[jdev] XEP-0115 Caps Verification

Matthew Wild mwild1 at gmail.com
Mon Sep 20 14:02:50 CST 2010

(forgot to send this at the weekend)

2010/9/18 Remko Tronçon <remko at el-tramo.be>:
>> As far as I know, Tkabber, Gajim and telepathy-gabble have correct
>> implementation (in TCL, Python and C).
> Yes, that I noticed. I'm asking about *in*correct implementations
> though. We've been getting reports of failing verification for some
> clients/libraries, and I wanted to double check if others also had the
> same problem before reporting it (to make sure the problem isn't on
> our side).

Since this is something I've been curious about for a while as well, I
just wrote a quick script to test caps hashes. It's based on Prosody's
100% correct caps calculation code (just ask Waqas).

Running it logged into my own account received presence from 48
contacts. 32 had valid hashes, 14 had legacy caps, 6 had no caps at
all (mostly bots), and 2 had invalid caps. Of those with invalid caps,
one was a bot (mine, using gloox), the other was an N900 - but it may
be that it returned an error or empty disco result rather than an
invalid hash as such.

The repo is at http://code.matthewwild.co.uk/xmpp-capscan but if you
don't have Verse installed already you can grab a standalone version
from http://matthewwild.co.uk/uploads/capscan.min.lua . Depends on
LuaSocket and LuaExpat, liblua5.1-socket2 and liblua5.1-expat0 in
Debian/Ubuntu. If you want TLS you also need LuaSec (liblua5.1-sec1).
You also of course need Lua 5.1 (lua5.1) if you don't have it already.

Run with "lua capscan you@yourdomain", enter your password, and when
you think it has been running long enough just Ctrl+C it (give it half
a minute or so depending on the size of your roster). It will then
write out statistics to report.html in the current directory and exit.

If it wasn't clear, running this script actively queries the
disco#info and jabber:iq:version of each contact/client it receives
presence for (only once per full JID). Just making sure nobody can say
I didn't warn them :)


PS. It might be worth doing the same for vCard/avatar hashes at some
stage - I'm pretty sure I've seen a few clients get that wrong.
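As an added example (not part of the original message and not capscan's own Lua code), here is a minimal Python reimplementation of the XEP-0115 hash calculation such a checker has to perform: sort identities, features and extended-info forms, join them with '<', SHA-1 the UTF-8 bytes and base64 the digest, then compare with the ver a contact advertised. The function names caps_ver/verify_caps are mine; the sample input is the XEP's own Exodus 0.9.1 example, constructed here so the block runs offline.

```python
import base64
import hashlib

# Constructed sample input: the "simple" example from XEP-0115 section 5.2
# (an Exodus 0.9.1 client), so the expected ver is the one the XEP lists.
EXODUS_IDENTITIES = [("client", "pc", "", "Exodus 0.9.1")]
EXODUS_FEATURES = [
    "http://jabber.org/protocol/muc",
    "http://jabber.org/protocol/disco#items",
    "http://jabber.org/protocol/caps",
    "http://jabber.org/protocol/disco#info",
]


def caps_ver(identities, features, forms=(), hash_name="sha1"):
    """Build the XEP-0115 verification string from a disco#info result.

    identities: iterable of (category, type, xml:lang, name) tuples
    features:   iterable of feature var strings
    forms:      iterable of dicts mapping field var -> list of values,
                each including a single-valued FORM_TYPE field
    """
    parts = []
    # Identities sorted by category, then type, then lang (tuple order does that).
    for cat, typ, lang, name in sorted(identities):
        parts.append(f"{cat}/{typ}/{lang}/{name}<")
    for feat in sorted(features):
        parts.append(feat + "<")

    def form_type(form):
        values = form.get("FORM_TYPE", [])
        if len(values) != 1:
            # XEP-0115: a form without exactly one FORM_TYPE value makes the
            # hash invalid, so refuse instead of guessing.
            raise ValueError("extended form needs exactly one FORM_TYPE value")
        return values[0]

    for form in sorted(forms, key=form_type):
        parts.append(form_type(form) + "<")
        for var in sorted(v for v in form if v != "FORM_TYPE"):
            parts.append(var + "<")
            parts.extend(value + "<" for value in sorted(form[var]))
    # Python sorts str by code point, which matches UTF-8 octet order.
    digest = hashlib.new(hash_name, "".join(parts).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_caps(advertised_ver, identities, features, forms=()):
    """True only when the advertised ver matches what the disco#info
    response hashes to; a mismatch must not be cached under that ver."""
    return advertised_ver == caps_ver(identities, features, forms)
```

A client whose disco#info hashes to something other than its advertised ver is exactly the "invalid caps" case counted above; the safe reaction is to discard the result rather than poison the caps cache for everyone else sharing that hash.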
