-
fippo
mattj :-)
-
remko
quiet interop day today?
-
Florian
very
-
Zash
Does that mean that everything's fine or that stuff is horribly broken and everyone just sits an stares at the code?
-
MattJ
:)
-
MattJ
fippo, it would have saved me some time if you generated CSRs, but I can do it shortly if you're too lazy ;)
-
MattJ
fippo, unless you happen to have a copy of the Prosody repo
-
MattJ
in certs/ there's a Makefile
-
Kev
So, I think we need to initially get to the stage where every server is running up with a CA-generated cert for their domain.
-
MattJ
make yourdomain.com.cnf, edit the generated file accordingly
-
MattJ
then make yourdomain.com.csr
-
Kev
Once we're there, we can start testing basic s2s interop.
-
MattJ
Indeed, but if I have to start generating CSRs for everyone who needs a cert then it means it's going to take twice as long :)
-
MattJ
I can do it, if people send me the details
-
Kev
Dave's taking over mlinkrelease from me, btw.
-
MattJ
k
-
MattJ
fippo, it looks like I have a fix from Isode - did you say the CSR you sent was wrong anyway? or would it be fine for me to sign it now?
-
fippo
mattj: the csr I sent you was based on a old version and contained funny hostnames
-
MattJ
fippo, aha, found why Prosody isn't advertising starttls
-
MattJ
the CA stuff doesn't generate PEM by default
-
Dave Cridland
MattJ, While we were tinkering, we noticed that the CRL DP is mis-marked critical in end-user certificates, so you'll probably want to reissue those. :-(
-
Dave Cridland
(It's technically just about legal - breaking a SHOULD - but OpenSSL certainly rejects them)
-
MattJ
Ah... ok
-
Dave Cridland
MattJ, That fix also fixes that issue. (Along with the other niggles and things you found).
-
fippo
mattj: openssl did not expect a DER ca certificate either :-)
- fippo wonders if we're doing openssl interop testing
-
MattJ
:)
-
Dave Cridland
fippo, Or X.509 interop at least.
-
fippo
yai
-
fippo
i've added the ca location to the wiki page btw
-
MattJ
Thanks
-
Tobias
aren't CRLs normally provided via HTTPS? or are they already singed?
-
Tobias
*signed
-
fippo
tobias: dave will explain that in a second :-)
-
MattJ
Heh
-
steve.kille
CRLs are signed, so can be distributed by any mechanism. Location is explicitly or imi=plicity specified in the Cert. Usual distribution is either LDAP or HTTP. HTTPS is not really needed, although sometimes used
-
Tobias
steve.kille: ahh..k..then it makes sense :)
-
Dave Cridland
Tobias, The only CA I've seen using https is CACert.org. The problem is, how do you verify the cert used in HTTPS, and if it fails to verify but the CRL is still signed (and within its expiry), what do you do anyway?
-
Tobias
throw a coin
-
Tobias
what do you do anyway if the resource of the CRL is unavailable
-
Dave Cridland
Tobias, Ah, then the certificate is unverifiable, so cannot be trusted.
-
Dave Cridland
Could be an attack on the CA to avoid disclosure of a revocation.
-
Dave Cridland
Tobias, But that's why I personally prefer OCSP stapling, which largely avoids that case. But we don't support that. (yet?)
-
Dave Cridland
MattJ, Do we need to resend CSRs?
-
fippo
badlop: is ejabberd21 already tls-enabled?
-
badlop
tls not enabled; what cert should i install in it?
-
Dave Cridland
badlop, If you generate a CSR, then MattJ has the CA, and can issue you a cert.
-
Dave Cridland
badlop, http://ca.xmpptest.com
-
fippo
prosody has a really nice makefile for generating csrs
-
Dave Cridland
fippo, Sodium is rather spiffy, too. Like Prosody's makefile, as I understand things, it generates the CSR from the configuration.
-
fippo
Interop day 2: We made mattj sign CSRs all day
-
Zash
Dave Cridland: not yet, but I have a prosodyctl patch that makes it spit out a SAN section for a openssl.cnf :)
- Dave Cridland sends two more CSRs to MattJ
-
badlop
what's his email address?
-
badlop
ah, mwild1@gmail.com
-
stpeter
are we working on email interop? :)
-
stpeter
we need a way to attach files to a MUC room....
-
Dave Cridland
stpeter, What, send the CSRs via MUC?
-
Tobias
yeah..since normal p2p filetransfer already works that nice :P
-
stpeter
attach to the room
-
stpeter
if you wanted to have it available to all
-
stpeter
Tobias: heh, well, I just received a file from someone outside Cisco and it all worked fine, but it's not as reliable as it should be :(
-
Zash
mod_pastebin!
-
stpeter
:)
-
Dave Cridland
stpeter, Yeah, one of our (XMPP) partners sent me a file. Surprised the heck out of me that it worked.
-
Zash
Bah, XMPP is a messaging protocol, not a file-sharing protocol!
-
Zash
;)
-
Dave Cridland
At least the Pontari.us guys are trying to make it a media sharing network, too.
-
badlop
<fippo> i've added the ca location to the wiki page btw <-- and i added instructions to build the CSR
-
Dave Cridland
Kev, Can you do some DNS magic for me?
-
fippo
Kev: if you're incrementing the serial anyway, cann you add a no.such.xmpptest.com srv record pointing to . (which iirc means: no such service)
-
Dave Cridland
fippo, Oh, nice thought.
-
Dave Cridland
Kev, In that case, also add an A record pointing somewhere interesting we can log.
- Dave Cridland is pretty sure we'll fail that.
-
Dave Cridland
Kev, When you're back, then, I have 217.155.137.58 (5222/5269) servicing mlinkrelease.xmpptest.com - feel free to give it a random hostname, like, say, mlinktrunk.xmpptest.com. :-)
-
Kev
It'll wait until tomorrow, I expect :)