Modern XMPP project discussion - 2026-04-12


  1. s123

    So s2s is still not working between some servers?

  2. s123

    I was reading this the other day and all the bullshit Let's Encrypt (and other CAs that supported google's idiocy, and google themselves) said has aged comically badly: https://community.letsencrypt.org/t/do-not-remove-tls-client-auth-eku/237427

  3. s123

    For reasons that aren't clear except maybe herd behavior, a lot of people echoed the (invalid, nonsense) justification google gave

  4. s123

    Pretty much a study in failure

  5. s123

    https://github.com/processone/ejabberd/commit/72bc9b6c7f6afce7aa671a47eee343cc25b0abcb

  6. s123

    "we get some people yelling, some of them are [sic] just don't like change" 🤣

  7. s123

    "I believe you'll find that this transition is easier to navigate than you expect." 🤣

  8. s123

    "There's an awful lot of heat on this thread, but so far not one description of actual harm that inability to use LE certificates for client authentication will cause."🤪

  9. menel

    I think most are over it already. Only some servers stuck behind as was to be expected.

  10. s123

    "If that truly is your objective, I'd recommend you: Demonstrate understanding of the reasons behind this change--the discussions are all public; this is not simply a matter of "Google has decreed it" 😄

  11. menel

    Why warming up that old topic. It's ancient past now

  12. s123

    well because it's recently caused lots of problems

  13. s123

    " Describe, with as few buzzwords as possible, and in as much detail as possible, the use case that requires a single cert, from a publicly-trusted CA whose root is in all the OS trust stores, that provides both ClientAuth and ServerAuth EKUs. Include discussion of what characteristics of the relevant software make it impossible to use separate certs for these two functions, why the software in question can't be configured to trust a private CA, and a reasonable estimate of the number of installations that would be affected. If you "don't have the energy" even for that, why would you expect LE to expend considerably more energy to defend a use case you won't even describe?"😂

  14. menel

    It's unrelated to "modernxmpp"

  15. s123

    it's the reason why xmpp s2s isn't working

  16. s123

    and it's the reason why thousands of users recently had their rosters, mucs etc wiped in a failed upgrade

  17. s123

    and their accounts actually, they've had to reregister

  18. s123

    the current version of ejabberd that ubuntu lts installs does not have the patch to use certificates for client auth even if they are "officially" not intended for that purpose

  19. s123

    servers have been patched to work around (undermine) google's policy but clearly not all

  20. Link Mauve

    s123, certificates failing to validate in old software can’t be the cause of database failures.

  21. s123

    the version latest ubuntu LTS installs if I install it from the newest version today, is not exactly old

  22. Link Mauve

    s123, I recommend raising that issue to Ubuntu’s venue for bug reports.

  23. Link Mauve

    But I believe they don’t provide any support for community-managed packages.

  24. s123

    well it wasn't my server anyway I'm just one of the affected users and been trying to help the affected admin

  25. Link Mauve

    Their universe repository I think?

  26. Link Mauve

    I don’t recommend using Ubuntu on servers for that reason.

  27. s123

    thousands of people do use Ubuntu anyway and for almost anything else it works

  28. s123

    it's newer than what debian installs

  29. Link Mauve

    Well, they do, but what I said is still true AFAIK, so unless they exclusively use packages from the core repositories, they are running fully unsupported configurations unknowingly.

  30. Link Mauve

    I wouldn’t recommend Debian either but only for your reason.

  31. admin

    > I don’t recommend using Ubuntu on servers for that reason.

    But people coming in to the XMPP service provider side from the start don't know that. People or time and effort to put up someone stable, and only until they get connected to the community they get told to undo everything cause they didn't choose the correct starting point

  32. admin

    > I don’t recommend using Ubuntu on servers for that reason.

    But people coming in to the XMPP service provider side from the start don't know that. People put time and effort to put up someone stable, and only until they get connected to the community they get told to undo everything cause they didn't choose the correct starting point

  33. Link Mauve

    admin, I believe the issue could be fixed by Ubuntu discouraging people from using their unsupported packages, but for obvious reasons they won’t.

  34. admin

    And software providers like Process One should stop mentioning distro packages as an option on their website

  35. admin

    People go to the site trusting they are getting the best information best recommendation

  36. admin

    > I don’t recommend using Ubuntu on servers for that reason.

    But people coming in to the XMPP service provider side from the start don't know that. People put time and effort to put up something stable, and only until they get connected to the community they get told to undo everything cause they didn't choose the correct starting point