ZashDoes that mean that everything's fine or that stuff is horribly broken and everyone just sits an stares at the code?
MattJfippo, it would have saved me some time if you generated CSRs, but I can do it shortly if you're too lazy ;)
MattJfippo, unless you happen to have a copy of the Prosody repo
MattJin certs/ there's a Makefile
KevSo, I think we need to initially get to the stage where every server is running up with a CA-generated cert for their domain.
MattJmake yourdomain.com.cnf, edit the generated file accordingly
MattJthen make yourdomain.com.csr
KevOnce we're there, we can start testing basic s2s interop.
MattJIndeed, but if I have to start generating CSRs for everyone who needs a cert then it means it's going to take twice as long :)
MattJI can do it, if people send me the details
KevDave's taking over mlinkrelease from me, btw.
MattJfippo, it looks like I have a fix from Isode - did you say the CSR you sent was wrong anyway? or would it be fine for me to sign it now?
fippomattj: the csr I sent you was based on a old version and contained funny hostnames
MattJfippo, aha, found why Prosody isn't advertising starttls
MattJthe CA stuff doesn't generate PEM by default
Dave CridlandMattJ, While we were tinkering, we noticed that the CRL DP is mis-marked critical in end-user certificates, so you'll probably want to reissue those. :-(
Dave Cridland(It's technically just about legal - breaking a SHOULD - but OpenSSL certainly rejects them)
Dave CridlandMattJ, That fix also fixes that issue. (Along with the other niggles and things you found).
fippomattj: openssl did not expect a DER ca certificate either :-)
fippowonders if we're doing openssl interop testing
Dave Cridlandfippo, Or X.509 interop at least.
fippoi've added the ca location to the wiki page btw
Tobiasaren't CRLs normally provided via HTTPS? or are they already singed?
fippotobias: dave will explain that in a second :-)
steve.killeCRLs are signed, so can be distributed by any mechanism. Location is explicitly or imi=plicity specified in the Cert. Usual distribution is either LDAP or HTTP. HTTPS is not really needed, although sometimes used
Tobiassteve.kille: ahh..k..then it makes sense :)
Dave CridlandTobias, The only CA I've seen using https is CACert.org. The problem is, how do you verify the cert used in HTTPS, and if it fails to verify but the CRL is still signed (and within its expiry), what do you do anyway?
Tobiasthrow a coin
Tobiaswhat do you do anyway if the resource of the CRL is unavailable
Dave CridlandTobias, Ah, then the certificate is unverifiable, so cannot be trusted.
Dave CridlandCould be an attack on the CA to avoid disclosure of a revocation.
Dave CridlandTobias, But that's why I personally prefer OCSP stapling, which largely avoids that case. But we don't support that. (yet?)
Dave CridlandMattJ, Do we need to resend CSRs?
fippobadlop: is ejabberd21 already tls-enabled?
badloptls not enabled; what cert should i install in it?
Dave Cridlandbadlop, If you generate a CSR, then MattJ has the CA, and can issue you a cert.
Dave Cridlandbadlop, http://ca.xmpptest.com
fippoprosody has a really nice makefile for generating csrs
Dave Cridlandfippo, Sodium is rather spiffy, too. Like Prosody's makefile, as I understand things, it generates the CSR from the configuration.
fippoInterop day 2: We made mattj sign CSRs all day
ZashDave Cridland: not yet, but I have a prosodyctl patch that makes it spit out a SAN section for a openssl.cnf :)
Dave Cridlandsends two more CSRs to MattJ
badlopwhat's his email address?
stpeterare we working on email interop? :)
stpeterwe need a way to attach files to a MUC room....
Dave Cridlandstpeter, What, send the CSRs via MUC?
Tobiasyeah..since normal p2p filetransfer already works that nice :P
stpeterattach to the room
Dave Cridlandhas left
stpeterif you wanted to have it available to all
Dave Cridlandhas joined
stpeterTobias: heh, well, I just received a file from someone outside Cisco and it all worked fine, but it's not as reliable as it should be :(
Dave Cridlandstpeter, Yeah, one of our (XMPP) partners sent me a file. Surprised the heck out of me that it worked.
ZashBah, XMPP is a messaging protocol, not a file-sharing protocol!
Dave CridlandAt least the Pontari.us guys are trying to make it a media sharing network, too.
badlop<fippo> i've added the ca location to the wiki page btw <-- and i added instructions to build the CSR
Dave CridlandKev, Can you do some DNS magic for me?
fippoKev: if you're incrementing the serial anyway, cann you add a no.such.xmpptest.com srv record pointing to . (which iirc means: no such service)
Dave Cridlandfippo, Oh, nice thought.
Dave CridlandKev, In that case, also add an A record pointing somewhere interesting we can log.
Dave Cridlandis pretty sure we'll fail that.
Dave CridlandKev, When you're back, then, I have 22.214.171.124 (5222/5269) servicing mlinkrelease.xmpptest.com - feel free to give it a random hostname, like, say, mlinktrunk.xmpptest.com. :-)