interop - 2010-12-07

  1. fippo

    mattj :-)

  2. remko

    quiet interop day today?

  3. Florian

    very

  4. Zash

    Does that mean that everything's fine or that stuff is horribly broken and everyone just sits an stares at the code?

  5. MattJ

    :)

  6. MattJ

    fippo, it would have saved me some time if you generated CSRs, but I can do it shortly if you're too lazy ;)

  7. MattJ

    fippo, unless you happen to have a copy of the Prosody repo

  8. MattJ

    in certs/ there's a Makefile

  9. Kev

    So, I think we need to initially get to the stage where every server is running up with a CA-generated cert for their domain.

  10. MattJ

    make yourdomain.com.cnf, edit the generated file accordingly

  11. MattJ

    then make yourdomain.com.csr

  12. Kev

    Once we're there, we can start testing basic s2s interop.

  13. MattJ

    Indeed, but if I have to start generating CSRs for everyone who needs a cert then it means it's going to take twice as long :)

  14. MattJ

    I can do it, if people send me the details

  15. Kev

    Dave's taking over mlinkrelease from me, btw.

  16. MattJ

    k

  17. MattJ

    fippo, it looks like I have a fix from Isode - did you say the CSR you sent was wrong anyway? or would it be fine for me to sign it now?

  18. fippo

    mattj: the csr I sent you was based on a old version and contained funny hostnames

  19. MattJ

    fippo, aha, found why Prosody isn't advertising starttls

  20. MattJ

    the CA stuff doesn't generate PEM by default

  21. Dave Cridland

    MattJ, While we were tinkering, we noticed that the CRL DP is mis-marked critical in end-user certificates, so you'll probably want to reissue those. :-(

  22. Dave Cridland

    (It's technically just about legal - breaking a SHOULD - but OpenSSL certainly rejects them)

  23. MattJ

    Ah... ok

  24. Dave Cridland

    MattJ, That fix also fixes that issue. (Along with the other niggles and things you found).

  25. fippo

    mattj: openssl did not expect a DER ca certificate either :-)

  26. fippo wonders if we're doing openssl interop testing

  27. MattJ

    :)

  28. Dave Cridland

    fippo, Or X.509 interop at least.

  29. fippo

    yai

  30. fippo

    i've added the ca location to the wiki page btw

  31. MattJ

    Thanks

  32. Tobias

    aren't CRLs normally provided via HTTPS? or are they already singed?

  33. Tobias

    *signed

  34. fippo

    tobias: dave will explain that in a second :-)

  35. MattJ

    Heh

  36. steve.kille

    CRLs are signed, so can be distributed by any mechanism. Location is explicitly or imi=plicity specified in the Cert. Usual distribution is either LDAP or HTTP. HTTPS is not really needed, although sometimes used

  37. Tobias

    steve.kille: ahh..k..then it makes sense :)

  38. Dave Cridland

    Tobias, The only CA I've seen using https is CACert.org. The problem is, how do you verify the cert used in HTTPS, and if it fails to verify but the CRL is still signed (and within its expiry), what do you do anyway?

  39. Tobias

    throw a coin

  40. Tobias

    what do you do anyway if the resource of the CRL is unavailable

  41. Dave Cridland

    Tobias, Ah, then the certificate is unverifiable, so cannot be trusted.

  42. Dave Cridland

    Could be an attack on the CA to avoid disclosure of a revocation.

  43. Dave Cridland

    Tobias, But that's why I personally prefer OCSP stapling, which largely avoids that case. But we don't support that. (yet?)

  44. Dave Cridland

    MattJ, Do we need to resend CSRs?

  45. fippo

    badlop: is ejabberd21 already tls-enabled?

  46. badlop

    tls not enabled; what cert should i install in it?

  47. Dave Cridland

    badlop, If you generate a CSR, then MattJ has the CA, and can issue you a cert.

  48. Dave Cridland

    badlop, http://ca.xmpptest.com

  49. fippo

    prosody has a really nice makefile for generating csrs

  50. Dave Cridland

    fippo, Sodium is rather spiffy, too. Like Prosody's makefile, as I understand things, it generates the CSR from the configuration.

  51. fippo

    Interop day 2: We made mattj sign CSRs all day

  52. Zash

    Dave Cridland: not yet, but I have a prosodyctl patch that makes it spit out a SAN section for a openssl.cnf :)

  53. Dave Cridland sends two more CSRs to MattJ

  54. badlop

    what's his email address?

  55. badlop

    ah, mwild1@gmail.com

  56. stpeter

    are we working on email interop? :)

  57. stpeter

    we need a way to attach files to a MUC room....

  58. Dave Cridland

    stpeter, What, send the CSRs via MUC?

  59. Tobias

    yeah..since normal p2p filetransfer already works that nice :P

  60. stpeter

    attach to the room

  61. stpeter

    if you wanted to have it available to all

  62. stpeter

    Tobias: heh, well, I just received a file from someone outside Cisco and it all worked fine, but it's not as reliable as it should be :(

  63. Zash

    mod_pastebin!

  64. stpeter

    :)

  65. Dave Cridland

    stpeter, Yeah, one of our (XMPP) partners sent me a file. Surprised the heck out of me that it worked.

  66. Zash

    Bah, XMPP is a messaging protocol, not a file-sharing protocol!

  67. Zash

    ;)

  68. Dave Cridland

    At least the Pontari.us guys are trying to make it a media sharing network, too.

  69. badlop

    <fippo> i've added the ca location to the wiki page btw <-- and i added instructions to build the CSR

  70. Dave Cridland

    Kev, Can you do some DNS magic for me?

  71. fippo

    Kev: if you're incrementing the serial anyway, cann you add a no.such.xmpptest.com srv record pointing to . (which iirc means: no such service)

  72. Dave Cridland

    fippo, Oh, nice thought.

  73. Dave Cridland

    Kev, In that case, also add an A record pointing somewhere interesting we can log.

  74. Dave Cridland is pretty sure we'll fail that.

  75. Dave Cridland

    Kev, When you're back, then, I have 217.155.137.58 (5222/5269) servicing mlinkrelease.xmpptest.com - feel free to give it a random hostname, like, say, mlinktrunk.xmpptest.com. :-)

  76. Kev

    It'll wait until tomorrow, I expect :)