Does that mean that everything's fine or that stuff is horribly broken and everyone just sits and stares at the code?
MattJ
:)
MattJ
fippo, it would have saved me some time if you generated CSRs, but I can do it shortly if you're too lazy ;)
MattJ
fippo, unless you happen to have a copy of the Prosody repo
MattJ
in certs/ there's a Makefile
Kev
So, I think we need to initially get to the stage where every server is running up with a CA-generated cert for their domain.
MattJ
make yourdomain.com.cnf, edit the generated file accordingly
MattJ
then make yourdomain.com.csr
Kev
Once we're there, we can start testing basic s2s interop.
MattJ
Indeed, but if I have to start generating CSRs for everyone who needs a cert then it means it's going to take twice as long :)
MattJ
I can do it, if people send me the details
Kev
Dave's taking over mlinkrelease from me, btw.
MattJ
k
MattJ
fippo, it looks like I have a fix from Isode - did you say the CSR you sent was wrong anyway? or would it be fine for me to sign it now?
fippo
mattj: the csr I sent you was based on an old version and contained funny hostnames
Tobias has left
MattJ
fippo, aha, found why Prosody isn't advertising starttls
MattJ
the CA stuff doesn't generate PEM by default
Dave Cridland
MattJ, While we were tinkering, we noticed that the CRL DP is mis-marked critical in end-user certificates, so you'll probably want to reissue those. :-(
Dave Cridland
(It's technically just about legal - breaking a SHOULD - but OpenSSL certainly rejects them)
MattJ
Ah... ok
Dave Cridland
MattJ, That fix also fixes that issue. (Along with the other niggles and things you found).
fippo
mattj: openssl did not expect a DER ca certificate either :-)
fippo wonders if we're doing openssl interop testing
MattJ
:)
Dave Cridland
fippo, Or X.509 interop at least.
fippo
yai
Asterix has left
fippo
i've added the ca location to the wiki page btw
MattJ
Thanks
remko has left
florob42 has joined
tuomas has left
stpeter has joined
Tobias has joined
Tobias
aren't CRLs normally provided via HTTPS? or are they already singed?
Tobias
*signed
fippo
tobias: dave will explain that in a second :-)
MattJ
Heh
steve.kille
CRLs are signed, so can be distributed by any mechanism. Location is explicitly or implicitly specified in the Cert. Usual distribution is either LDAP or HTTP. HTTPS is not really needed, although sometimes used
Tobias
steve.kille: ahh..k..then it makes sense :)
steve.kille has left
steve.kille has joined
remko has joined
remko has left
remko has joined
sjoerd.simons has left
sjoerd.simons has joined
sjoerd.simons has left
Dave Cridland
Tobias, The only CA I've seen using https is CACert.org. The problem is, how do you verify the cert used in HTTPS, and if it fails to verify but the CRL is still signed (and within its expiry), what do you do anyway?
Tobias
throw a coin
Tobias
what do you do anyway if the resource of the CRL is unavailable
zanchin has left
Dave Cridland
Tobias, Ah, then the certificate is unverifiable, so cannot be trusted.
Dave Cridland
Could be an attack on the CA to avoid disclosure of a revocation.
Dave Cridland
Tobias, But that's why I personally prefer OCSP stapling, which largely avoids that case. But we don't support that. (yet?)
Dave Cridland
MattJ, Do we need to resend CSRs?
fippo
badlop: is ejabberd21 already tls-enabled?
badlop
tls not enabled; what cert should i install in it?
Dave Cridland
badlop, If you generate a CSR, then MattJ has the CA, and can issue you a cert.
Dave Cridland
badlop, http://ca.xmpptest.com
fippo
prosody has a really nice makefile for generating csrs
Flo has left
Dave Cridland
fippo, Sodium is rather spiffy, too. Like Prosody's makefile, as I understand things, it generates the CSR from the configuration.
fippo
Interop day 2: We made mattj sign CSRs all day
Zash
Dave Cridland: not yet, but I have a prosodyctl patch that makes it spit out a SAN section for an openssl.cnf :)
Dave Cridland sends two more CSRs to MattJ
badlop
what's his email address?
badlop
ah, mwild1@gmail.com
stpeter
are we working on email interop? :)
stpeter
we need a way to attach files to a MUC room....
Dave Cridland
stpeter, What, send the CSRs via MUC?
Tobias
yeah..since normal p2p filetransfer already works that nice :P
stpeter
attach to the room
Dave Cridland has left
stpeter
if you wanted to have it available to all
Dave Cridland has joined
stpeter
Tobias: heh, well, I just received a file from someone outside Cisco and it all worked fine, but it's not as reliable as it should be :(
Zash
mod_pastebin!
stpeter
:)
Dave Cridland
stpeter, Yeah, one of our (XMPP) partners sent me a file. Surprised the heck out of me that it worked.
Zash
Bah, XMPP is a messaging protocol, not a file-sharing protocol!
Zash
;)
Dave Cridland
At least the Pontari.us guys are trying to make it a media sharing network, too.
badlop
<fippo> i've added the ca location to the wiki page btw <-- and i added instructions to build the CSR
Dave Cridland
Kev, Can you do some DNS magic for me?
fippo
Kev: if you're incrementing the serial anyway, can you add a no.such.xmpptest.com srv record pointing to . (which iirc means: no such service)
Dave Cridland
fippo, Oh, nice thought.
Dave Cridland
Kev, In that case, also add an A record pointing somewhere interesting we can log.
Dave Cridland is pretty sure we'll fail that.
Dave Cridland
Kev, When you're back, then, I have 217.155.137.58 (5222/5269) servicing mlinkrelease.xmpptest.com - feel free to give it a random hostname, like, say, mlinktrunk.xmpptest.com. :-)