[07:26:17]
<Maranda> https://upload.lightwitch.org/share/kdjI0btn7dyu6368/EI6T3M_1S7WLhQ6wOoSEcA.gif
[07:41:28]
<Maranda> zinid: so idea for next benchmark... Raise drones' timeout over auth to 20 seconds? 🤸♂️😜
[07:41:57]
<zinid> dunno, the admin is still sleeping seems like 🙂
[07:42:27]
<Maranda> zinid, if it's not a big code change that is
[07:45:21]
<Maranda> That's ok, didn't mean to do it now anyways. 🤸♂️😆
[07:49:48]
<Maranda> zinid, and I think I found what slowed it down so much: starttls on reconnects + certificate checks
[07:50:34]
<Maranda> zinid, those take a lot of cpu time 😣 apparently
[07:54:26]
<Maranda> zinid: and the underperforming bit is openssl mostly so not easy to workaround either
[07:59:43]
<zinid> disable certfile checks for c2s?
[08:00:18]
<zinid> except for SASL EXTERNAL
[08:03:29]
<Maranda> zinid: but I need to fire certificate checks at features to check if a certificate is valid, to offer the sasl mechanism only in that case
[08:03:45]
<zinid> Maranda, I don't do that
[08:04:01]
<Maranda> At least that's in the best practices xep
[08:04:07]
<zinid> Maranda, I offer it always, then check only on a request and return <failure/> if needed
[08:04:18]
<zinid> Maranda, it's best crappy practice
[08:04:29]
<Maranda> 🤔
[08:04:31]
<zinid> and has been discussed many times with the XSF gangband
[08:04:44]
<zinid> also, the XEP doesn't require you at all, there are no MUSTs
[08:04:51]
<zinid> and such behaviour doesn't break anything
[08:05:51]
<zinid> Maranda, also, another advantage is to report *exact* sasl failure to the peer, so it's easy to debug
[08:06:20]
<Maranda> Ok guess I'll try that way then, it's removing code more than adding anyway 😋
[08:06:47]
<Maranda> Or more likely just remove
[08:06:56]
<zinid> the only rationale not to provide the mechanism is to force a client to pick another supported mechanism, but this is lame: a client should try all available mechs until one succeeds
[08:07:15]
<Maranda> Yeah
[08:07:48]
<zinid> for example, my library supports SASL mechs chaining: it tries them one by one, and my server supports chaining: it doesn't bounce on the first auth failure
[08:08:02]
<zinid> and in order to avoid brute force there is mod_fail2ban
[08:09:33]
<zinid> if you don't have mod_fail2ban then a client may retry SASL PLAIN (for example) in a loop, i.e. bruteforcing without stream restarts and reconnects
[08:09:45]
<zinid> so you need another way to control this if there is no mod_fail2ban
[08:11:01]
<zinid> my benchmarking library supports SASL chaining, I can try it on your server (with a single user) if you like
[08:11:14]
<zinid> it supports [EXTERNAL, PLAIN] chaining
[08:12:04]
<Maranda> zinid: well I estimated that starttls + x509 checks take around 70% of the cpu time, so removing that on a multiplier case I should have a 45% gain back or some such
[08:12:08]
<Maranda> 🤔
[08:12:19]
<zinid> yep
[08:23:21]
<zinid> so the benchmark machine is ready
[08:23:28]
<zinid> let me know if you want to benchmark
[12:19:45]
<Maranda> zinid: when I get back but first I wanna remove the code we talked about yesterday
[12:20:25]
<Maranda> Err not yesterday lol
[12:20:33]
<Maranda> Earlier I meant
[12:21:56]
<zinid> I already stopped the machines
[12:26:32]
<Maranda> zinid: ah no problem, sorry but when we were talking I was already on my way to the gym 🙏
[12:29:56]
<Maranda> zinid: I'll have the same behaviour for both c2s and s2s, I don't see why I should do it differently
[12:44:15]
<zinid> sure, same for me
[12:44:35]
<zinid> the only difference is authzid: in s2s case you just ignore it 🙂
[12:44:48]
<zinid> IIRC
[12:45:55]
<Maranda> I think that for s2s it needs to match the hostname or something
[12:46:31]
<Maranda> And you match that vs the certificate sans
[12:46:43]
<zinid> authzid? I recall something is said in the RFC about it, like it can be ignored and you rely only on certfile CN/SAN
[12:46:44]
<Maranda> /cn
[12:47:38]
<zinid> you have already server domain name from stream header, so...
[12:47:42]
<Maranda> I think I read that in that cursed best practices for sasl external xep zinid still haha
[12:48:00]
<Maranda> @xep sasl external
[12:48:22]
<Maranda> @xep external
[12:48:22]
<Echo1> Maranda: Sorry, I couldn't find a match
[12:48:33]
<Maranda> @xep sasl
[12:48:33]
<Echo1> Maranda: Sorry, I couldn't find a match
[12:48:37]
<Maranda> Blah
[12:49:58]
<Maranda> @xep 178
[12:49:58]
<Echo1> Maranda: Sorry, I don't think there is a XEP-0178
[12:50:03]
<Maranda> Why
[12:50:12]
<Maranda> Lol
[12:50:15]
<Maranda> Well
[12:51:29]
<Maranda> > If no authorization identity is included, then the server SHOULD return a SASL failure case of <invalid-authzid/> and close the stream.
https://xmpp.org/extensions/xep-0178.html ex 13 zinid
[12:51:44]
<zinid> that's for c2s?
[12:53:00]
<zinid> > For server-to-server authentication, the <auth/> element MAY include an authorization identity, however a future version of this specification might disallow use of the authorization identity in server-to-server authentication
[12:53:11]
<Maranda> zinid: hmmm you're right
[12:53:16]
<Maranda> 😋
[12:53:27]
<Maranda> I recalled just that bit
[16:00:34]
<Maranda> zinid, I resolved to a slightly different change, I won't present the mechanism if there isn't a certificate associated, firing :getpeercertificate() only should pose a minimal overhead.
[16:05:09]
<Echo1> maranda committed --
{...}: refactor SASL EXTERNAL related code. (Fixes #389)
-> https://github.com/maranda/metronome/commit/c928eb77c0309f287c427eec00488ee11b2b1af8
[16:25:11]
<Maranda> and sasl external for c2s broken.
[16:25:15]
<Maranda> rrrr
[16:29:50]
<zinid> Ahaha
[16:30:01]
<zinid> You Failed
[16:30:34]
<zinid> I have it covered with the tests, so I'm good 😂
[16:36:06]
<Maranda> zinid, oh wait got it.
[16:38:34]
<Maranda> Jul 02 16:37:39 c2s83b8680 info Client connected
Jul 02 16:37:40 c2s83b8680 debug Client sent opening <stream:stream> to lightwitch.org
Jul 02 16:37:40 c2s83b8680 debug Sent reply <stream:stream> to client
Jul 02 16:37:40 c2s83b8680 debug Received[c2s_unauthed]: <auth mechanism='EXTERNAL' xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
Jul 02 16:37:40 c2s83b8680 debug Certificate verification is being handled by mod_adhoc_cm...
Jul 02 16:37:40 c2s83b8680 info Authenticated as maranda@lightwitch.org
Jul 02 16:37:40 lightwitch.org:saslauth debug sasl reply: <success xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/>
[16:38:38]
<Maranda> zinid, there.
[16:39:35]
<Maranda> I actually forgot to reload the auth backend (mod_auth_internal_hashed), it picks up stuff from the sasl auxiliary library which was changed as well.
[16:50:09]
<Echo1> maranda committed --
sasl_aux.lib: remove unused variable.
-> https://github.com/maranda/metronome/commit/40ac0fdd03f95ae953a4ead9d25e93b3564409a3
[16:52:07]
<Maranda> zinid, and guess what? Around half a second faster on logins. 🤦♂
[16:52:19]
<zinid> neat
[16:52:39]
<zinid> 👍
[17:05:09]
<Echo1> maranda committed --
metronome.release: set version to 3.9.11.
-> https://github.com/maranda/metronome/commit/6d9be00376b2ff05aa5d272716f3134473341e0f
[17:30:42]
<Maranda> restarting server process sorry :(
[17:44:15]
<Maranda> hmm missed a change to dialback for shortcircuiting.
[17:46:03]
<Echo1> maranda committed --
mod_dialback: reflect previous changes.
-> https://github.com/maranda/metronome/commit/5a4f819d38ea47ec1d7b32086894cce99b82a275
[17:53:41]
<Maranda> @ping jabberfr.org
[17:54:15]
<Maranda> o.o
[17:54:37]
<Maranda> @ping
[17:54:48]
<Maranda> huhu
[17:59:53]
<Maranda> @ping
[18:01:11]
<Maranda> @ping
[18:01:11]
<Echo1> Maranda: pong
[18:01:25]
<Maranda> @ping
[18:01:25]
<Echo1> Maranda: pong
[18:01:30]
<Maranda> ....
[18:01:36]
<Maranda> @ping
[18:02:00]
<Maranda> ....
[18:02:02]
<Maranda> ...
[18:02:03]
<Maranda> ..
[18:02:05]
<Maranda> .
[18:19:06]
<Maranda> @ping
[18:19:06]
<Echo1> Maranda: pong
[18:19:23]
<Maranda> @ping
[18:19:23]
*Echo1 E_TEMPORARY_FAILURE, try again later.
[18:19:30]
<Maranda> @ping
[18:19:30]
*Echo1 E_TEMPORARY_FAILURE, try again later.
[18:19:47]
<Maranda> @ping isode.com
[18:19:47]
<Echo1> Ping failed (remote-server-not-found): Server-to-server connection failed: received a response of type invalid while authenticating with the authoritative server
[18:20:36]
<Maranda> @ping
[18:20:36]
*Echo1 E_TEMPORARY_FAILURE, try again later.
[18:20:50]
<Maranda> hmm no idea