Kev: Right, yes, DNS. fippo / Dave Cridland: What were the records you were suggesting adding yesterday?
Dave Cridland: Yesterday [20:56:49] [Isode Unclassified] Dave Cridland: [[Isode Unclassified]]
Kev, When you're back, then, I have 217.155.137.58 (5222/5269) servicing mlinkrelease.xmpptest.com - feel free to give it a random hostname, like, say, mlinktrunk.xmpptest.com. :-)
Kev: Please check it's now right.
Dave Cridland: Kev, No A/AAAA records, but the SRV looks OK.
Dave Cridland: A is 217.155.137.58, AAAA is 2001:470:1f09:882:c0c8:f9ff:fec0:d982
Kev: Relly?
Kev: *really
Kev: mlinktrunk.xmpptest.com IN A 217.155.137.58
Kev: That *looks* right to me.
Kev: Ah, no, because I'm a twit.
Dave Cridland: "."
Kev: mlinktrunk IN A 217.155.137.58
Kev: Should be happier now.
Dave Cridland: If I hadn't cached the duff records.
Kev: Oh, I'd assumed you'd be querying athena.
Dave Cridland: Can you stick in the AAAA as well, in case anyone's doing IPv6 interop too?
Kev: Done
Dave Cridland: Marv.
Dave Cridland: Can any server developers confirm that the service xmpp:mlinkrelease.xmpptest.com is reachable now?
fippo: it is - but it does not seem to do tls anymore?
* Tobias has joined
Dave Cridland: fippo, No, that's okay, haven't done that bit yet - doing that now. Thanks.
bear: I have a draft post for a very brief "day one" report of the interop - still chewing thru the logs for details but I wanted to get a post going
bear: could someone take a quick look for a review (I'm also going to post to comm team list)
Dave Cridland: Mail a draft to the interop mailing list?
bear: ah
bear: yes
Dave Cridland: mlinkrelease.xmpptest.com should now have TLS-loveliness.
* badlop has joined
bear: draft posted to list
Dave Cridland: bear, Matthew Wild was/is operating the CA.
bear: k
fippo: dave: works with dialback-after-tls, that boring sasl thing and d-w-d
Dave Cridland: bear, And you're mixing both company names (Isode, Collabora) and product names (ejabberd, SAFEchat)
bear: I pulled from the wiki, hmm, guess I should also update/correct that then
Dave Cridland: bear, I think both are useful, but you're listing "SAFEchat" as a client developer (it's a client, the developers are BoldonJames) and Isode as a server (whereas our server is called M-Link)
bear: oh - I see. that's a personal glitch of mine - I can never remember M-Link and have always called your software Isode
* bear will beat that out of himself later
Dave Cridland: bear, Quite. Or Will will.
bear: eeek
Dave Cridland: OK, I've flipped my mlinktrunk.xmpptest.com server into only accepting strong authentication (ie, TLS with a verifiable certificate) for anything within xmpptest.com
bear: ok, text adjusted - sending new version to list
* fippo turns off tls and tests again
Dave Cridland: I'll do something similar for mlinkrelease in a moment. I'll require a valid cert, although mlinkrelease will accept dialback as sufficient and won't do CRL checking.
Dave Cridland: Actually, mlinkrelease will even accept no TLS at all, so I may not bother.
fippo: works - I get a policy violation dialback error
Dave Cridland: 12/ 8 12:12:29 xmppd 32268 (root ) D-MBOX-Auth Rejecting (require tls peer control) connect from server psyced-db.xmpptest.com
Dave Cridland: fippo, Ah, yes, dialback errors too. :-)
Dave Cridland: fippo, Posh, aren't we?
fippo: you might want to put a <required/> into starttls :-)
* waqas has joined
* Tobias has left
Dave Cridland: fippo, Oh, isn't it there? I thought I'd got that as long as you sent a from (so it can look for the peer control) or if it's global (which it isn't on that server)
Dave Cridland: Oh. No, we don't - I carefully set a flag and then never use it. Well, that's an easy fix.
fippo: :-)
fippo: mh... I have a problem reaching trunk from -sasl
fippo: you don't offer external
* Zash has joined
Dave Cridland: 12/ 8 12:38:53 xmppd 32268 (root ) I-MBOX-Info Verifying certificate
12/ 8 12:38:53 xmppd 32268 (root ) I-MBOX-Info certificate (subject emailAddress=fippo@mail.symlynx.com,OU=XMPP Department,O=Your Organisation,L=The Internet,C=DE,CN=psyced-dwd.xmpptest.com), detail (email=fippo\\40mail.symlynx.com,ou=XMPP Department,o=Your Organisation,l=The Internet,c=DE,cn=psyced-dwd.xmpptest.com) error revocation status unknown for this certificate
12/ 8 12:38:53 xmppd 32268 (root ) N-MBOX-Notice TLS certificate verification failed
12/ 8 12:38:53 xmppd 32268 (root ) D-MBOX-Auth Rejecting (require strong auth peer control) connect from server psyced-dwd.xmpptest.com
Dave Cridland: Ah... I wonder if Matt's updated his CRL...
fippo: back to debugging x509 stuff :-)
Dave Cridland: No, it's just that Matt's not updated the CRL, so it's expired.
Dave Cridland: Hence M-Link can't tell if the CRL simply hasn't been updated, or if it's been replayed to conceal your certificate being revoked.
* Tobias has joined
Zash: So, who's winning? :)
* Tobias has left
Florian: right ...
Florian: MattJ: can I send you my CSR?
MattJ: Sure, mwild1@gmail.com
Kev: Zash: I'll be writing some suggested tests shortly.
MattJ: Florian, ah, got your PM, thanks
Kev: So at least there's some guidance on what to test :)
* MattJ set the topic to: XMPP Interop Event | 6th - 11th December 2010 | http://wiki.xmpp.org/web/Interop
Florian: :)
Florian: is there anything I need to do? Anything broken in Tigase that I should report back?
Dave Cridland: MattJ, Can you update the CRL file on the website?
MattJ: Dave Cridland, yes, I realised I hadn't done that this morning
MattJ: I regenerated it, but something distracted me from uploading
MattJ: There's a reason to use https for CRLs - an attacker could serve an old CRL over HTTP with nothing more than DNS poisoning
Kev: Florian: As nothing much has been tested yet ...
Dave Cridland: MattJ, No, because CRLs expire, so a replay attack has limited value.
MattJ: Aha
steve.kille: Technically, CRLs indicate when a new one will be issued, which is advisory rather than a hard expiration date, although it is generally treated as an expiration date
MattJ: This one's in date for a year, so have fun while you can
fippo: Kev: ah, I missed that dns question earlier. I would like a srv record for no.such.xmpptest.com pointing to "."
Florian: lol
Kev: fippo: Ok. Why, though?
MattJ: I second the request
MattJ: don't ask questions :)
fippo: Kev: servers should stop attempting to connect to that domain
Kev: Oh, should they?
Dave Cridland: Kev, Yes.
MattJ: They should, see the recent discussion on the list
Kev: Permanently?
MattJ: for as long as they would cache a normal SRV lookup
Kev: Oh, well, that's no time at all presumably :)
Kev: (For clients, anyway)
MattJ: it's better than pointing your records to example.com and waiting for $TCP_TIMEOUT
MattJ: this is a definitive way of saying "There is no XMPP service at this domain, give up"
Dave Cridland: Kev, Well, you *can* argue that it's the TTL, however I don't think that anything other than caching resolvers should actually cache.
Kev: no.such now has an entry of .
MattJ: Thanks
MattJ: Dave Cridland, why do you think that?
Kev: Although the results look a whole lot like they do for an entry that just doesn't exist.
fippo: mattj: old jabberd tried to cache itself - it was a bad idea
Kev: bear: I'll read your post in a moment, thanks.
MattJ: fippo, why? (you may guess by now that Prosody caches)
Dave Cridland: MattJ, Because it's just as fast to run a caching nameserver on the same machine, and that's more likely to be written by people who know about DNS.
bear: no worries kev - I need to give it a couple hours to give other TZs a chance to respond
MattJ: Fair enough
fippo: mattj: iirc it did not expire those records properly
MattJ: :)
MattJ: We fixed that bug a long time ago :)
* Zash has left
Dave Cridland: So presumably, if the CRL's been updated, then everyone should now be able to connect to mlinktrunk.xmpptest.com (and everything else)?
* louiz’ has joined
MattJ: Does OpenSSL do CRL checking automatically? It's likely I could connect to you all along :)
remko: no
Dave Cridland: MattJ, No, don't think so. We don't use it for that, anyway. (I think it can parse CRLs, etc, but I don't think it'll fetch them for you)
remko: if you look at the manual, you'll see that it has error codes for CRL, but that they are "Unused by OpenSSL"
MattJ: Lovely
Kev: Right, so, tests.
Kev: I'll put stuff on the wiki, but I'm thinking that something like this is sensible:
Kev: * Check a server can receive an iq response to a ping to each server, with whatever configuration.
remko: mattj: i'm wrong i think
Kev: * Set some of the servers (all that support it) to require TLS on s2s, test iq still works.
Kev: * Set servers to require TLS with identity verification, test iq still works.
remko: MattJ: i take everything back. I should have known better than to trust openssl documentation
Kev: That tests a base level of interop using s2s and TLS, I think.
MattJ: :)
Kev: * If any of the servers allow turning off dialback completely, doing that, and repeating.
Kev: (Dialback isn't bad, but relying on it is)
Kev: * Setting up a vhost on one of the servers, issuing and revoking a cert, and checking it can't then connect to any servers.
MattJ: and everyone fails that except M-Link? :)
Dave Cridland: Kev, So you want me to drop the TLS/strong-auth requirements for mlinktrunk?
Kev: I have no idea.
Kev: Dave Cridland: I think that'd be sensible for today.
Kev: First establishing that everyone will interop without TLS seems sensible.
Kev: Even though we know that'll work.
MattJ: Fine by me
Kev: What else do people want to test? I think just checking TLS+s2s this week is sensible, as a baseline and a first effort at an interop event.
Dave Cridland: That's fine by me. Do we want to check reachability to MUC domains as well?
Kev: For the clients, I think checking that they'll all connect ok to a server. Checking they'll all connect to a server with only TLS. Checking they won't connect to a server without TLS and with PLAIN. Revoking a cert and checking they warn the user (Swift will fail this). Logging in with a user cert.
Kev: Dave Cridland: Each of the listed domains would be sensible, yes.
Dave Cridland: Do we know if all the servers are configured with an Interop CA cert?
Kev: I guess we'll discover that when we try testing identity verification :)
Kev: Will someone volunteer to set up a vhost with a self-signed cert, and one with a revoked cert?
MattJ: Dave Cridland, the last outstanding CSR is Florian's, which I'm now processing (just sent badlop's)
Kev: I'm happy to set up both of those vhosts, actually.
Dave Cridland: Kev, I can do that.
Dave Cridland: Kev, Oh, or you can, great.
MattJ: Florian's has no SANs... should we allow this? :)
Kev: Dave Cridland: Disadvantage of that is that it needs to be yet another server for you - as you can't vhost either of your existing ones?
Dave Cridland: Kev, Sure I can, can't I?
Kev: Not if you want to test interop between that server and the denied domains.
Dave Cridland: Ah. Well, yes. I couldn't test between other domains on the same server, no.
Dave Cridland: Okay, I've reconfigured.
Dave Cridland: Shall I run through first?
Kev: I think there's no harm in it.
* Tobias has joined
Dave Cridland: So, mlinkrelease I get a pong.
Dave Cridland: (Which is just as well, frankly)
Dave Cridland: This all from mlinktrunk, BTW.
Dave Cridland: tigasetrunk, ping.
Dave Cridland: ejabberd21, ping.
Florian: SANs?
Dave Cridland: prosody8, ping.
Dave Cridland: psyced-db ping.
Kev: Florian: Subject alt names.
Tobias: i see you guys found the 'topic' feature ;)
Dave Cridland: psyced-dwd ping, psyced-sasl ping.
fippo: kev: would you put that list on the wiki please?
Kev: fippo: I'm doing so at the moment, yes.
Dave Cridland: So I think that's it from mlinktrunk. All success.
MattJ: Florian, the only domain you have listed is in the cn field, which isn't recommended
Dave Cridland: FWIW, I can even turn off checking that.
Dave Cridland: MattJ, You can add in other SANs before signing, though.
Florian: yeh
MattJ: I can? Oh yes...
MattJ: That was staring me in the face
fippo: dave: that was with optional starttls? It might be worth repeating with tls disabled
Dave Cridland: Right, just setting up a test account for mlinkrelease.
Dave Cridland: fippo, What, disabling TLS at my end?
fippo: yes. so we see that it fails with servers that <require/> tls
Dave Cridland: I think that's one to do later.
Kev: fippo: My intention is to do TLS requirements later.
fippo: wfm
MattJ: Florian, do you have a MUC domain?
Kev: fippo: I'll set up vhosts with invalid certs (self-signed, mismatch, and revoked) and test that s2s doesn't work.
* Florob has joined
fippo: kev: add an expired one
Florian: muc.*
Kev: fippo: Do you hate my time that much? :)
Dave Cridland: Okay, so from mlinkrelease, this time.
fippo: kev: and one that does not contain the vhostname
fippo: kev: :-)
Kev: Or my DSA setup, for that matter.
Kev: Yes, I said I'd add one with a host mismatch.
fippo: ah
Dave Cridland: mlinktrunk, ping
Dave Cridland: ejabberd21 ping
Dave Cridland: prosody8 ping
Dave Cridland: psyced-db ping
Dave Cridland: psyced-dwd ping
Dave Cridland: psyced-sasl ping.
MattJ: since XMPP implementations should recognise both xmppAddr and SRVName, only one of them should be necessary in a cert, right?
Dave Cridland: In principle... But in principle they'll recognise a URI one as well.
MattJ: .
Dave Cridland: In practice, most will rely on xmppAddr, and maybe sRVName.
Dave Cridland: tigasetrunk ping.
Dave Cridland: So full house from both.
Dave Cridland: As a general note to folk, you will need to bounce your servers, or force them to disconnect S2S some other way prior to running these tests.
Dave Cridland: Otherwise you may just be reusing connections.
Dave Cridland: (I say this because I only just remembered to do it)
Dave Cridland: So, who wants to go next?
Dave Cridland: Anyone?
fippo: just doing...
Dave Cridland: 12/ 8 14:38:03 xmppd 32680 (root ) I-MBOX-Info certificate (subject emailAddress=fippo@mail.symlynx.com,OU=hangtime department,O=hangtime,L=The Internet,C=DE,CN=psyced-db.xmpptest.com), detail (email=fippo\\40mail.symlynx.com,ou=hangtime department,o=hangtime,l=The Internet,c=DE,cn=psyced-db.xmpptest.com) error revocation status unknown for this certificate
I shouldn't be seeing that, I don't think.
* Dave Cridland wonders if he's caching the CRL for some reason.
Kev: http://wiki.xmpp.org/web/Interop#Testing
fippo: full house from psyced-db to anyone with tls, two failures without tls (psyced-dwd and psyced-external, but they enforce tls so that is expected)
Kev: fippo: It'd be great if you could put that in terms of my test numbers for me, please.
Dave Cridland: psyced-sasl, surely?
fippo: kev: will do on the wiki
fippo: dave: yes
* Florian has left
Kev: fippo: Or that, thanks. I'm happy to put it in the wiki, if you paste something here, equally.
Dave Cridland: BTW, as far as I remember, all servers supported XEP-0199, and gave a positive result (ie, not an error).
fippo: and all servers support the good old jabber:iq:version (I prefer that to ping somehow)
fippo: Kev: arr, your test structure conflicts with my host setup
Kev: fippo: I think it just means that some of your hosts don't participate in some tests.
fippo: yeah
Kev: e.g. ones that require TLS don't do test 1, they wait until test 2.
Dave Cridland: Well, we've not disabled TLS, so those ones should also work, still, surely?
Kev: Well, true.
fippo: yeah
fippo: they will fail with tigase, but that is expected
MattJ: Kev, it says notls is not yet set up - feel free to point that at me
MattJ: I can set up a vhost with no c2s/s2s TLS
Kev: MattJ: On the same host, or a different one?
Kev: The problem with you using a vhost on one of the test systems is that you then can't test those.
Dave Cridland: MattJ, On a different server to prosody8, so you can test?
MattJ: Good point
MattJ: Kev, point it to matthewwild.co.uk
Kev: Ta.
MattJ: brb
MattJ: btw, I think everyone has certs now - shout if I missed a request
Dave Cridland: Anyone editing the Wiki now? If not, I'll stick my other results in.
Kev: I'll be requesting more certs shortly, and then asking you to revoke one of them :)
Kev: Dave Cridland: I am not.
fippo: dave: I just edited
Dave Cridland: Right, as did I, but quickly enough apparently.
Kev: "they will fail with tigase, but that is expected"
Kev: Expected because...?
fippo: Kev: because tigase does not do tls, so if it meets a server that enforces tls it should fail
Kev: So, server people, are there any basic s2s interop tests that we should be adding that I haven't yet done?
Kev: fippo: It will never do TLS over s2s?
fippo: kev: afaik no
* stpeter has joined
* Dave Cridland asks Florian.
Dave Cridland: Anyway - who's next on doing the tests?
fippo: I am not seeing a version attribute on the stream headers either
Dave Cridland: MattJ, ?
MattJ: back
MattJ: I'm next I think
Dave Cridland: OK.
Dave Cridland: stpeter, Are there any other server implementors we could bring in, do you think?
* Florian has joined
stpeter: have we pinged Openfire and jabberd2?
Florian: as a response to Dave's question: [15:04:05] <Artur> no, this is what I am working on right now :-)
Florian: (TLS on S2S)
Kev: stpeter: In as much as we pinged the relevant XSF lists, and I assume they listen to them.
stpeter: rightio
Kev: Pinging them directly would not be a horrible idea.
Dave Cridland: stpeter, Who would we ping for those?
stpeter: I haven't seen a reply to the last message I sent to some Openfire folks
MattJ: Coversant?
Dave Cridland: MattJ, Good point.
stpeter: Tomasz Serna is the jabberd2 contact -- mailto:tomek@xiaoka.com
fippo: Dave: if time permits (and that is a large if) I'll try to set up jabberd14
MattJ: stpeter, poked in jdev
stpeter: heh ok
stpeter: MattJ: Tomasz is there?
MattJ: smoku
stpeter: right
stpeter: that's the one :)
stpeter: I'll ping Jason Frankel at Coversant
Dave Cridland: I was just writing a mail to Dave Richards.
Dave Cridland: But two won't hurt.
stpeter: yep
stpeter: email sent to Jason
MattJ: Dave Cridland, did you ping manually?
Dave Cridland: MattJ, Once a year, yes.
MattJ: .
* MattJ writes a script
Dave Cridland: MattJ, No, I used Gajim.
MattJ: s/writes/adopts/
Dave Cridland: MattJ, Started a chat to each server and typed /ping
MattJ: Now there's an idea
Dave Cridland: MattJ, I'm full of 'em.
MattJ: I didn't say it was a good one
stpeter: I wonder if we need to cull the list of XMPP servers at http://xmpp.org/xmpp-software/servers/
MattJ: Works, amazing
MattJ: stpeter, email them all, if they don't respond - remove them? :)
bear: stpeter - I was thinking of suggesting that after N rounds of interops we could start making active/inactive categories
Dave Cridland: stpeter, It might be interesting, if we can get these interop sessions to happen reasonably frequently, to say that in order to be listed you need to at least participate in interop.
stpeter: MattJ: even better, ask them to participate in interop, if they don't participate then remove 'em
MattJ: Heh
stpeter: heh
stpeter: GMTA
MattJ: and I thought I was being harsh
Dave Cridland: steve.kille, Fools seldom differ.
stpeter: quarterly interop week
Dave Cridland: stpeter, rather.
* Florian has left
Dave Cridland: Didn't look at what "st<TAB>" gave me.
stpeter: brb
MattJ: or we make it a requirement to run a server at *.interop.xmpp.org :)
bear: xmpptest.com also
MattJ: In the Prosody early days we had a test script that pinged each server there daily
Dave Cridland: MattJ, I'm not mad keen on constantly running an interop test server, to be honest. Unused/unwatched servers tend to develop embarrassing failures at the worst moment.
MattJ: bear, just point xmpptest.com at prosody.im, thanks ;)
Kev: I'm inclined to leave the DNS in place ready for the next event, and to have the CA kept around ready to run up, but I don't think it's very valuable to have them up between events.
MattJ: Anyway, the server would be watched by me
Kev: Plus it increases the value of the interop events :)
bear: kev +1
MattJ: Interop events are inconvenient, there's little reason I need all of you here to do what I'm doing right now
Dave Cridland: MattJ, It's a social thing. We're all going out to drink beer afterward, right?
MattJ: Orange juice for me please
Dave Cridland: MattJ, Sure. Pay no attention to this bottle of vodka.
MattJ: I wish Gajim would let you inspect the server cert
MattJ: as a client
* Florian has joined
MattJ: Bouncing prosody8
MattJ: mlinktrunk: OK
MattJ: mlinkrelease: OK
MattJ: ejabberd21: OK
MattJ: pscyed-db: OK
MattJ: pscyed-sasl: FAIL
Dave Cridland: Fail?
MattJ: psyced-dwd: FAIL
Dave Cridland: Did you disable your cert (or TLS)?
MattJ: Going to check
fippo: verify result 34
fippo: ah... that critical extension thing
MattJ: Looks like they hung up on me
Dave Cridland: Ah - MattJ, you'll need to make yourself a new cert.
MattJ: Aha
Kev: How could they?
fippo: they're evil
Kev: Natch.
* Florian has left
Kev: Can someone confirm whether I've screwed up DNS for notls.xmpptest.com, please?
Kev: It looks to me like I have.
Kev: Oh.
Kev: ;; AUTHORITY SECTION:
xmpptest.com. 3600 IN SOA xmpp.org. hostmaster.xmpp.org. 2010120803 14400 3600 604800 43200
Dave Cridland: notls.xmpptest.com. 0 IN A 67.215.65.132
Kev: That means it's using the serial that's two older than the current (05)
Dave Cridland: zero-TTL?
Kev: The intention was 1 hour
Dave Cridland: Oh, no, that's opendns being crap.
* Florian has joined
Dave Cridland: SOA serial : 2010120803
MattJ: Bouncing prosody8
MattJ: Dave Cridland, why did M-Link not fail?
Dave Cridland: Also direct to Athena.
Dave Cridland: MattJ, Not configured to mandate TLS or strong-auth, so it'll have done dialback.
MattJ: Now my client can't log in - "no shared cipher" :(
MattJ: Hmm
MattJ: Key/cert mismatch I think
MattJ: Dec 08 15:32:12 s2smanager debug pscyed-dwd.xmpptest.com has no SRV records, falling back to A
MattJ: Grr
Kev: o_O
* Florian has left
Dave Cridland: MattJ, It seems to...
* Florian has joined
MattJ: $ host -t srv _xmpp-server.psyced-dwd.xmpptest.com
Host _xmpp-server.psyced-dwd.xmpptest.com not found: 3(NXDOMAIN)
Dave Cridland: _tcp
MattJ: oops
* Florian has left
MattJ: Ok
fippo: and you pinged pscyed, not psyced
Dave Cridland: Ah, yes...
MattJ: Grr
MattJ: All work
Kev: Ok, DNS is confusing me.
Dave Cridland: Why?
Kev: We're up to 2010120806, but I'm still getting 2010120803 from athena.
Florob: Isn't it reassuring if your software works better than you do :)
Dave Cridland: Have you reloaded bind, and, if so, is there anything in its logs about why it's refusing to load the zone?
MattJ: Florob, :)
Kev: I'm not even sure where bind logs.
MattJ: daemon.log for me, as named
bear: IIRC it's the default syslog output - /var/log/messages or somesuch
Kev: Ta.
Kev: Ah.
Kev: no.such IN A .
Isn't a valid line.
MattJ: wiki updated
MattJ: but the other servers accept it?
MattJ: Wait - shouldn't that be SRV?
Kev: I was just asked to put a line with '.' in for 'no.such.xmpptest.com', so I assumed it was A that was wanter.
Kev: s/wanter/wanted/
MattJ: No, SRV, sorry
Tobias: Kev: the one that fippo mentioned was a SRV record IIRC
MattJ: the target is just .
Kev: Ok, working fine now, ta.
MattJ: Council in 15?
Kev: So I can get onto setting up the invalid TLS domains now :)
Kev: Yep.
Tobias: jup
* prefiks has joined
* prefiks has left
* prefiks has joined
* prefiks has left
Kev: expiredcert, mismatchcert and revokedcert are all up - albeit without the certs they claim to have.
* Florob has left
* Florian has joined
* Florian has left
badlop: i've installed the cert in ejabberd21, enabled TLS in c2s and s2s, it connected with TLS to all the other 7 Interop servers except mlinkrelease.xmpptest.com, which apparently couldn't set up TLS
Kev: badlop: Is that with TLS required, or simply allowed?
Dave Cridland: badlop, Oh. Curious. One sec.
badlop: allowed, because ejabberd first attempts TLS, if anything fails it attempts non-TLS
Dave Cridland: I see it working, which is confusing. One sec, let me bounce my server and we'll have another go - it's mlinkrelease, not trunk, right?
Dave Cridland: 12/ 8 19:20:37 xmppd 07463 (root ) N-MBOX-Notice Peer ejabberd21.xmpptest.com authenticates via TLS.
12/ 8 19:20:37 xmppd 07463 (root ) I-MBOX-Info successful setup originating db connection from mlinkrelease.xmpptest.com to ejabberd21.xmpptest.com
Dave Cridland: And I'm getting all that kind of stuff on mlinkrelease, which looks like it should be working.
Dave Cridland: And I can indeed ping ejabberd21 after a restart, too, from mlinkrelease.
badlop: and do you get the exact same report with mlinktrunk?
Dave Cridland: Ah. No. CRL failure. But, it still sets up a session.
Dave Cridland: Yup, pings there too.
* Florian has joined
Dave Cridland: badlop, When you say "connected with TLS", and "couldn't setup TLS", do you mean TLS itself, or EXTERNAL?
badlop: the logs aren't explicit, so i imagine it's TLS
badlop: i'll check the source now
badlop: so, don't worry yet about what ejabberd reports
* bear has left
* bear has joined
* Tobias has left
* Florob has left
* Florian has left
* Dave Cridland has left
* Dave Cridland has joined
Dave Cridland: badlop, Well, we're seeing TLS setup but the CRL fail.
Dave Cridland: Looking into that, it seems the CRL DP has a PEM-encoded CRL, whereas the standard mandates a DER-encoded one. Our software is being picky. I'll figure out some instructions for MattJ
Dave Cridland: No, indeed, the PEM one does crl.pem in PEM, and the DER one does crl.crl in DER.
Dave Cridland: Ooops. Wrong window.
Dave Cridland: Although right conversation, bewilderingly.
bear: :)
bear: I figured you were just continuing your out-loud debugging
Dave Cridland: MattJ, Can you export the CRL in DER format - that'll generate a crl.crl for you to put on that website.
MattJ: Overwrite the PEM one?
Dave Cridland: Yes. The standard says DER.
MattJ: Try now
* Florian has joined
* Tobias has joined
badlop: Dave Cridland: right now, ejabberd -- mlinkrelease: s2s with TLS works
* Florian/Der Graf has joined
* tuomas has left
* Tobias has left
* Zash has joined
* Kanchil/Der Graf has joined
* Kanchil/Der Graf/Der Graf has joined
* Kanchil/Der Graf/Der Graf has left
* MattJ/Der Graf has joined
* MattJ/Der Graf has left
* remko has left
* remko has joined
* Asterix has joined
* Florian/Der Graf has joined
* remko has left
* Florian has left
badlop: umm, ejabberd -> tigase doesn't work with TLS, because tigase response doesn't include stream:features:
192.168.001.011.36481-094.023.164.209.05269:
<?xml version='1.0'?>
<stream:stream xmlns:stream='http://etherx.jabber.org/streams'
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
to='tigase.me'
version='1.0'>
</stream:stream>
094.023.164.209.05269-192.168.001.011.36481:
<stream:stream xmlns:stream='http://etherx.jabber.org/streams'
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
id='f1cf3e1a-8405-4146-82d7-454d3cfb2105'>
</stream:stream>
Dave Cridland: badlop, Right, Tigase doesn't do TLS over S2S.
Kev: That's not just not doing TLS, though - that's not doing XMPP 1.0, is it?
Kev: (Yes, I realise TLS is a requirement for XMPP 1.0 as well)
Dave Cridland: Or alternately, can anyone get me the certificate off ejabberd21.xmpptest.com? openssl's s_client isn't quite clever enough to grab it.
fippo: dave: I told you to get my patched version :-)
Dave Cridland: fippo, We have starttls xmpp, but it sends the hostname not the domain.
fippo: dave: so your patch is similar to the crippled one the openssl people accepted for c2s :-p (shall I start a rant about openssl and how to get a feature patch accepted?)
remko: there's xmpp starttls support in openssl?
zash: There is
fippo: there is - c2s, without support for servers that actually use srv records
remko: handy
Dave Cridland: fippo, Your patch is better?
zash: In, 0.9.8g and above IIRC
fippo: dave: you can specify starttls to+from independently on the commandline
zash: no, later
Dave Cridland: fippo, Oh, cool. Where is it again?
remko: oh, *without* srv
Dave Cridland: zash, Not later. Now!
zash: Dave Cridland: Later version of openssl :/
Dave Cridland: zash, Oh... Right.
* remko has left
* Kev has left
fippo: badlop: do you see any hints why a host named 'fippo.testing.openssl' is not offered tls (or version 1.0) from ejabberd21.xmpptest.com?
fippo: typically, that tool works with ejabberd
Dave Cridland: fippo, Ah, yes, same for me. (With that tool, nice).
fippo: dave: it works with -connect jabberd.jabber.ccc.de -starttls_to jabber.ccc.de
Dave Cridland: fippo, Works against mlinktrunk, too.
badlop: fippo: how can i reproduce that problem myself?
* Tobias has left
Dave Cridland: badlop, Can you send me the certificate?
fippo: dave: already gave you a link
* Flo has left
badlop: Dave Cridland: if that link doesn't help, ask me again for the cert