-
lash
I tried setting up an openfire server using cacert.org certificate. I have trouble connecting to other servers, and suspect maybe the certificate is the issue, that it's not trusted. Do server implementations bundle their own trusted certificates, or do they use system's, or both?
-
lash
And if own or both, does anyone know if cacert.org is included?
-
mightyBroccoli
Cacert is not in any major trust store AFAIK. Some / most / just mine (I don't have any statistics) do not allow s2s without a valid cert. Why not use letsencrypt.org?
-
lash
mightyBroccoli: Yes, I am aware. So that's why I was curious whether XMPP servers also bundle some, and if cacert.org is part of them. I really like the philosophy of cacert, and I would like to support them.
-
mightyBroccoli
I would bet some have cacert in their store, thus it's possible, but for a federated service highly impractical, if the cert is not trusted automatically or at least widely.
-
lash
mightyBroccoli: The question was really whether the server software bundles/provides them. But I assume from your reply that the answer is no.
-
Link Mauve
lash, no distribution bundles certificates as part of specific applications that I know of.
-
Maranda
hmmm interesting increase in bidi s2s connections :O
-
Maranda
nm not so interesting after all
- Maranda has disco'ed some servers running Metronome 🤣
-
pep.
Maranda, yeah, prosody has declared their mod_bidi stable not so long ago so people decided to run it, even though it's been the same code for how many years
-
Maranda
pep., but most of those 22 connections weren't prosody :P
-
pep.
heh
-
Maranda
I can recognize Metronome in webmin by just looking at the s2s flags :P
-
oli
i feel xmpp federation should not enforce "valid" certs.
-
pep.
Why not
-
pep.
https://github.com/matrix-org/matrix-doc/pull/1711/commits/f30e6851127874739659ffe2b2c211c4db6e50f0 Matrix tried that, promoting the use of self-signed certs, with "notary" servers to allow you to verify a fingerprint from different perspectives, but apparently they're failing and coming back to "You should trust CAs"
-
oli
because everyone has to rely on letsencrypt and this cert renewal automation shit is just a big stupid workaround.
-
pep.
How is that related to "federated servers should not enforce valid certs"?
-
oli
because the suggestion was to use letsencrypt.
-
pep.
Maybe we should advertise DANE a bit more :)
-
pep.
I agree with not trusting CAs, but alternative solutions are often a lot more involved
-
oli
what's wrong with dialback?
-
oli
how is that less trustworthy than letsencrypt?
-
Link Mauve
oli, hi, here is a SRV saying that muc.xmpp.org is now served by evil.com, trust me I’m a DNS server somewhere.
-
pep.
s/somewhere/at your ISP/
-
pep.
Or others.
-
oli
somewhere at your isp the letsencrypt verification is redirected
-
pep.
You contact them over https
-
pep.
So yeah if the CA trust is compromised, we're all doomed, but that will not go unnoticed
-
oli
i don't see much of a problem with s2s if there is encrypted dns and dnssec and maybe dane
-
oli
if i then receive a compromised ns record, letsencrypt has the same problem
-
oli
of course it's easier to just trust the letsencrypt cert
-
oli
and don't care about the other stuff
-
pep.
"letsencrypt has the same problem" how?
-
Link Mauve
oli, I’d say it’s harder to poison LE’s DNS servers than a random user’s ones.
-
oli
server admin, not user. s2s
-
oli
and it's about locking servers out that use self signed certs
-
mightyBroccoli
oli: it's about setting a standard. See it from this perspective: you would like a doctor who actually is a doctor, not one who just says they are one.
-
oli
good example of abuse of power and authority
-
Licaon_Kter
oli: the doctors part?
-
oli
yes
-
mightyBroccoli
Why is that abusive? Or to be more specific where do you feel violated by doctors?
-
Maranda
uh... lol with this poisoning paranoia drama.
-
oli
mightyBroccoli: 50% bad science, financial exploitation, unnecessary treatment including torture.
-
oli
50% saving leaves, providing proper care, ...
-
oli
lives not leaves
-
mightyBroccoli
I would call that filter bubble and misunderstanding of statistics. Projecting problems onto different other subjects works on the surface but does not match up when you dig deeper. Think for yourself, don't be a sheep.
-
oli
cheap arguments...
-
oli
i just want to point out that certified doctors are not a good analogy for certified servers. or maybe they are: a certificate does not imply guaranteed trustworthiness
-
Licaon_Kter
oli: it doesn't, now how would these stats look without any certification?
-
oli
depends. in some areas much better...