friday, May 27, 2016 9:31 AM
To: jabberd2@lists.xiaoka.com
Reply To: jabberd2@lists.xiaoka.com
Subject: Re: jabberd-2.4.0 release

On 2016-05-27, 07:09 GMT, li...@lazygranch.com wrote:
> I get this error message:
> --
> checking for XML_ParserCreate in -lexpat... no
> configure: error: Expat not found
> --
> I have expat, so it is a matter of configure not finding it.

Do you have appropriate -dev (for Debian), or -devel (for 
Fedora/SUSE) package installed?

Matěj

-- 
https://matej.ceplovi.cz/blog/, Jabber: mc...@ceplovi.cz
GPG Finger: 3C76 A027 CA45 AD70 98B5 BC1D 7920 5802 880B C9D8

Less is more or less more.
-- Y_Plentyn on #LinuxGER
(from fortunes -- I cannot resist :-)

Re: self signed cert

2016-05-07 Thread lists
Actually that was with a Go Daddy purchased cert, not a self signed cert.

As it stands, I have my own CA when I made my cert. I suspect I'm not putting 
all the elements (ca-cert, cert, key) in the right locations.

  Original Message  
From: Tomasz Sterna
Sent: Saturday, May 7, 2016 8:21 AM
To: jabberd2@lists.xiaoka.com
Reply To: jabberd2@lists.xiaoka.com
Subject: Re: self signed cert

On 03.05.2016, Tue at 16:51 -0700, user
li...@lazygranch.com wrote:
> I know when I used a web hosting company to handle my email, I would
> yearly have to blindly trust the new cert.

And this exact behavior I'd like to eradicate.

Most users do not bother to check whether they are blindly accepting the
right certificate or a certificate provided by a middle-man.



-- 
smoku @ http://abadcafe.pl/ @ http://xiaoka.com/

Re: self signed cert

2016-05-03 Thread lists
I'm not following you here. You still have encryption with a self signed cert, 
but no trust. But if you can't trust yourself, who else can you trust? 

On public wifi without the self signed cert, the conversation could be read, 
not to mention login credentials.

Take "letsencrypt" for example. Prior to adding their certificates to my root 
store, I could still get encryption, provided I let my browser go ahead. I just 
could trust the website identity. 

The Hong Kong Post Office is a CA, but I don't really trust them. ;-)‎ 

For private use, self signed is fine. Note that in email, you generally set up 
the mta with "may encrypt". That is how the MITM hacks your email by stripping 
SSL then allowing a downgrade. (Neither rain nor snow nor a MITM, the mail must 
go through.) But xmpp doesn't have the downgrade option.

  Original Message  
From: Tomasz Sterna
Sent: Tuesday, May 3, 2016 11:12 AM
To: jabberd2@lists.xiaoka.com
Reply To: jabberd2@lists.xiaoka.com
Cc: Jabber/XMPP software development list
Subject: Re: self signed cert

On 03.05.2016, Tue at 09:40 -0700, user
li...@lazygranch.com wrote:
> I suspect you wouldn't want s2s to use a self signed cert, so
> allowing two level of verification (c2s and s2s) sounds complex. You
> fix one thing in software and you break something else.

So, why would you allow self-signed on C2S?

Why do you want to use encryption in the first place?
So, no one is able to read the conversation, right?
But a self-signed cert does not give you this... Just a false illusion
that you are protected from eavesdropping.
Self-signed does not protect you from a man-in-the-middle attack, so
basically anyone able to tap the wire your transmission is going
through is still able to read it, with just slightly more effort.


> I noticed the online documentation doesn't completely match the xml,
> but there are enough comments in the xml that I could get close to
> setting it up. It is just the certs that are confusing.

Yeah. The real and up-to-date source of documentation is the comments
in the configuration files.


-- 
/o__ 
(_<^' Practice is the best of all instructors.

Re: self signed cert

2016-05-03 Thread lists
So the documentation on generating a self signed cert is not correct.

Isn't the key generated in that document technically the root CA?‎ 

  Original Message  
From: Tomasz Sterna
Sent: Tuesday, May 3, 2016 5:12 AM
To: jabberd2@lists.xiaoka.com
Reply To: jabberd2@lists.xiaoka.com
Subject: Re: self signed cert

On 03.05.2016, Tue at 02:12 -0700, user
li...@lazygranch.com wrote:
> How exactly do I specify the cachain for a self signed cert.

You need to put the root CA used to sign the cert into the CA certs
store specified in the 'cachain' option.

This is to encourage deployments to stop using self-signed certs, of
questionable security, and instead get a real cert.
You can get real, widely accepted certs for free.


> I get openssl error 18 meaning it can't be verified. Setting
> verify-mode='0' didn't help.

verify-mode sets how the server should verify client-provided
certificates. 0 (SSL_VERIFY_NONE[1]) is the default.



[1] https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_verify.html

-- 
/o__ 
(_<^' I respect faith, but doubt is what gives you an education.
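Added example, not code from the jabberd2 list or project, covering the two points made in this thread: a self-signed certificate fails OpenSSL chain verification with error 18 until the certificate that signed it sits in the CA store (the store the 'cachain' option points at), and a certificate from any other issuer still does not verify against that store, which is exactly the check that lets a client tell the right certificate from a substituted one. It assumes the openssl command-line tool; the hostnames xmpp.example.test and other.example.test and the scratch directory are constructed.

```shell
#!/bin/sh
# Added example (not code from the jabberd2 list or project). Shows why a
# self-signed server certificate fails OpenSSL chain verification with
# "error 18" until the certificate that signed it is in the CA store (the
# store jabberd2's 'cachain' option points at), and that a certificate from a
# different issuer still does not verify against that store.
# Assumes the openssl command-line tool; hostnames and paths are constructed.
set -e

# Generate a self-signed certificate $2.crt and key $2.key in directory $1
# for the (constructed) hostname $3.
make_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

# Verify certificate $1 against CA store file $2; returns 0 when a chain up
# to a certificate in that store can be built, non-zero otherwise.
verify_with_store() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Verify certificate $1 against the system default store and print the
# numeric X509 verification error, if any (18 = self-signed certificate that
# is not in any trusted store).
verify_error_code() {
  openssl verify "$1" 2>&1 | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

# Stand-alone demonstration.
dir=$(mktemp -d)
make_selfsigned "$dir" server xmpp.example.test    # the server's own cert
make_selfsigned "$dir" other  other.example.test   # an unrelated issuer
echo "system store only: openssl error $(verify_error_code "$dir/server.crt")"
verify_with_store "$dir/server.crt" "$dir/server.crt" && echo "own cert in store: OK"
verify_with_store "$dir/server.crt" "$dir/other.crt" || echo "unrelated cert in store: rejected"
rm -rf "$dir"
```

Putting the signing certificate into the 'cachain' store is what turns the first case into the second; verify-mode, as explained above, concerns the certificates clients present to the server and does not change this result.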