interop - 2010-12-08


  1. Florob has left

  2. Zash has left

  3. sjoerd.simons has joined

  4. steve.kille has left

  5. steve.kille has joined

  6. steve.kille has left

  7. steve.kille has joined

  8. steve.kille has left

  9. steve.kille has joined

  10. steve.kille has left

  11. steve.kille has joined

  12. steve.kille has left

  13. steve.kille has joined

  14. steve.kille has left

  15. steve.kille has joined

  16. steve.kille has left

  17. steve.kille has joined

  18. sjoerd.simons has left

  19. sjoerd.simons has joined

  20. steve.kille has left

  21. steve.kille has joined

  22. steve.kille has left

  23. steve.kille has joined

  24. steve.kille has left

  25. steve.kille has joined

  26. sjoerd.simons has left

  27. sjoerd.simons has joined

  28. steve.kille has left

  29. steve.kille has joined

  30. steve.kille has left

  31. steve.kille has joined

  32. steve.kille has left

  33. steve.kille has joined

  34. steve.kille has left

  35. steve.kille has joined

  36. sjoerd.simons has left

  37. steve.kille has left

  38. steve.kille has joined

  39. steve.kille has left

  40. steve.kille has joined

  41. Tobias has joined

  42. remko has joined

  43. tuomas has joined

  44. Flo has joined

  45. steve.kille has left

  46. steve.kille has joined

  47. MattJ has joined

  48. Sjoerd has joined

  49. Tobias has left

  50. Dave Cridland has left

  51. Dave Cridland has joined

  52. Sjoerd has left

  53. sjoerd.simons has joined

  54. Dave Cridland has left

  55. Dave Cridland has joined

  56. Kev

    Right, yes, DNS. fippo / Dave Cridland: What were the records you were suggesting adding yesterday?

  57. Dave Cridland

    Yesterday [20:56:49] [Isode Unclassified] Dave Cridland: [[Isode Unclassified]] Kev, When you're back, then, I have 217.155.137.58 (5222/5269) servicing mlinkrelease.xmpptest.com - feel free to give it a random hostname, like, say, mlinktrunk.xmpptest.com. :-)

  58. Kev

    Please check it's now right.

  59. Dave Cridland

    Kev, No A/AAAA records, but the SRV looks OK.

  60. Dave Cridland

    A is 217.155.137.58, AAAA is 2001:470:1f09:882:c0c8:f9ff:fec0:d982

  61. Kev

    Relly?

  62. Kev

    *really

  63. Kev

    mlinktrunk.xmpptest.com IN A 217.155.137.58

  64. Kev

    That *looks* right to me.

  65. Kev

    Ah, no, because I'm a twit.

  66. Dave Cridland

    "."

  67. Kev

    mlinktrunk IN A 217.155.137.58

  68. Kev

    Should be happier now.

  69. Dave Cridland

    If I hadn't cached the duff records.

  70. Kev

    Oh, I'd assumed you'd be querying athena.

  71. Dave Cridland

    Can you stick in the AAAA as well, in case anyone's doing IPv6 interop too?

  72. Kev

    Done

  73. Dave Cridland

    Marv.

  74. Dave Cridland

    Can any server developers confirm that the service xmpp:mlinkrelease.xmpptest.com is reachable now?

  75. fippo

    it is - but it does not seem to do tls anymore?

  76. Tobias has joined

  77. Dave Cridland

    fippo, No, that's okay, haven't done that bit yet - doing that now. Thanks.

  78. bear

    I have a draft post for a very brief "day one" report of the interop - still chewing thru the logs for details but I wanted to get a post going

  79. bear

    could someone take a quick look for a review (I'm also going to post to comm team list)

  80. Dave Cridland

    Mail a draft to the interop mailing list?

  81. bear

    ah

  82. bear

    yes

  83. Dave Cridland

    mlinkrelease.xmpptest.com should now have TLS-lovelyness.

  84. badlop has joined

  85. bear

    draft posted to list

  86. Dave Cridland

    bear, Matthew Wild was/is operating the CA.

  87. bear

    k

  88. fippo

    dave: works with dialback-after-tls, that boring sasl thing and d-w-d

  89. Dave Cridland

    bear, And you're mixing both company names (Isode, Collabora) and product names (ejabberd, SAFEchat)

  90. bear

    I pulled from the wiki, hmm, guess I should also update/correct that then

  91. Dave Cridland

    bear, I think both are useful, but you're listing "SAFEchat" as a client developer (it's a client, the developers are BoldonJames) and Isode as a server (Whereas our server is called M-Link)

  92. bear

    oh - I see. that's a personal glitch of mine - I can never remember m-link and have always called your software Isode

  93. bear will beat that out of himself later

  94. Dave Cridland

    bear, Quite. Or Will will.

  95. bear

    eeek

  96. Dave Cridland

    OK, I've flipped my mlinktrunk.xmpptest.com server into only accepting strong authentication (ie, TLS with a verifiable certificate) for anything within xmpptest.com

  97. bear

    ok, text adjusted - sending new version to list

  98. fippo turns off tls and tests again

  99. Dave Cridland

    I'll do something similar for mlinkrelease in a moment. I'll require a valid cert, although mlinkrelease will accept dialback as sufficient and won't do CRL checking.

  100. Dave Cridland

    Actually, mlinkrelease will even accept no TLS at all, so I may not bother.

  101. fippo

    works - I get a policy violation dialback error

  102. Dave Cridland

    12/ 8 12:12:29 xmppd 32268 (root ) D-MBOX-Auth Rejecting (require tls peer control) connect from server psyced-db.xmpptest.com

  103. Dave Cridland

    fippo, Ah, yes, dialback errors too. :-)

  104. Dave Cridland

    fippo, Posh, aren't we?

  105. fippo

    you might want to put a <required/> into starttls :-)

  106. waqas has joined

  107. Tobias has left

  108. Dave Cridland

    fippo, Oh, isn't it there? I thought I'd got that as long as you sent a from (so it can look for the peer control) or if it's global (which it isn't on that server)

  109. Dave Cridland

    Oh. No, we don't - I carefully set a flag and then never use it. Well, that's an easy fix.

  110. fippo

    :-)

  111. fippo

    mh... I have a problem reaching trunk from -sasl

  112. fippo

    you don't offer external

  113. Zash has joined

  114. Dave Cridland

    12/ 8 12:38:53 xmppd 32268 (root ) I-MBOX-Info Verifying certificate
    12/ 8 12:38:53 xmppd 32268 (root ) I-MBOX-Info certificate (subject emailAddress=fippo@mail.symlynx.com,OU=XMPP Department,O=Your Organisation,L=The Internet,C=DE,CN=psyced-dwd.xmpptest.com), detail (email=fippo\\40mail.symlynx.com,ou=XMPP Department,o=Your Organisation,l=The Internet,c=DE,cn=psyced-dwd.xmpptest.com) error revocation status unknown for this certificate
    12/ 8 12:38:53 xmppd 32268 (root ) N-MBOX-Notice TLS certificate verification failed
    12/ 8 12:38:53 xmppd 32268 (root ) D-MBOX-Auth Rejecting (require strong auth peer control) connect from server psyced-dwd.xmpptest.com

  115. Dave Cridland

    AH... I wonder if Matt's updated his CRL...

  116. fippo

    back to debugging x509 stuff :-)

  117. Dave Cridland

    No, it's just that Matt's not updated the CRL, so it's expired.

  118. Dave Cridland

    Hence M-Link can't tell if the CRL simply hasn't been updated, or if it's been replayed to conceal your certificate being revoked.

  119. Tobias has joined

  120. Zash

    So, who's winning? :)

  121. Tobias has left

  122. Florian

    right ...

  123. Florian

    MattJ: can I send you my CSR?

  124. MattJ

    Sure, mwild1@gmail.com

  125. Kev

    Zash: I'll be writing some suggested tests shortly.

  126. MattJ

    Florian, ah, got your PM, thanks

  127. Kev

    So at least there's some guidance on what to test :)

  128. MattJ set the topic to

    XMPP Interop Event | 6th - 11th December 2010 | http://wiki.xmpp.org/web/Interop

  129. Florian

    :)

  130. Florian

    is there anything I need to do? Anything broken in Tigase that I should report back?

  131. Dave Cridland

    MattJ, Can you update the CRL file on the website?

  132. MattJ

    Dave Cridland, yes, I realised I hadn't done that this morning

  133. MattJ

    I regenerated it, but something distracted me from uploading

  134. MattJ

    There's a reason to use https for CRLs - an attacker could serve an old CRL over HTTP with nothing more than DNS poisoning

  135. Kev

    Florian: As nothing much has been tested yet ...

  136. Dave Cridland

    MattJ, No, because CRLs expire, so a replay attack has limited value.

  137. MattJ

    Aha

  138. steve.kille

    Technically, CRLs indicate when a new one will be issued, which is advisory rather than a hard expiration date, although it is generally treated as an expiration date

  139. MattJ

    This one's in date for a year, so have fun while you can

  140. fippo

    Kev: ah, I missed that dns question earlier. I would like a srv record for no.such.xmpptest.com pointing to "."

  141. Florian

    lol

  142. Kev

    fippo: Ok. Why, though?

  143. MattJ

    I second the request

  144. MattJ

    don't ask questions :)

  145. fippo

    Kev: servers should stop attempting to connect that domain

  146. Kev

    Oh, should they?

  147. Dave Cridland

    Kev, Yes.

  148. MattJ

    They should, see the recent discussion on the list

  149. Kev

    Permanently?

  150. MattJ

    for as long as they would cache a normal SRV lookup

  151. Kev

    Oh, well, that's no time at all presumably :)

  152. Kev

    (For clients, anyway)

  153. MattJ

    it's better than pointing your records to example.com and waiting for $TCP_TIMEOUT

  154. MattJ

    this is a definitive way of saying "There is no XMPP service at this domain, give up"

  155. Dave Cridland

    Kev, Well, you *can* argue that it's the TTL, however I don't think that anything other than caching resolvers should actually cache.

  156. Kev

    no.such now has an entry of .

  157. MattJ

    Thanks

  158. MattJ

    Dave Cridland, why do you think that?

  159. Kev

    Although the results look a whole lot like they do for an entry that just doesn't exist.

  160. fippo

    mattj: old jabberd tried to cache itself - it was a bad idea

  161. Kev

    bear: I'll read your post in a moment, thanks.

  162. MattJ

    fippo, why? (you may guess by now that Prosody caches)

  163. Dave Cridland

    MattJ, Because it's just as fast to run a caching nameserver on the same machine, and that's more likely to be written by people who know about DNS.

  164. bear

    no worries kev - I need to give it a couple hours to let other TZ's a chance to respond

  165. MattJ

    Fair enough

  166. fippo

    mattj: iirc it did not expire those records properly

  167. MattJ

    :)

  168. MattJ

    We fixed that bug a long time ago :)

  169. Zash has left

  170. Dave Cridland

    So presumably, if the CRL's been updated, then everyone should now be able to connect to mlinktrunk.xmpptest.com (and everything else)?

  171. louiz’ has joined

  172. MattJ

    Does OpenSSL do CRL checking automatically? It's likely I could connect to you all along :)

  173. remko

    no

  174. Dave Cridland

    MattJ, No, don't think so. We don't use it for that, anyway. (I think it can parse CRLs, etc, but I don't think it'll fetch them for you)

  175. remko

    if you look at the manual, you'll see that it has error codes for CRL, but that they are "Unused by OpenSSL"

  176. MattJ

    Lovely

  177. Kev

    Right, so, tests.

  178. Kev

    I'll put stuff on the wiki, but I'm thinking that something like this is sensible:

  179. Kev

    * Check a server can receive an iq response to a ping to each server, with whatever configuration.

  180. remko

    mattj: i'm wrong i think

  181. Kev

    * Set some of the servers (all that support it) to require TLS on s2s, test iq still works.

  182. Kev

    * Set servers to require TLS with identity verification, test iq still works.

  183. remko

    MattJ: i take everything back. I should have known better than to trust on openssl documentation

  184. Kev

    That tests a base level of interop using s2s and TLS, I think.

  185. MattJ

    :)

  186. Kev

    * If any of the servers allow turning off dialback completely, doing that, and repeating.

  187. Kev

    (Dialback isn't bad, but relying on it is)

  188. Kev

    * Setting up a vhost on one of the servers, issuing and revoking a cert, and checking it can't then connect to any servers.

  189. MattJ

    and everyone fails that except M-Link? :)

  190. Dave Cridland

    Kev, So you want me to drop the TLS/strong-auth requirements for mlinktrunk?

  191. Kev

    I have no idea.

  192. Kev

    Dave Cridland: I think that'd be sensible for today.

  193. Kev

    First establishing that everyone will interop without TLS seems sensible.

  194. Kev

    Even though we know that'll work.

  195. MattJ

    Fine by me

  196. Kev

    What else do people want to test? I think just checking TLS+s2s this week is sensible, as a baseline and a first effort at an interop event.

  197. Dave Cridland

    That's fine by me. Do we want to check reachability to MUC domains as well?

  198. Kev

    For the clients, I think checking that they'll all connect ok to a server. Checking they'll all connect to a server with only TLS. Checking they won't connect to a server without TLS and with PLAIN. Revoking a cert and checking they warn the user (Swift will fail this). Logging in with a user cert.

  199. Kev

    Dave Cridland: Each of the listed domains would be sensible, yes.

  200. Dave Cridland

    Do we know if all the servers are configured with an Interop CA cert?

  201. Kev

    I guess we'll discover that when we try testing identity verification :)

  202. Kev

    Will someone volunteer to set up a vhost with a self-signed cert, and one with a revoked cert?

  203. MattJ

    Dave Cridland, the last outstanding CSR is Florian's, which I'm now processing (just sent badlop's)

  204. Kev

    I'm happy to set up both of those vhosts, actually.

  205. Dave Cridland

    Kev, I can do that.

  206. Dave Cridland

    Kev, Oh, or you can, great.

  207. MattJ

    Florian's has no SANs... should we allow this? :)

  208. Kev

    Dave Cridland: Disadvantage of that is that it needs to be yet another server for you - as you can't vhost either of your existing ones?

  209. Dave Cridland

    Kev, Sure I can, can't I?

  210. Kev

    Not if you want to test interop between that server and the denied domains.

  211. Dave Cridland

    Ah. Well, yes. I couldn't test between other domains on the same server, no.

  212. Dave Cridland

    Okay, I've reconfigured.

  213. Dave Cridland

    Shall I run through first?

  214. Kev

    I think there's no harm in it.

  215. Tobias has joined

  216. Dave Cridland

    So, mlinkrelease I get a pong.

  217. Dave Cridland

    (Which is just as well, frankly)

  218. Dave Cridland

    This all from mlinktrunk, BTW.

  219. Dave Cridland

    tigasetrunk, ping.

  220. Dave Cridland

    ejabberd21, ping.

  221. Florian

    SANs?

  222. Dave Cridland

    prosody8, ping.

  223. Dave Cridland

    psyced-db ping.

  224. Kev

    Florian: Subject alt names.

  225. Tobias

    i see you guys found the 'topic' feature ;)

  226. Dave Cridland

    psyced-dwd ping, psyced-sasl ping.

  227. fippo

    kev: would you put that list on the wiki please?

  228. Kev

    fippo: I'm doing so at the moment, yes.

  229. Dave Cridland

    So I think that's it from mlinktrunk. All success.

  230. MattJ

    Florian, the only domain you have listed is in the cn field, which isn't recommended

  231. Dave Cridland

    FWIW, I can even turn off checking that.

  232. Dave Cridland

    MattJ, You can add in other SANs before signing, though.

  233. Florian

    yeh

  234. MattJ

    I can? Oh yes...

  235. MattJ

    That was staring me in the face

  236. fippo

    dave: that was with optional starttls? It might be worth repeating with tls disabled

  237. Dave Cridland

    Right, just setting up a test account for mlinkrelease.

  238. Dave Cridland

    fippo, What, disabling TLS at my end?

  239. fippo

    yes. so we see that it fails with servers that <require/> tls

  240. Dave Cridland

    I think that's one to do later.

  241. Kev

    fippo: My intention is to do TLS requirements later.

  242. fippo

    wfm

  243. MattJ

    Florian, do you have a MUC domain?

  244. Kev

    fippo: I'll set up vhosts with invalid certs (self-signed, mismatch, and revoked) and test that s2s doesn't work.

  245. Florob has joined

  246. fippo

    kev: add an expired one

  247. Florian

    muc.*

  248. Kev

    fippo: Do you hate my time that much? :)

  249. Dave Cridland

    Okay, so from mlinkrelease, this time.

  250. fippo

    kev: and one that does not contain the vhostname

  251. fippo

    kev: :-)

  252. Kev

    Or my DSA setup, for that matter.

  253. Kev

    Yes, I said I'd add one with a host mismatch.

  254. fippo

    ah

  255. Dave Cridland

    mlinktrunk, ping

  256. Dave Cridland

    ejabberd21 ping

  257. Dave Cridland

    prosody8 ping

  258. Dave Cridland

    psyced-db ping

  259. Dave Cridland

    psyced-dwd ping

  260. Dave Cridland

    psyced-sasl ping.

  261. MattJ

    since XMPP implementations should recognise both xmppAddr and SRVName, only one of them should be necessary in a cert, right?

  262. Dave Cridland

    In principle... But in principle they'll recognise a URI one as well.

  263. MattJ

    .

  264. Dave Cridland

    In practice, most will rely on xmppAddr, and maybe sRVName.

  265. Dave Cridland

    tigasetrunk ping.

  266. Dave Cridland

    So full house from both.

  267. Dave Cridland

    As a general note to folk, you will need to bounce your servers, or force them to disconnect S2S some other way prior to running these tests.

  268. Dave Cridland

    Otherwise you may just be reusing connections.

  269. Dave Cridland

    (I say this because I only just remembered to do it)

  270. Dave Cridland

    So, who wants to go next?

  271. Dave Cridland

    Anyone?

  272. fippo

    just doing...

  273. Dave Cridland

    12/ 8 14:38:03 xmppd 32680 (root ) I-MBOX-Info certificate (subject emailAddress=fippo@mail.symlynx.com,OU=hangtime department,O=hangtime,L=The Internet,C=DE,CN=psyced-db.xmpptest.com), detail (email=fippo\\40mail.symlynx.com,ou=hangtime department,o=hangtime,l=The Internet,c=DE,cn=psyced-db.xmpptest.com) error revocation status unknown for this certificate
    I shouldn't be seeing that, I don't think.

  274. Dave Cridland wonders if he's caching the CRL for some reason.

  275. Kev

    http://wiki.xmpp.org/web/Interop#Testing

  276. fippo

    full house from psyced-db to anyone with tls, two failures without tls (psyced-dwd and psyced-external, but they enforce tls so that is expected)

  277. Kev

    fippo: It'd be great if you could put that in terms of my test numbers for me, please.

  278. Dave Cridland

    psyced-sasl, surely?

  279. fippo

    kev: will do on the wiki

  280. fippo

    dave: yes

  281. Florian has left

  282. Kev

    fippo: Or that, thanks. I'm happy to put it in the wiki, if you paste something here, equally.

  283. Dave Cridland

    BTW, as far as I remember, all servers supported XEP-0199, and gave a positive result (ie, not an error).

  284. fippo

    and all servers support the good old jabber:iq:version (I prefer that to ping somehow)

  285. fippo

    Kev: arr, your test structure conflicts with my host setup

  286. Kev

    fippo: I think it just means that some of your hosts don't participate in some tests.

  287. fippo

    yeah

  288. Kev

    e.g. ones that require TLS don't do test 1, they wait until test 2.

  289. Dave Cridland

    Well, we've not disabled TLS, so those ones should also work, still, surely?

  290. Kev

    Well, true.

  291. fippo

    yeah

  292. fippo

    they will fail with tigase, but that is expected

  293. MattJ

    Kev, it says notls is not yet set up - feel free to point that at me

  294. MattJ

    I can set up a vhost with no c2s/s2s TLS

  295. Kev

    MattJ: On the same host, or a different one?

  296. Kev

    The problem with you using a vhost on one of the test systems is that you then can't test those.

  297. Dave Cridland

    MattJ, On a different server to prosody8, so you can test?

  298. MattJ

    Good point

  299. MattJ

    Kev, point it to matthewwild.co.uk

  300. Kev

    Ta.

  301. MattJ

    brb

  302. MattJ

    btw, I think everyone has certs now - shout if I missed a request

  303. Dave Cridland

    Anyone editing the Wiki now? If not, I'll stick my other results in.

  304. Kev

    I'll be requesting more certs shortly, and then asking you to revoke one of them :)

  305. Kev

    Dave Cridland: I am not.

  306. fippo

    dave: I just edited

  307. Dave Cridland

    Right, as did I, but quickly enough apparently.

  308. Kev

    "they will fail with tigase, but that is expected"

  309. Kev

    Expected because...?

  310. fippo

    Kev: because tigase does not do tls, so if it meets a server that enforces tls it should fail

  311. Kev

    So, server people, are there any basic s2s interop tests that we should be adding that I haven't yet done?

  312. Kev

    fippo: It will never do TLS over s2s?

  313. fippo

    kev: afaik no

  314. stpeter has joined

  315. Dave Cridland asks Florian.

  316. Dave Cridland

    Anyway - who's next on doing the tests?

  317. fippo

    I am not seeing a version attribute on the stream headers either

  318. Dave Cridland

    MattJ, ?

  319. MattJ

    back

  320. MattJ

    I'm next I think

  321. Dave Cridland

    OK.

  322. Dave Cridland

    stpeter, Are there any other server implementors we could bring in, do you think?

  323. Florian has joined

  324. stpeter

    have we pinged Openfire and jabberd2?

  325. Florian

    as a response to Dave's question: [15:04:05] <Artur> no, this is what I am working on right now :-)

  326. Florian

    (TLS on S2S)

  327. Kev

    stpeter: In as much as we pinged the relevant XSF lists, and I assume they listen to them.

  328. stpeter

    rightio

  329. Kev

    Pinging them directly would not be a horrible idea.

  330. Dave Cridland

    stpeter, Who would we ping for those?

  331. stpeter

    I haven't seen a reply to the last message I sent to some Openfire folks

  332. MattJ

    Coversant?

  333. Dave Cridland

    MattJ, Good point.

  334. stpeter

    Tomasz Serna is the jabberd2 contact -- mailto:tomek@xiaoka.com

  335. fippo

    Dave: if time permits (and that is a large if) I'll try to set up jabberd14

  336. MattJ

    stpeter, poked in jdev

  337. stpeter

    heh ok

  338. stpeter

    MattJ: Tomasz is there?

  339. MattJ

    smoku

  340. stpeter

    right

  341. stpeter

    that's the one :)

  342. stpeter

    I'll ping Jason Frankel at Coversant

  343. Dave Cridland

    I was just writing a mail to Dave Richards.

  344. Dave Cridland

    But two won't hurt.

  345. stpeter

    yep

  346. stpeter

    email sent to Jason

  347. MattJ

    Dave Cridland, did you ping manually?

  348. Dave Cridland

    MattJ, Once a year, yes.

  349. MattJ

    .

  350. MattJ writes a script

  351. Dave Cridland

    MattJ, No, I used Gajim.

  352. MattJ

    s/writes/adopts/

  353. Dave Cridland

    MattJ, Started a chat to each server and typed /ping

  354. MattJ

    Now there's an idea

  355. Dave Cridland

    MattJ, I'm full of 'em.

  356. MattJ

    I didn't say it was a good one

  357. stpeter

    I wonder if we need to cull the list of XMPP servers at http://xmpp.org/xmpp-software/servers/

  358. MattJ

    Works, amazing

  359. MattJ

    stpeter, email them all, if they don't respond - remove them? :)

  360. bear

    stpeter - I was thinking of suggesting that after N rounds of interops we could start making active/inactive categories

  361. Dave Cridland

    stpeter, It might be interesting, if we can get these interop sessions to happen reasonably frequently, to say that in order to be listed you need to at least participate in interop.

  362. stpeter

    MattJ: even better, ask them to participate in interop, if they don't participate then remove 'em

  363. MattJ

    Heh

  364. stpeter

    heh

  365. stpeter

    GMTA

  366. MattJ

    and I thought I was being harsh

  367. Dave Cridland

    steve.kille, Fools seldom differ.

  368. stpeter

    quarterly interop week

  369. Dave Cridland

    stpeter, rather.

  370. Florian has left

  371. Dave Cridland

    Didn't look at what "st<TAB>" gave me.

  372. stpeter

    brb

  373. MattJ

    or we make it a requirement to run a server at *.interop.xmpp.org :)

  374. bear

    xmpptest.com also

  375. MattJ

    In the Prosody early days we had a test script that pinged each server there daily

  376. Dave Cridland

    MattJ, I'm not mad keen on constantly running an interop test server, to be honest. Unused/unwatched servers tend to develop embarrassing failures at the worst moment.

  377. MattJ

    bear, just point xmpptest.com at prosody.im, thanks ;)

  378. Kev

    I'm inclined to leave the DNS in place ready for next event, and to have the CA kept around ready to run up, but I don't think it's very valuable to have them up between events.

  379. MattJ

    Anyway, the server would be watched by me

  380. Kev

    Plus it increases the value of the interop events :)

  381. bear

    kev +1

  382. MattJ

    Interop events are inconvenient, there's little reason I need all of you here to do what I'm doing right now

  383. Dave Cridland

    MattJ, It's a social thing. We're all going out to drink beer afterward, right?

  384. MattJ

    Orange juice for me please

  385. Dave Cridland

    MattJ, Sure. Pay no attention to this bottle of vodka.

  386. MattJ

    I wish Gajim would let you inspect the server cert

  387. MattJ

    as a client

  388. Florian has joined

  389. MattJ

    Bouncing prosody8

  390. MattJ

    mlinktrunk: OK

  391. MattJ

    mlinkrelease: OK

  392. MattJ

    ejabberd21: OK

  393. MattJ

    pscyed-db: OK

  394. MattJ

    pscyed-sasl: FAIL

  395. Dave Cridland

    Fail?

  396. MattJ

    psyced-dwd: FAIL

  397. Dave Cridland

    Did you disable your cert (or TLS)?

  398. MattJ

    Going to check

  399. fippo

    verify result 34

  400. fippo

    ah... that critical extension thing

  401. MattJ

    Looks like they hung up on me

  402. Dave Cridland

    Ah - MattJ, you'll need to make yourself a new cert.

  403. MattJ

    Aha

  404. Kev

    How could they?

  405. fippo

    they're evil

  406. Kev

    Natch.

  407. Florian has left

  408. Kev

    Can someone confirm whether I've screwed up DNS for notls.xmpptest.com, please?

  409. Kev

    It looks to me like I have.

  410. Kev

    Oh.

  411. Kev

    ;; AUTHORITY SECTION: xmpptest.com. 3600 IN SOA xmpp.org. hostmaster.xmpp.org. 2010120803 14400 3600 604800 43200

  412. Dave Cridland

    notls.xmpptest.com. 0 IN A 67.215.65.132

  413. Kev

    That means it's using the serial that's two older than the current (05)

  414. Dave Cridland

    zero-TTL?

  415. Kev

    The intention was 1hour

  416. Dave Cridland

    Oh, no, that's opendns being crap.

  417. Florian has joined

  418. Dave Cridland

    SOA serial : 2010120803

  419. MattJ

    Bouncing prosody8

  420. MattJ

    Dave Cridland, why did M-Link not fail?

  421. Dave Cridland

    Also direct to Athena.

  422. Dave Cridland

    MattJ, Not configured to mandate TLS or strong-auth, so it'll have done dialback.

  423. MattJ

    Now my client can't log in - "no shared cipher" :(

  424. MattJ

    Hmm

  425. MattJ

    Key/cert mismatch I think

  426. MattJ

    Dec 08 15:32:12 s2smanager debug pscyed-dwd.xmpptest.com has no SRV records, falling back to A

  427. MattJ

    Grr

  428. Kev

    o_O

  429. Florian has left

  430. Dave Cridland

    MattJ, It seems to...

  431. Florian has joined

  432. MattJ

    $ host -t srv _xmpp-server.psyced-dwd.xmpptest.com
    Host _xmpp-server.psyced-dwd.xmpptest.com not found: 3(NXDOMAIN)

  433. Dave Cridland

    _tcp

  434. MattJ

    oops

  435. Florian has left

  436. MattJ

    Ok

  437. fippo

    and you pinged pscyed, not psyced

  438. Dave Cridland

    Ah, yes...

  439. MattJ

    Grr

  440. MattJ

    All work

  441. Kev

    Ok, DNS is confusing me.

  442. Dave Cridland

    Why?

  443. Kev

    We're up to 2010120806, but I'm still getting 2010120803 from athena.

  444. Florob

    Isn't it reassuring if your software works better than you do :)

  445. Dave Cridland

    Have you reloaded bind, and, if so, is there anything in its logs about why it's refusing to load the zone?

  446. MattJ

    Florob, :)

  447. Kev

    I'm not even sure where bind logs.

  448. MattJ

    daemon.log for me, as named

  449. bear

    IIRC it's the default syslog output - /var/log/messages or somesuch

  450. Kev

    Ta.

  451. Kev

    Ah.

  452. Kev

    no.such IN A . Isn't a valid line.

  453. MattJ

    wiki updated

  454. MattJ

    but the other servers accept it?

  455. MattJ

    Wait - shouldn't that be SRV?

  456. Kev

    I was just asked to put a line with '.' in for 'no.such.xmpptest.com', so I assumed it was A that was wanter.

  457. Kev

    s/wanter/wanted/

  458. MattJ

    No, SRV, sorry

  459. Tobias

    Kev: the one that fippo mentioned was a SRV record IIRC

  460. MattJ

    the target is just .

  461. Kev

    Ok, working fine now, ta.

  462. MattJ

    Council in 15?

  463. Kev

    So I can get onto setting up the invalid TLS domains now :)

  464. Kev

    Yep.

  465. Tobias

    jup

  466. prefiks has joined

  467. prefiks has left

  468. prefiks has joined

  469. prefiks has left

  470. Kev

    expiredcert, mismatchcert and revokedcert are all up - albeit without the certs they claim to have.

  471. Florob has left

  472. Florian has joined

  473. Florian has left

  474. badlop

    i've installed the cert in ejabberd21, enabled TLS in c2s and s2s, it connected with TLS to all the other 7 Interop servers except mlinkrelease.xmpptest.com, which apparently couldn't set up TLS

  475. Kev

    badlop: Is that with TLS required, or simply allowed?

  476. Dave Cridland

    badlop, Oh. Curious. One sec.

  477. badlop

    allowed, because ejabberd first attempts TLS, if anything fails it attempts non-TLS

  478. Dave Cridland

    I see it working, which is confusing. One sec, let me bounce my server and we'll have another go - it's mlink release, not trunk, right?

  479. Dave Cridland

    12/ 8 19:20:37 xmppd 07463 (root ) N-MBOX-Notice Peer ejabberd21.xmpptest.com authenticates via TLS.
    12/ 8 19:20:37 xmppd 07463 (root ) I-MBOX-Info successful setup originating db connection from mlinkrelease.xmpptest.com to ejabberd21.xmpptest.com

  480. Dave Cridland

    And I'm getting all that kind of stuff on mlinkrelease, which looks like it should be working.

  481. Dave Cridland

    And I can indeed ping ejabberd21 after a restart, too, from mlinkrelease.

  482. badlop

    and do you get the exact same report with mlinktrunk?

  483. Dave Cridland

    Ah. No. CRL failure. But, it still sets up a session.

  484. Dave Cridland

    Yup, pings there too.

  485. Florian has joined

  486. Dave Cridland

    badlop, When you say "connected with TLS", and "couldn't setup TLS", do you mean TLS itself, or EXTERNAL?

  487. badlop

    the logs aren't explicit, so i imagine it's TLS

  488. badlop

    i'll check the source now

  489. badlop

    so, don't worry yet about what ejabberd reports

  490. bear has left

  491. bear has joined

  492. Tobias has left

  493. Florob has left

  494. Florian has left

  495. Dave Cridland has left

  496. Dave Cridland has joined

  497. Dave Cridland

    badlop, Well, we're seeing TLS setup but the CRL fail.

  498. Dave Cridland

    Looking into that, it seems the CRL DP has a PEM-encoded CRL, whereas the standard mandates a DER-encoded one. Our software is being picky. I'll figure out some instructions for MattJ

  499. Dave Cridland

    No, indeed, the PEM one does crl.pem in PEM, and the DER one does crl.crl in DER.

  500. Dave Cridland

    Ooops. Wrong window.

  501. Dave Cridland

    Although right conversation, bewilderingly.

  502. bear

    :)

  503. bear

    I figured you were just continuing your outloud debugging

  504. Dave Cridland

    MattJ, Can you export the CRL in DER format - that'll generate a crl.crl for you to put on that website.

  505. MattJ

    Overwrite the PEM one?

  506. Dave Cridland

    Yes. Standards says DER.

  507. MattJ

    Try now

  508. Florian has joined

  509. Tobias has joined

  510. badlop

    Dave Cridland: right now, ejabberd -- mlinkrelease: s2s with TLS works

  511. Florian/Der Graf has joined

  512. tuomas has left

  513. Tobias has left

  514. Zash has joined

  515. Kanchil/Der Graf has joined

  516. Kanchil/Der Graf/Der Graf has joined

  517. Kanchil/Der Graf/Der Graf has left

  518. MattJ/Der Graf has joined

  519. MattJ/Der Graf has left

  520. remko has left

  521. remko has joined

  522. Asterix has joined

  523. Florian/Der Graf has joined

  524. remko has left

  525. Florian has left

  526. badlop

    umm, ejabberd -> tigase doesn't work with TLS, because tigase's response doesn't include stream:features:
    192.168.001.011.36481-094.023.164.209.05269: <?xml version='1.0'?> <stream:stream xmlns:stream='http://etherx.jabber.org/streams' xmlns='jabber:server' xmlns:db='jabber:server:dialback' to='tigase.me' version='1.0'> </stream:stream>
    094.023.164.209.05269-192.168.001.011.36481: <stream:stream xmlns:stream='http://etherx.jabber.org/streams' xmlns='jabber:server' xmlns:db='jabber:server:dialback' id='f1cf3e1a-8405-4146-82d7-454d3cfb2105'> </stream:stream>

  527. Dave Cridland

    badlop, Right, Tigase doesn't do TLS over S2S.

  528. Kev

    That's not just not doing TLS, though - that's not doing XMPP 1.0, is it?

  529. Kev

    (Yes, I realise TLS is a requirement for XMPP 1.0 as well)

  530. badlop

    well, tigase doesn't advertise supporting xmpp 1.0, so tigase doesn't lie

  531. Kev

    Heh, true enough.

  532. Florian has joined

  533. remko has joined

  534. remko has left

  535. remko has joined

  536. steve.kille has left

  537. remko has left

  538. remko has joined

  539. Dave Cridland

    Right, so something's up with the CRL checking code at the moment, so I've disabled that in mlinktrunk. :-(

  540. remko has left

  541. remko has joined

  542. Zash has left

  543. zash has joined

  544. Florian/Der Graf has left

  545. Tobias has joined

  546. Tobias has left

  547. steve.kille has joined

  548. remko has left

  549. Tobias has joined

  550. Tobias has left

  551. steve.kille has left

  552. steve.kille has joined

  553. sjoerd.simons has left

  554. sjoerd.simons has joined

  555. sjoerd.simons has left

  556. Sjoerd has joined

  557. Sjoerd has left

  558. sjoerd.simons has joined

  559. remko has joined

  560. Tobias has joined

  561. remko has left

  562. stpeter

    Dave Cridland: I did hear back from some folks at Coversant

  563. Kev

    Excellent.

  564. Kev

    Whatsaythey?

  565. stpeter

    they said they'll check into it :)

  566. stpeter

    BTW, as to the 6-month schedule, perhaps it would be good to schedule the interop weeks something like mid-way between Summits

  567. stpeter

    e.g., April/May and then October/November

  568. stpeter

    just a thought

  569. remko has joined

  570. sjoerd.simons has left

  571. sjoerd.simons has joined

  572. sjoerd.simons has left

  573. Kev

    Yes, we could do. Or could do it in the lead up to summits, both have merit.

  574. stpeter

    true

  575. stpeter

    well, one interop week at a time :)

  576. stpeter

    the lead-up makes quite a bit of sense -- raise issues that need to be hammered out

  577. Kev

    This is our first interop week, and it's showing things that need doing next time around, etc, so I think these will be iterative.

  578. stpeter

    that's good

  579. Kev

    Some responsibilities were clear in advance, some not so.

  580. Kev

    That the iteam should sort out certs and dns was decided, and obvious.

  581. Kev

    Who should be responsible for cajoling vendors into participating was left somewhat in the air, as was who should be deciding on what gets tested.

  582. Kev

    I've appointed myself the latter, as Council Chair makes some sense.

  583. Kev

    In the absence of any group decision.

  584. Kev

    Next time around it'd be good to have DNS/Certs/Test plans in advance :)

  585. sjoerd.simons has joined

  586. stpeter

    nice: https://support.process-one.net/browse/EJAB-495

  587. stpeter

    yes, agreed

  588. Dave Cridland

    MattJ, You about?

  589. Dave Cridland

    Or alternately, can anyone get me the certificate off ejabberd21.xmpptest.com? openssl's s_client isn't quite clever enough to grab it.

  590. fippo

    dave: I told you to get my patched version :-)

  591. Dave Cridland

    fippo, We have starttls xmpp, but it sends the hostname not the domain.

  592. fippo

    dave: so your patch is similar to the crippled one the openssl people accepted for c2s :-p (shall I start a rant about openssl and how to get a feature patch accepted?)

  593. remko

    there's xmpp starttls support in openssl?

  594. zash

    There is

  595. fippo

    there is - c2s, without support for servers that actually use srv records

  596. remko

    handy

  597. Dave Cridland

    fippo, Your patch is better?

  598. zash

    In, 0.9.8g and above IIRC

  599. fippo

    dave: you can specify starttls to+from independently on the commandline

  600. zash

    no, later

  601. Dave Cridland

    fippo, Oh, cool. Where is it again?

  602. remko

    oh, *without* srv

  603. Dave Cridland

    zash, Not later. Now!

  604. zash

    Dave Cridland: Later version of openssl :/

  605. Dave Cridland

    zash, Oh... Right.

  606. remko has left

  607. Kev has left

  608. fippo

    badlop: do you see any hints why a host named 'fippo.testing.openssl' is not offered tls (or version 1.0) from ejabberd21.xmpptest.com?

  609. fippo

    typically, that tool works with ejabberd

  610. Dave Cridland

    fippo, Ah, yes, same for me. (With that tool, nice).

  611. fippo

    dave: it works with -connect jabberd.jabber.ccc.de -starttls_to jabber.ccc.de

  612. Dave Cridland

    fippo, Works against mlinktrunk, too.

  613. badlop

    fippo: how can i reproduce that problem myself?

  614. Tobias has left

  615. Dave Cridland

    badlop, Can you send me the certificate?

  616. fippo

    dave: already gave you a link

  617. Flo has left

  618. badlop

    Dave Cridland: if that link doesn't help, ask me again for the cert

  619. Dave Cridland

    badlop, No, I missed the link.

  620. Dave Cridland

    badlop, All sorted now.

  621. Asterix has left

  622. Tobias has joined

  623. Tobias has left

  624. zash has left

  625. Florob has joined

  626. waqas has left