interop - 2010-12-07


  1. MattJ has left
  2. Florob has left
  3. badlop has left
  4. remko has joined
  5. remko has left
  6. Tobias has joined
  7. remko has joined
  8. Jonas has joined
  9. tuomas has joined
  10. Tobias has left
  11. Tobias has joined
  12. Jonas has joined
  13. Jonas has joined
  14. steve.kille has joined
  15. Tobias has left
  16. Flo has joined
  17. dbanes has joined
  18. Bob (BJ) has joined
  19. sjoerd.simons has left
  20. vt100 has joined
  21. sjoerd.simons has joined
  22. dbanes has left
  23. Tobias has joined
  24. vt100 has left
  25. Jonas has left
  26. MattJ has joined
  27. badlop has joined
  28. wjt has joined
  29. fippo mattj :-)
  30. Tobias has left
  31. wjt has left
  32. Tobias has joined
  33. Tobias has left
  34. Tobias has joined
  35. remko has left
  36. remko has joined
  37. Tobias has left
  38. Florob has joined
  39. Bob (BJ) has left
  40. Florob has left
  41. Tobias has joined
  42. remko quiet interop day today?
  43. Florian very
  44. Zash Does that mean that everything's fine or that stuff is horribly broken and everyone just sits and stares at the code?
  45. MattJ :)
  46. MattJ fippo, it would have saved me some time if you generated CSRs, but I can do it shortly if you're too lazy ;)
  47. MattJ fippo, unless you happen to have a copy of the Prosody repo
  48. MattJ in certs/ there's a Makefile
  49. Kev So, I think we need to initially get to the stage where every server is running up with a CA-generated cert for their domain.
  50. MattJ make yourdomain.com.cnf, edit the generated file accordingly
  51. MattJ then make yourdomain.com.csr
  52. Kev Once we're there, we can start testing basic s2s interop.
  53. MattJ Indeed, but if I have to start generating CSRs for everyone who needs a cert then it means it's going to take twice as long :)
  54. MattJ I can do it, if people send me the details
  55. Kev Dave's taking over mlinkrelease from me, btw.
  56. MattJ k
  57. MattJ fippo, it looks like I have a fix from Isode - did you say the CSR you sent was wrong anyway? or would it be fine for me to sign it now?
  58. fippo mattj: the csr I sent you was based on an old version and contained funny hostnames
  59. Tobias has left
  60. MattJ fippo, aha, found why Prosody isn't advertising starttls
  61. MattJ the CA stuff doesn't generate PEM by default
  62. Dave Cridland MattJ, While we were tinkering, we noticed that the CRL DP is mis-marked critical in end-user certificates, so you'll probably want to reissue those. :-(
  63. Dave Cridland (It's technically just about legal - breaking a SHOULD - but OpenSSL certainly rejects them)
  64. MattJ Ah... ok
  65. Dave Cridland MattJ, That fix also fixes that issue. (Along with the other niggles and things you found).
  66. fippo mattj: openssl did not expect a DER ca certificate either :-)
  67. fippo wonders if we're doing openssl interop testing
  68. MattJ :)
  69. Dave Cridland fippo, Or X.509 interop at least.
  70. fippo yai
  71. Asterix has left
  72. fippo i've added the ca location to the wiki page btw
  73. MattJ Thanks
  74. remko has left
  75. florob42 has joined
  76. tuomas has left
  77. stpeter has joined
  78. Tobias has joined
  79. Tobias aren't CRLs normally provided via HTTPS? or are they already singed?
  80. Tobias *signed
  81. fippo tobias: dave will explain that in a second :-)
  82. MattJ Heh
  83. steve.kille CRLs are signed, so can be distributed by any mechanism. Location is explicitly or implicitly specified in the Cert. Usual distribution is either LDAP or HTTP. HTTPS is not really needed, although sometimes used
  84. Tobias steve.kille: ahh..k..then it makes sense :)
  85. steve.kille has left
  86. steve.kille has joined
  87. remko has joined
  88. remko has left
  89. remko has joined
  90. sjoerd.simons has left
  91. sjoerd.simons has joined
  92. sjoerd.simons has left
  93. Dave Cridland Tobias, The only CA I've seen using https is CACert.org. The problem is, how do you verify the cert used in HTTPS, and if it fails to verify but the CRL is still signed (and within its expiry), what do you do anyway?
  94. Tobias throw a coin
  95. Tobias what do you do anyway if the resource of the CRL is unavailable
  96. zanchin has left
  97. Dave Cridland Tobias, Ah, then the certificate is unverifiable, so cannot be trusted.
  98. Dave Cridland Could be an attack on the CA to avoid disclosure of a revocation.
  99. Dave Cridland Tobias, But that's why I personally prefer OCSP stapling, which largely avoids that case. But we don't support that. (yet?)
  100. Dave Cridland MattJ, Do we need to resend CSRs?
  101. fippo badlop: is ejabberd21 already tls-enabled?
  102. badlop tls not enabled; what cert should i install in it?
  103. Dave Cridland badlop, If you generate a CSR, then MattJ has the CA, and can issue you a cert.
  104. Dave Cridland badlop, http://ca.xmpptest.com
  105. fippo prosody has a really nice makefile for generating csrs
  106. Flo has left
  107. Dave Cridland fippo, Sodium is rather spiffy, too. Like Prosody's makefile, as I understand things, it generates the CSR from the configuration.
  108. fippo Interop day 2: We made mattj sign CSRs all day
  109. Zash Dave Cridland: not yet, but I have a prosodyctl patch that makes it spit out a SAN section for a openssl.cnf :)
  110. Dave Cridland sends two more CSRs to MattJ
  111. badlop what's his email address?
  112. badlop ah, mwild1@gmail.com
  113. stpeter are we working on email interop? :)
  114. stpeter we need a way to attach files to a MUC room....
  115. Dave Cridland stpeter, What, send the CSRs via MUC?
  116. Tobias yeah..since normal p2p filetransfer already works that nice :P
  117. stpeter attach to the room
  118. Dave Cridland has left
  119. stpeter if you wanted to have it available to all
  120. Dave Cridland has joined
  121. stpeter Tobias: heh, well, I just received a file from someone outside Cisco and it all worked fine, but it's not as reliable as it should be :(
  122. Zash mod_pastebin!
  123. stpeter :)
  124. Dave Cridland stpeter, Yeah, one of our (XMPP) partners sent me a file. Surprised the heck out of me that it worked.
  125. Zash Bah, XMPP is a messaging protocol, not a file-sharing protocol!
  126. Zash ;)
  127. Dave Cridland At least the Pontari.us guys are trying to make it a media sharing network, too.
  128. badlop <fippo> i've added the ca location to the wiki page btw <-- and i added instructions to build the CSR
  129. Dave Cridland Kev, Can you do some DNS magic for me?
  130. fippo Kev: if you're incrementing the serial anyway, can you add a no.such.xmpptest.com srv record pointing to . (which iirc means: no such service)
  131. Dave Cridland fippo, Oh, nice thought.
  132. Dave Cridland Kev, In that case, also add an A record pointing somewhere interesting we can log.
  133. Dave Cridland is pretty sure we'll fail that.
  134. Dave Cridland Kev, When you're back, then, I have 217.155.137.58 (5222/5269) servicing mlinkrelease.xmpptest.com - feel free to give it a random hostname, like, say, mlinktrunk.xmpptest.com. :-)
  135. remko has left
  136. kurt.zeilenga has joined
  137. kurt.zeilenga has left
  138. badlop has left
  139. florob42 has left
  140. Florob has joined
  141. Asterix has left
  142. MattJ has left
  143. Kev It'll wait until tomorrow, I expect :)
  144. Florob has left
  145. Florob has joined
  146. Tobias has left
  147. stpeter has left