interop - 2010-12-07

  1. MattJ has left

  2. Florob has left

  3. badlop has left

  4. remko has joined

  5. remko has left

  6. Tobias has joined

  7. remko has joined

  8. Jonas has joined

  9. tuomas has joined

  10. Tobias has left

  11. Tobias has joined

  12. Jonas has joined

  13. Jonas has joined

  14. steve.kille has joined

  15. Tobias has left

  16. Flo has joined

  17. dbanes has joined

  18. Bob (BJ) has joined

  19. sjoerd.simons has left

  20. vt100 has joined

  21. sjoerd.simons has joined

  22. dbanes has left

  23. Tobias has joined

  24. vt100 has left

  25. Jonas has left

  26. MattJ has joined

  27. badlop has joined

  28. wjt has joined

  29. fippo

    mattj :-)

  30. Tobias has left

  31. wjt has left

  32. Tobias has joined

  33. Tobias has left

  34. Tobias has joined

  35. remko has left

  36. remko has joined

  37. Tobias has left

  38. Florob has joined

  39. Bob (BJ) has left

  40. Florob has left

  41. Tobias has joined

  42. remko

    quiet interop day today?

  43. Florian


  44. Zash

    Does that mean that everything's fine or that stuff is horribly broken and everyone just sits and stares at the code?

  45. MattJ


  46. MattJ

    fippo, it would have saved me some time if you generated CSRs, but I can do it shortly if you're too lazy ;)

  47. MattJ

    fippo, unless you happen to have a copy of the Prosody repo

  48. MattJ

    in certs/ there's a Makefile

  49. Kev

    So, I think we need to initially get to the stage where every server is running up with a CA-generated cert for their domain.

  50. MattJ

    make, edit the generated file accordingly

  51. MattJ

    then make

  52. Kev

    Once we're there, we can start testing basic s2s interop.

  53. MattJ

    Indeed, but if I have to start generating CSRs for everyone who needs a cert then it means it's going to take twice as long :)

  54. MattJ

    I can do it, if people send me the details

  55. Kev

    Dave's taking over mlinkrelease from me, btw.

  56. MattJ


  57. MattJ

    fippo, it looks like I have a fix from Isode - did you say the CSR you sent was wrong anyway? or would it be fine for me to sign it now?

  58. fippo

    mattj: the csr I sent you was based on a old version and contained funny hostnames

  59. Tobias has left

  60. MattJ

    fippo, aha, found why Prosody isn't advertising starttls

  61. MattJ

    the CA stuff doesn't generate PEM by default

  62. Dave Cridland

    MattJ, While we were tinkering, we noticed that the CRL DP is mis-marked critical in end-user certificates, so you'll probably want to reissue those. :-(

  63. Dave Cridland

    (It's technically just about legal - breaking a SHOULD - but OpenSSL certainly rejects them)

  64. MattJ

    Ah... ok

  65. Dave Cridland

    MattJ, That fix also fixes that issue. (Along with the other niggles and things you found).

  66. fippo

    mattj: openssl did not expect a DER ca certificate either :-)

  67. fippo wonders if we're doing openssl interop testing

  68. MattJ


  69. Dave Cridland

    fippo, Or X.509 interop at least.

  70. fippo


  71. Asterix has left

  72. fippo

    i've added the ca location to the wiki page btw

  73. MattJ


  74. remko has left

  75. florob42 has joined

  76. tuomas has left

  77. stpeter has joined

  78. Tobias has joined

  79. Tobias

    aren't CRLs normally provided via HTTPS? or are they already signed?

  80. Tobias


  81. fippo

    tobias: dave will explain that in a second :-)

  82. MattJ


  83. steve.kille

    CRLs are signed, so can be distributed by any mechanism. Location is explicitly or implicitly specified in the Cert. Usual distribution is either LDAP or HTTP. HTTPS is not really needed, although sometimes used

  84. Tobias

    steve.kille: ahh..k..then it makes sense :)

  85. steve.kille has left

  86. steve.kille has joined

  87. remko has joined

  88. remko has left

  89. remko has joined

  90. sjoerd.simons has left

  91. sjoerd.simons has joined

  92. sjoerd.simons has left

  93. Dave Cridland

    Tobias, The only CA I've seen using https is The problem is, how do you verify the cert used in HTTPS, and if it fails to verify but the CRL is still signed (and within its expiry), what do you do anyway?

  94. Tobias

    throw a coin

  95. Tobias

    what do you do anyway if the resource of the CRL is unavailable

  96. zanchin has left

  97. Dave Cridland

    Tobias, Ah, then the certificate is unverifiable, so cannot be trusted.

  98. Dave Cridland

    Could be an attack on the CA to avoid disclosure of a revocation.

  99. Dave Cridland

    Tobias, But that's why I personally prefer OCSP stapling, which largely avoids that case. But we don't support that. (yet?)

  100. Dave Cridland

    MattJ, Do we need to resend CSRs?

  101. fippo

    badlop: is ejabberd21 already tls-enabled?

  102. badlop

    tls not enabled; what cert should i install in it?

  103. Dave Cridland

    badlop, If you generate a CSR, then MattJ has the CA, and can issue you a cert.

  104. Dave Cridland


  105. fippo

    prosody has a really nice makefile for generating csrs

  106. Flo has left

  107. Dave Cridland

    fippo, Sodium is rather spiffy, too. Like Prosody's makefile, as I understand things, it generates the CSR from the configuration.

  108. fippo

    Interop day 2: We made mattj sign CSRs all day

  109. Zash

    Dave Cridland: not yet, but I have a prosodyctl patch that makes it spit out a SAN section for a openssl.cnf :)

  110. Dave Cridland sends two more CSRs to MattJ

  111. badlop

    what's his email address?

  112. badlop


  113. stpeter

    are we working on email interop? :)

  114. stpeter

    we need a way to attach files to a MUC room....

  115. Dave Cridland

    stpeter, What, send the CSRs via MUC?

  116. Tobias

    yeah..since normal p2p filetransfer already works that nice :P

  117. stpeter

    attach to the room

  118. Dave Cridland has left

  119. stpeter

    if you wanted to have it available to all

  120. Dave Cridland has joined

  121. stpeter

    Tobias: heh, well, I just received a file from someone outside Cisco and it all worked fine, but it's not as reliable as it should be :(

  122. Zash


  123. stpeter


  124. Dave Cridland

    stpeter, Yeah, one of our (XMPP) partners sent me a file. Surprised the heck out of me that it worked.

  125. Zash

    Bah, XMPP is a messaging protocol, not a file-sharing protocol!

  126. Zash


  127. Dave Cridland

    At least the guys are trying to make it a media sharing network, too.

  128. badlop

    <fippo> i've added the ca location to the wiki page btw <-- and i added instructions to build the CSR

  129. Dave Cridland

    Kev, Can you do some DNS magic for me?

  130. fippo

    Kev: if you're incrementing the serial anyway, can you add a srv record pointing to . (which iirc means: no such service)

  131. Dave Cridland

    fippo, Oh, nice thought.

  132. Dave Cridland

    Kev, In that case, also add an A record pointing somewhere interesting we can log.

  133. Dave Cridland is pretty sure we'll fail that.

  134. Dave Cridland

    Kev, When you're back, then, I have (5222/5269) servicing - feel free to give it a random hostname, like, say, :-)

  135. remko has left

  136. kurt.zeilenga has joined

  137. kurt.zeilenga has left

  138. badlop has left

  139. florob42 has left

  140. Florob has joined

  141. Asterix has left

  142. MattJ has left

  143. Kev

    It'll wait until tomorrow, I expect :)

  144. Florob has left

  145. Florob has joined

  146. Tobias has left

  147. stpeter has left