Bad XMPP - Bad XMPP

💡

🕶️

🚬

A set of badly configured XMPP services for testing against. Inspired by https://badssl.com/.

A list of hosts can be found by a disco#items query to badxmpp.eu which serves as an index.

Client and Server-to-Server Tests

These XMPP hosts have various intentional problems or quirks that allow testing how your client or server implementation react in this case.

Client testing

To test a client, simply attempt to add any account there. No actual login should be possible, so username and password does not matter and should never be sent. If the client implementation gets to the point where it would normally authenticate then the test has completed. Whether this constitutes a success or a failure depends on the test.

Server testing

Testing a server implementation is done by having it attempt to establish a server-to-server connection. This could be done by sending a message or ping.

DNS problems

no-target.badxmpp.eu: SRV record points to NXDOMAIN.
no-address.badxmpp.eu: SRV record points to NOERROR (only a TXT record, no A / AAAA).
no-service.badxmpp.eu: SRV record points to '.', indicating no service.
cname.badxmpp.eu: CNAME pointing at SRV pointing at CNAME.

Network and firewall

It’s dangerous to go alone, take this: RFC 8305.

ipv4-only.badxmpp.eu: Only an A record.
ipv6-only.badxmpp.eu: Only an AAAA record.
drop.badxmpp.eu: SRV record points to a black hole.
reject.badxmpp.eu: SRV record points to blocked port.
ipv4-drop.badxmpp.eu: Port black-holed over IPv4, but not IPv6.
ipv4-reject.badxmpp.eu: Port blocked over IPv4, but not IPv6.
ipv6-drop.badxmpp.eu: Port black-holed over IPv6, but not IPv4.
ipv6-reject.badxmpp.eu: Port blocked over IPv4, but not IPv4.
http.badxmpp.eu: SRV record points to a port with a HTTP server.
https.badxmpp.eu: SRV record points to a port with a HTTPS server.

TLS compatibility levels

Based on Mozilla Server Side TLS recommendations.

modern.badxmpp.eu: Modern compatibility
intermediate.badxmpp.eu: Intermediate compatibility
old.badxmpp.eu: Old backward compatibility

TLS versions

RFC 8996 deprecates TLS 1.0 and 1.1.

tls1.badxmpp.eu: Supports only TLS 1.0.
tls11.badxmpp.eu: Supports only TLS 1.1.
tls12.badxmpp.eu: Supports only TLS 1.2.
tls13.badxmpp.eu: Supports only TLS 1.3.

Diffie-Hellman parameter sizes

Ephemeral Diffie-Hellman over a bit groups of varying sizes.

~~dh512.badxmpp.eu~~: 512-bit (forbidden) seems to be rejected by the server, does not work as intended.
dh1024.badxmpp.eu: 1024-bit (forbidden)
dh2048.badxmpp.eu: 2048-bit from RFC 7919

Certificate problems

See RFC 6125 for verification guidelines.

self-signed.badxmpp.eu: Has a self-signed certificate.
expired.badxmpp.eu: Expired certificate.
wrong-name.badxmpp.eu: Does not have a certificate matching the name.
missing-chain.badxmpp.eu: Certificate chain missing an intermediate certificate.
ecdsa.badxmpp.eu: ECDSA certificate, where others are RSA.

XMPP base connectivity

no-sasl.badxmpp.eu: Does not offer SASL.
no-tls.badxmpp.eu: Does not offer TLS.
fail-tls.badxmpp.eu: Rejects <starttls/> with <failure/>
no-dialback.badxmpp.eu: Does not support Dialback. (Servers only)
bidi-only.badxmpp.eu: Requires XEP-0288
xmpps-only.badxmpp.eu: Supports only XMPP over TLS
xmpps-reject.badxmpp.eu: Rejects XMPP over TLS

Alternate verification methods

posh.badxmpp.eu: PKIX over Secure HTTP (POSH).