- Florob has left
- Zash has left
- sjoerd.simons has joined
- Tobias has joined
- remko has joined
- tuomas has joined
- Flo has joined
- steve.kille has left
- steve.kille has joined
- MattJ has joined
- Sjoerd has joined
- Tobias has left
- Dave Cridland has left
- Dave Cridland has joined
- Sjoerd has left
- sjoerd.simons has joined
- Dave Cridland has left
- Dave Cridland has joined
-
Kev
Right, yes, DNS. fippo / Dave Cridland: What were the records you were suggesting adding yesterday?
-
Dave Cridland
Yesterday [20:56:49] [Isode Unclassified] Dave Cridland: [[Isode Unclassified]] Kev, When you're back, then, I have 217.155.137.58 (5222/5269) servicing mlinkrelease.xmpptest.com - feel free to give it a random hostname, like, say, mlinktrunk.xmpptest.com. :-)
-
Kev
Please check it's now right.
-
Dave Cridland
Kev, No A/AAAA records, but the SRV looks OK.
-
Dave Cridland
A is 217.155.137.58, AAAA is 2001:470:1f09:882:c0c8:f9ff:fec0:d982
-
Kev
Relly?
-
Kev
*really
-
Kev
mlinktrunk.xmpptest.com IN A 217.155.137.58
-
Kev
That *looks* right to me.
-
Kev
Ah, no, because I'm a twit.
-
Dave Cridland
"."
-
Kev
mlinktrunk IN A 217.155.137.58
-
Kev
Should be happier now.
-
Dave Cridland
If I hadn't cached the duff records.
-
Kev
Oh, I'd assumed you'd be querying athena.
-
Dave Cridland
Can you stick in the AAAA as well, in case anyone's doing IPv6 interop too?
-
Kev
Done
-
Dave Cridland
Marv.
-
Dave Cridland
Can any server developers confirm that the service xmpp:mlinkrelease.xmpptest.com is reachable now?
-
fippo
it is - but it does not seem to do tls anymore?
- Tobias has joined
-
Dave Cridland
fippo, No, that's okay, haven't done that bit yet - doing that now. Thanks.
-
bear
I have a draft post for a very brief "day one" report of the interop - still chewing thru the logs for details but I wanted to get a post going
-
bear
could someone take a quick look for a review (I'm also going to post to comm team list)
-
Dave Cridland
Mail a draft to the interop mailing list?
-
bear
ah
-
bear
yes
-
Dave Cridland
mlinkrelease.xmpptest.com should now have TLS-lovelyness.
- badlop has joined
-
bear
draft posted to list
-
Dave Cridland
bear, Matthew Wild was/is operating the CA.
-
bear
k
-
fippo
dave: works with dialback-after-tls, that boring sasl thing and d-w-d
-
Dave Cridland
bear, And you're mixing both company names (Isode, Collabora) and product names (ejabberd, SAFEchat)
-
bear
I pulled from the wiki, hmm, guess I should also update/correct that then
-
Dave Cridland
bear, I think both are useful, but you're listing "SAFEchat" as a client developer (it's a client, the developers are BoldonJames) and Isode as a server (Whereas our server is called M-Link)
-
bear
oh - I see. that's a personal glitch of mine - I can never remember m-link and have always called your software Isode
- bear will beat that out of himself later
-
Dave Cridland
bear, Quite. Or Will will.
-
bear
eeek
-
Dave Cridland
OK, I've flipped my mlinktrunk.xmpptest.com server into only accepting strong authentication (ie, TLS with a verifiable certificate) for anything within xmpptest.com
-
bear
ok, text adjusted - sending new version to list
- fippo turns off tls and tests again
-
Dave Cridland
I'll do something similar for mlinkrelease in a moment. I'll require a valid cert, although mlinkrelease will accept dialback as sufficient and won't do CRL checking.
-
Dave Cridland
Actually, mlinkrelease will even accept no TLS at all, so I may not bother.
-
fippo
works - I get a policy violation dialback error
-
Dave Cridland
12/ 8 12:12:29 xmppd 32268 (root ) D-MBOX-Auth Rejecting (require tls peer control) connect from server psyced-db.xmpptest.com
-
Dave Cridland
fippo, Ah, yes, dialback errors too. :-)
-
Dave Cridland
fippo, Posh, aren't we?
-
fippo
you might want to put a <required/> into starttls :-)
- waqas has joined
- Tobias has left
-
Dave Cridland
fippo, Oh, isn't it there? I thought I'd got that as long as you sent a from (so it can look for the peer control) or if it's global (which it isn't on that server)
-
Dave Cridland
Oh. No, we don't - I carefully set a flag and then never use it. Well, that's an easy fix.
-
fippo
:-)
-
fippo
mh... I have a problem reaching trunk from -sasl
-
fippo
you don't offer external
- Zash has joined
-
Dave Cridland
12/ 8 12:38:53 xmppd 32268 (root ) I-MBOX-Info Verifying certificate
12/ 8 12:38:53 xmppd 32268 (root ) I-MBOX-Info certificate (subject emailAddress=fippo@mail.symlynx.com,OU=XMPP Department,O=Your Organisation,L=The Internet,C=DE,CN=psyced-dwd.xmpptest.com), detail (email=fippo\\40mail.symlynx.com,ou=XMPP Department,o=Your Organisation,l=The Internet,c=DE,cn=psyced-dwd.xmpptest.com) error revocation status unknown for this certificate
12/ 8 12:38:53 xmppd 32268 (root ) N-MBOX-Notice TLS certificate verification failed
12/ 8 12:38:53 xmppd 32268 (root ) D-MBOX-Auth Rejecting (require strong auth peer control) connect from server psyced-dwd.xmpptest.com
-
Dave Cridland
AH... I wonder if Matt's updated his CRL...
-
fippo
back to debugging x509 stuff :-)
-
Dave Cridland
No, it's just that Matt's not updated the CRL, so it's expired.
-
Dave Cridland
Hence M-Link can't tell if the CRL simply hasn't been updated, or if it's been replayed to conceal your certificate being revoked.
- Tobias has joined
-
Zash
So, who's winning? :)
- Tobias has left
-
Florian
right ...
-
Florian
MattJ: can I send you my CSR?
-
MattJ
Sure, mwild1@gmail.com
-
Kev
Zash: I'll be writing some suggested tests shortly.
-
MattJ
Florian, ah, got your PM, thanks
-
Kev
So at least there's some guidance on what to test :)
-
MattJ
set the topic to
XMPP Interop Event | 6th - 11th December 2010 | http://wiki.xmpp.org/web/Interop
-
Florian
:)
-
Florian
is there anything I need to do? Anything broken in Tigase that I should report back?
-
Dave Cridland
MattJ, Can you update the CRL file on the website?
-
MattJ
Dave Cridland, yes, I realised I hadn't done that this morning
-
MattJ
I regenerated it, but something distracted me from uploading
-
MattJ
There's a reason to use https for CRLs - an attacker could serve an old CRL over HTTP with nothing more than DNS poisoning
-
Kev
Florian: As nothing much has been tested yet ...
-
Dave Cridland
MattJ, No, because CRLs expire, so a replay attack has limited value.
-
MattJ
Aha
-
steve.kille
Technically, CRLs indicate when a new one will be issued, which is advisory rather than a hard expiration date, although it is generally treated as an expiration date
-
MattJ
This one's in date for a year, so have fun while you can
-
fippo
Kev: ah, I missed that dns question earlier. I would like a srv record for no.such.xmpptest.com pointing to "."
-
Florian
lol
-
Kev
fippo: Ok. Why, though?
-
MattJ
I second the request
-
MattJ
don't ask questions :)
-
fippo
Kev: servers should stop attempting to connect that domain
-
Kev
Oh, should they?
-
Dave Cridland
Kev, Yes.
-
MattJ
They should, see the recent discussion on the list
-
Kev
Permanently?
-
MattJ
for as long as they would cache a normal SRV lookup
-
Kev
Oh, well, that's no time at all presumably :)
-
Kev
(For clients, anyway)
-
MattJ
it's better than pointing your records to example.com and waiting for $TCP_TIMEOUT
-
MattJ
this is a definitive way of saying "There is no XMPP service at this domain, give up"
-
Dave Cridland
Kev, Well, you *can* argue that it's the TTL, however I don't think that anything other than caching resolvers should actually cache.
-
Kev
no.such now has an entry of .
-
MattJ
Thanks
-
MattJ
Dave Cridland, why do you think that?
-
Kev
Although the results look a whole lot like they do for an entry that just doesn't exist.
-
fippo
mattj: old jabberd tried to cache itself - it was a bad idea
-
Kev
bear: I'll read your post in a moment, thanks.
-
MattJ
fippo, why? (you may guess by now that Prosody caches)
-
Dave Cridland
MattJ, Because it's just as fast to run a caching nameserver on the same machine, and that's more likely to be written by people who know about DNS.
-
bear
no worries kev - I need to give it a couple hours to let other TZ's a chance to respond
-
MattJ
Fair enough
-
fippo
mattj: iirc it did not expire those records properly
-
MattJ
:)
-
MattJ
We fixed that bug a long time ago :)
- Zash has left
-
Dave Cridland
So presumably, if the CRL's been updated, then everyone should now be able to connect to mlinktrunk.xmpptest.com (and everything else)?
- louiz’ has joined
-
MattJ
Does OpenSSL do CRL checking automatically? It's likely I could connect to you all along :)
-
remko
no
-
Dave Cridland
MattJ, No, don't think so. We don't use it for that, anyway. (I think it can parse CRLs, etc, but I don't think it'll fetch them for you)
-
remko
if you look at the manual, you'll see that it has error codes for CRL, but that they are "Unused by OpenSSL"
-
MattJ
Lovely
-
Kev
Right, so, tests.
-
Kev
I'll put stuff on the wiki, but I'm thinking that something like this is sensible:
-
Kev
* Check a server can receive an iq response to a ping to each server, with whatever configuration.
-
remko
mattj: i'm wrong i think
-
Kev
* Set some of the servers (all that support it) to require TLS on s2s, test iq still works.
-
Kev
* Set servers to require TLS with identity verification, test iq still works.
-
remko
MattJ: i take everything back. I should have known better than to trust openssl documentation
-
Kev
That tests a base level of interop using s2s and TLS, I think.
-
MattJ
:)
-
Kev
* If any of the servers allow turning off dialback completely, doing that, and repeating.
-
Kev
(Dialback isn't bad, but relying on it is)
-
Kev
* Setting up a vhost on one of the servers, issuing and revoking a cert, and checking it can't then connect to any servers.
-
MattJ
and everyone fails that except M-Link? :)
-
Dave Cridland
Kev, So you want me to drop the TLS/strong-auth requirements for mlinktrunk?
-
Kev
I have no idea.
-
Kev
Dave Cridland: I think that'd be sensible for today.
-
Kev
First establishing that everyone will interop without TLS seems sensible.
-
Kev
Even though we know that'll work.
-
MattJ
Fine by me
-
Kev
What else do people want to test? I think just checking TLS+s2s this week is sensible, as a baseline and a first effort at an interop event.
-
Dave Cridland
That's fine by me. Do we want to check reachability to MUC domains as well?
-
Kev
For the clients, I think checking that they'll all connect ok to a server. Checking they'll all connect to a server with only TLS. Checking they won't connect to a server without TLS and with PLAIN. Revoking a cert and checking they warn the user (Swift will fail this). Logging in with a user cert.
-
Kev
Dave Cridland: Each of the listed domains would be sensible, yes.
-
Dave Cridland
Do we know if all the servers are configured with an Interop CA cert?
-
Kev
I guess we'll discover that when we try testing identity verification :)
-
Kev
Will someone volunteer to set up a vhost with a self-signed cert, and one with a revoked cert?
-
MattJ
Dave Cridland, the last outstanding CSR is Florian's, which I'm now processing (just sent badlop's)
-
Kev
I'm happy to set up both of those vhosts, actually.
-
Dave Cridland
Kev, I can do that.
-
Dave Cridland
Kev, Oh, or you can, great.
-
MattJ
Florian's has no SANs... should we allow this? :)
-
Kev
Dave Cridland: Disadvantage of that is that it needs to be yet another server for you - as you can't vhost either of your existing ones?
-
Dave Cridland
Kev, Sure I can, can't I?
-
Kev
Not if you want to test interop between that server and the denied domains.
-
Dave Cridland
Ah. Well, yes. I couldn't test between other domains on the same server, no.
-
Dave Cridland
Okay, I've reconfigured.
-
Dave Cridland
Shall I run through first?
-
Kev
I think there's no harm in it.
- Tobias has joined
-
Dave Cridland
So, mlinkrelease I get a pong.
-
Dave Cridland
(Which is just as well, frankly)
-
Dave Cridland
This all from mlinktrunk, BTW.
-
Dave Cridland
tigasetrunk, ping.
-
Dave Cridland
ejabberd21, ping.
-
Florian
SANs?
-
Dave Cridland
prosody8, ping.
-
Dave Cridland
psyced-db ping.
-
Kev
Florian: Subject alt names.
-
Tobias
i see you guys found the 'topic' feature ;)
-
Dave Cridland
psyced-dwd ping, psyced-sasl ping.
-
fippo
kev: would you put that list on the wiki please?
-
Kev
fippo: I'm doing so at the moment, yes.
-
Dave Cridland
So I think that's it from mlinktrunk. All success.
-
MattJ
Florian, the only domain you have listed is in the cn field, which isn't recommended
-
Dave Cridland
FWIW, I can even turn off checking that.
-
Dave Cridland
MattJ, You can add in other SANs before signing, though.
-
Florian
yeh
-
MattJ
I can? Oh yes...
-
MattJ
That was staring me in the face
-
fippo
dave: that was with optional starttls? It might be worth repeating with tls disabled
-
Dave Cridland
Right, just setting up a test account for mlinkrelease.
-
Dave Cridland
fippo, What, disabling TLS at my end?
-
fippo
yes. so we see that it fails with servers that <require/> tls
-
Dave Cridland
I think that's one to do later.
-
Kev
fippo: My intention is to do TLS requirements later.
-
fippo
wfm
-
MattJ
Florian, do you have a MUC domain?
-
Kev
fippo: I'll set up vhosts with invalid certs (self-signed, mismatch, and revoked) and test that s2s doesn't work.
- Florob has joined
-
fippo
kev: add an expired one
-
Florian
muc.*
-
Kev
fippo: Do you hate my time that much? :)
-
Dave Cridland
Okay, so from mlinkrelease, this time.
-
fippo
kev: and one that does not contain the vhostname
-
fippo
kev: :-)
-
Kev
Or my DSA setup, for that matter.
-
Kev
Yes, I said I'd add one with a host mismatch.
-
fippo
ah
-
Dave Cridland
mlinktrunk, ping
-
Dave Cridland
ejabberd21 ping
-
Dave Cridland
prosody8 ping
-
Dave Cridland
psyced-db ping
-
Dave Cridland
psyced-dwd ping
-
Dave Cridland
psyced-sasl ping.
-
MattJ
since XMPP implementations should recognise both xmppAddr and SRVName, only one of them should be necessary in a cert, right?
-
Dave Cridland
In principle... But in principle they'll recognise a URI one as well.
-
MattJ
.
-
Dave Cridland
In practise, most will rely on xmppAddr, and maybe sRVName.
-
Dave Cridland
tigasetrunk ping.
-
Dave Cridland
So full house from both.
-
Dave Cridland
As a general note to folk, you will need to bounce your servers, or force them to disconnect S2S some other way prior to running these tests.
-
Dave Cridland
Otherwise you may just be reusing connections.
-
Dave Cridland
(I say this because I only just remembered to do it)
-
Dave Cridland
So, who wants to go next?
-
Dave Cridland
Anyone?
-
fippo
just doing...
-
Dave Cridland
12/ 8 14:38:03 xmppd 32680 (root ) I-MBOX-Info certificate (subject emailAddress=fippo@mail.symlynx.com,OU=hangtime department,O=hangtime,L=The Internet,C=DE,CN=psyced-db.xmpptest.com), detail (email=fippo\\40mail.symlynx.com,ou=hangtime department,o=hangtime,l=The Internet,c=DE,cn=psyced-db.xmpptest.com) error revocation status unknown for this certificate
I shouldn't be seeing that, I don't think.
- Dave Cridland wonders if he's caching the CRL for some reason.
-
Kev
http://wiki.xmpp.org/web/Interop#Testing
-
fippo
full house from psyced-db to anyone with tls, two failures without tls (psyced-dwd and psyced-external, but they enforce tls so that is expected)
-
Kev
fippo: It'd be great if you could put that in terms of my test numbers for me, please.
-
Dave Cridland
psyced-sasl, surely?
-
fippo
kev: will do on the wiki
-
fippo
dave: yes
- Florian has left
-
Kev
fippo: Or that, thanks. I'm happy to put it in the wiki, if you paste something here, equally.
-
Dave Cridland
BTW, as far as I remember, all servers supported XEP-0199, and gave a positive result (ie, not an error).
-
fippo
and all servers support the good old jabber:iq:version (I prefer that to ping somehow)
-
fippo
Kev: arr, your test structure conflicts with my host setup
-
Kev
fippo: I think it just means that some of your hosts don't participate in some tests.
-
fippo
yeah
-
Kev
e.g. ones that require TLS don't do test 1, they wait until test 2.
-
Dave Cridland
Well, we've not disabled TLS, so those ones should also work, still, surely?
-
Kev
Well, true.
-
fippo
yeah
-
fippo
they will fail with tigase, but that is expected
-
MattJ
Kev, it says notls is not yet set up - feel free to point that at me
-
MattJ
I can set up a vhost with no c2s/s2s TLS
-
Kev
MattJ: On the same host, or a different one?
-
Kev
The problem with you using a vhost on one of the test systems is that you then can't test those.
-
Dave Cridland
MattJ, On a different server to prosody8, so you can test?
-
MattJ
Good point
-
MattJ
Kev, point it to matthewwild.co.uk
-
Kev
Ta.
-
MattJ
brb
-
MattJ
btw, I think everyone has certs now - shout if I missed a request
-
Dave Cridland
Anyone editing the Wiki now? If not, I'll stick my other results in.
-
Kev
I'll be requesting more certs shortly, and then asking you to revoke one of them :)
-
Kev
Dave Cridland: I am not.
-
fippo
dave: I just edited
-
Dave Cridland
Right, as did I, but quickly enough apparently.
-
Kev
"they will fail with tigase, but that is expected"
-
Kev
Expected because...?
-
fippo
Kev: because tigase does not do tls, so if it meets a server that enforces tls it should fail
-
Kev
So, server people, are there any basic s2s interop tests that we should be adding that I haven't yet done?
-
Kev
fippo: It will never do TLS over s2s?
-
fippo
kev: afaik no
- stpeter has joined
- Dave Cridland asks Florian.
-
Dave Cridland
Anyway - who's next on doing the tests?
-
fippo
I am not seeing a version attribute on the stream headers either
-
Dave Cridland
MattJ, ?
-
MattJ
back
-
MattJ
I'm next I think
-
Dave Cridland
OK.
-
Dave Cridland
stpeter, Are there any other server implementors we could bring in, do you think?
- Florian has joined
-
stpeter
have we pinged Openfire and jabberd2?
-
Florian
as a response to Dave's question: [15:04:05] <Artur> no, this is what I am working on right now :-)
-
Florian
(TLS on S2S)
-
Kev
stpeter: In as much as we pinged the relevant XSF lists, and I assume they listen to them.
-
stpeter
rightio
-
Kev
Pinging them directly would not be a horrible idea.
-
Dave Cridland
stpeter, Who would we ping for those?
-
stpeter
I haven't seen a reply to the last message I sent to some Openfire folks
-
MattJ
Coversant?
-
Dave Cridland
MattJ, Good point.
-
stpeter
Tomasz Serna is the jabberd2 contact -- mailto:tomek@xiaoka.com
-
fippo
Dave: if time permits (and that is a large if) I'll try to setup jabberd14
-
MattJ
stpeter, poked in jdev
-
stpeter
heh ok
-
stpeter
MattJ: Tomasz is there?
-
MattJ
smoku
-
stpeter
right
-
stpeter
that's the one :)
-
stpeter
I'll ping Jason Frankel at Coversant
-
Dave Cridland
I was just writing a mail to Dave Richards.
-
Dave Cridland
But two won't hurt.
-
stpeter
yep
-
stpeter
email sent to Jason
-
MattJ
Dave Cridland, did you ping manually?
-
Dave Cridland
MattJ, Once a year, yes.
-
MattJ
.
- MattJ writes a script
-
Dave Cridland
MattJ, No, I used Gajim.
-
MattJ
s/writes/adopts/
-
Dave Cridland
MattJ, Started a chat to each server and typed /ping
-
MattJ
Now there's an idea
-
Dave Cridland
MattJ, I'm full of 'em.
-
MattJ
I didn't say it was a good one
-
stpeter
I wonder if we need to cull the list of XMPP servers at http://xmpp.org/xmpp-software/servers/
-
MattJ
Works, amazing
-
MattJ
stpeter, email them all, if they don't respond - remove them? :)
-
bear
stpeter - I was thinking of suggesting that after N rounds of interops we could start making active/inactive categories
-
Dave Cridland
stpeter, It might be interesting, if we can get these interop sessions to happen reasonably frequently, to say that in order to be listed you need to at least participate in interop.
-
stpeter
MattJ: even better, ask them to participate in interop, if they don't participate then remove 'em
-
MattJ
Heh
-
stpeter
heh
-
stpeter
GMTA
-
MattJ
and I thought I was being harsh
-
Dave Cridland
steve.kille, Fools seldom differ.
-
stpeter
quarterly interop week
-
Dave Cridland
stpeter, rather.
- Florian has left
-
Dave Cridland
Didn't look at what "st<TAB>" gave me.
-
stpeter
brb
-
MattJ
or we make it a requirement to run a server at *.interop.xmpp.org :)
-
bear
xmpptest.com also
-
MattJ
In the Prosody early days we had a test script that pinged each server there daily
-
Dave Cridland
MattJ, I'm not mad keen on constantly running an interop test server, to be honest. Unused/unwatched servers tend to develop embarrassing failures at the worst moment.
-
MattJ
bear, just point xmpptest.com at prosody.im, thanks ;)
-
Kev
I'm inclined to leave the DNS in place ready for next event, and to have the CA kept around ready to run up, but I don't think it's very valuable to have them up between events.
-
MattJ
Anyway, the server would be watched by me
-
Kev
Plus it increases the value of the interop events :)
-
bear
kev +1
-
MattJ
Interop events are inconvenient, there's little reason I need all of you here to do what I'm doing right now
-
Dave Cridland
MattJ, It's a social thing. We're all going out to drink beer afterward, right?
-
MattJ
Orange juice for me please
-
Dave Cridland
MattJ, Sure. Pay no attention to this bottle of vodka.
-
MattJ
I wish Gajim would let you inspect the server cert
-
MattJ
as a client
- Florian has joined
-
MattJ
Bouncing prosody8
-
MattJ
mlinktrunk: OK
-
MattJ
mlinkrelease: OK
-
MattJ
ejabberd21: OK
-
MattJ
pscyed-db: OK
-
MattJ
pscyed-sasl: FAIL
-
Dave Cridland
Fail?
-
MattJ
psyced-dwd: FAIL
-
Dave Cridland
Did you disable your cert (or TLS)?
-
MattJ
Going to check
-
fippo
verify result 34
-
fippo
ah... that critical extension thing
-
MattJ
Looks like they hung up on me
-
Dave Cridland
Ah - MattJ, you'll need to make yourself a new cert.
-
MattJ
Aha
-
Kev
How could they?
-
fippo
they're evil
-
Kev
Natch.
- Florian has left
-
Kev
Can someone confirm whether I've screwed up DNS for notls.xmpptest.com, please?
-
Kev
It looks to me like I have.
-
Kev
Oh.
-
Kev
;; AUTHORITY SECTION: xmpptest.com. 3600 IN SOA xmpp.org. hostmaster.xmpp.org. 2010120803 14400 3600 604800 43200
-
Dave Cridland
notls.xmpptest.com. 0 IN A 67.215.65.132
-
Kev
That means it's using the serial that's two older than the current (05)
-
Dave Cridland
zero-TTL?
-
Kev
The intention was 1hour
-
Dave Cridland
Oh, no, that's opendns being crap.
- Florian has joined
-
Dave Cridland
SOA serial : 2010120803
-
MattJ
Bouncing prosody8
-
MattJ
Dave Cridland, why did M-Link not fail?
-
Dave Cridland
Also direct to Athena.
-
Dave Cridland
MattJ, Not configured to mandate TLS or strong-auth, so it'll have done dialback.
-
MattJ
Now my client can't log in - "no shared cipher" :(
-
MattJ
Hmm
-
MattJ
Key/cert mismatch I think
-
MattJ
Dec 08 15:32:12 s2smanager debug pscyed-dwd.xmpptest.com has no SRV records, falling back to A
-
MattJ
Grr
-
Kev
o_O
- Florian has left
-
Dave Cridland
MattJ, It seems to...
- Florian has joined
-
MattJ
$ host -t srv _xmpp-server.psyced-dwd.xmpptest.com
Host _xmpp-server.psyced-dwd.xmpptest.com not found: 3(NXDOMAIN)
-
Dave Cridland
_tcp
-
MattJ
oops
- Florian has left
-
MattJ
Ok
-
fippo
and you pinged pscyed, not psyced
-
Dave Cridland
Ah, yes...
-
MattJ
Grr
-
MattJ
All work
-
Kev
Ok, DNS is confusing me.
-
Dave Cridland
Why?
-
Kev
We're up to 2010120806, but I'm still getting 2010120803 from athena.
-
Florob
Isn't it reassuring if your software works better than you do :)
-
Dave Cridland
Have you reloaded bind, and, if so, is there anything in its logs about why it's refusing to load the zone?
-
MattJ
Florob, :)
-
Kev
I'm not even sure where bind logs.
-
MattJ
daemon.log for me, as named
-
bear
IIRC it's the default syslog output - /var/log/messages or somesuch
-
Kev
Ta.
-
Kev
Ah.
-
Kev
no.such IN A . Isn't a valid line.
-
MattJ
wiki updated
-
MattJ
but the other servers accept it?
-
MattJ
Wait - shouldn't that be SRV?
-
Kev
I was just asked to put a line with '.' in for 'no.such.xmpptest.com', so I assumed it was A that was wanter.
-
Kev
s/wanter/wanted/
-
MattJ
No, SRV, sorry
-
Tobias
Kev: the one that fippo mentioned was a SRV record IIRC
-
MattJ
the target is just .
-
Kev
Ok, working fine now, ta.
-
MattJ
Council in 15?
-
Kev
So I can get onto setting up the invalid TLS domains now :)
-
Kev
Yep.
-
Tobias
jup
- prefiks has joined
- prefiks has left
- prefiks has joined
- prefiks has left
-
Kev
expiredcert, mismatchcert and revokedcert are all up - albeit without the certs they claim to have.
- Florob has left
- Florian has joined
- Florian has left
-
badlop
i've installed the cert in ejabberd21, enabled TLS in c2s and s2s, it connected with TLS to all the other 7 Interop servers except mlinkrelease.xmpptest.com, which apparently couldn't setup TLS
-
Kev
badlop: Is that with TLS required, or simply allowed?
-
Dave Cridland
badlop, Oh. Curious. One sec.
-
badlop
allowed, because ejabberd first attempts TLS, if anything fails it attempts non-TLS
-
Dave Cridland
I see it working, which is confusing. One sec, let me bounce my server and we'll have another go - it's mlink release, not trunk, right?
-
Dave Cridland
12/ 8 19:20:37 xmppd 07463 (root ) N-MBOX-Notice Peer ejabberd21.xmpptest.com authenticates via TLS.
12/ 8 19:20:37 xmppd 07463 (root ) I-MBOX-Info successful setup originating db connection from mlinkrelease.xmpptest.com to ejabberd21.xmpptest.com
-
Dave Cridland
And I'm getting all that kind of stuff on mlinkrelease, which looks like it should be working.
-
Dave Cridland
And I can indeed ping ejabberd21 after a restart, too, from mlinkrelease.
-
badlop
and do you get the exact same report with mlinktrunk?
-
Dave Cridland
Ah. No. CRL failure. But, it still sets up a session.
-
Dave Cridland
Yup, pings there too.
- Florian has joined
-
Dave Cridland
badlop, When you say "connected with TLS", and "couldn't setup TLS", do you mean TLS itself, or EXTERNAL?
-
badlop
the logs aren't explicit, so i imagine it's TLS
-
badlop
i'll check the source now
-
badlop
so, don't worry yet about what ejabberd reports
- bear has left
- bear has joined
- Tobias has left
- Florob has left
- Florian has left
- Dave Cridland has left
- Dave Cridland has joined
-
Dave Cridland
badlop, Well, we're seeing TLS setup but the CRL fail.
-
Dave Cridland
Looking into that, it seems the CRL DP has a PEM-encoded CRL, whereas the standard mandates a DER-encoded one. Our software is being picky. I'll figure out some instructions for MattJ
-
Dave Cridland
No, indeed, the PEM one does crl.pem in PEM, and the DER one does crl.crl in DER.
-
Dave Cridland
Ooops. Wrong window.
-
Dave Cridland
Although right conversation, bewilderingly.
-
bear
:)
-
bear
I figured you were just continuing your outloud debugging
-
Dave Cridland
MattJ, Can you export the CRL in DER format - that'll generate a crl.crl for you to put on that website.
-
MattJ
Overwrite the PEM one?
-
Dave Cridland
Yes. Standards says DER.
-
MattJ
Try now
- Florian has joined
- Tobias has joined
-
badlop
Dave Cridland: right now, ejabberd -- mlinkrelease: s2s with TLS works
- Florian/Der Graf has joined
- tuomas has left
- Tobias has left
- Zash has joined
- Kanchil/Der Graf has joined
- Kanchil/Der Graf/Der Graf has joined
- Kanchil/Der Graf/Der Graf has left
- MattJ/Der Graf has joined
- MattJ/Der Graf has left
- remko has left
- remko has joined
- Asterix has joined
- Florian/Der Graf has joined
- remko has left
- Florian has left
-
badlop
umm, ejabberd -> tigase doesn't work with TLS, because tigase response doesn't include stream:features:
192.168.001.011.36481-094.023.164.209.05269: <?xml version='1.0'?> <stream:stream xmlns:stream='http://etherx.jabber.org/streams' xmlns='jabber:server' xmlns:db='jabber:server:dialback' to='tigase.me' version='1.0'> </stream:stream>
094.023.164.209.05269-192.168.001.011.36481: <stream:stream xmlns:stream='http://etherx.jabber.org/streams' xmlns='jabber:server' xmlns:db='jabber:server:dialback' id='f1cf3e1a-8405-4146-82d7-454d3cfb2105'> </stream:stream>
-
Dave Cridland
badlop, Right, Tigase doesn't do TLS over S2S.
-
Kev
That's not just not doing TLS, though - that's not doing XMPP 1.0, is it?
-
Kev
(Yes, I realise TLS is a requirement for XMPP 1.0 as well)
-
badlop
well, tigase doesn't advertise supporting xmpp 1.0, so tigase doesn't lie
-
Kev
Heh, true enough.
- Florian has joined
- remko has joined
- remko has left
- remko has joined
- steve.kille has left
- remko has left
- remko has joined
-
Dave Cridland
Right, so something's up with the CRL checking code at the moment, so I've disabled that in mlinktrunk. :-(
- remko has left
- remko has joined
- Zash has left
- zash has joined
- Florian/Der Graf has left
- Tobias has joined
- Tobias has left
- steve.kille has joined
- remko has left
- Tobias has joined
- Tobias has left
- steve.kille has left
- steve.kille has joined
- sjoerd.simons has left
- sjoerd.simons has joined
- sjoerd.simons has left
- Sjoerd has joined
- Sjoerd has left
- sjoerd.simons has joined
- remko has joined
- Tobias has joined
- remko has left
-
stpeter
Dave Cridland: I did hear back from some folks at Coversant
-
Kev
Excellent.
-
Kev
Whatsaythey?
-
stpeter
they said they'll check into it :)
-
stpeter
BTW, as to the 6-month schedule, perhaps it would be good to schedule the interop weeks something like mid-way between Summits
-
stpeter
e.g., April/May and then October/November
-
stpeter
just a thought
- remko has joined
- sjoerd.simons has left
- sjoerd.simons has joined
- sjoerd.simons has left
-
Kev
Yes, we could do. Or could do it in the lead up to summits, both have merit.
-
stpeter
true
-
stpeter
well, one interop week at a time :)
-
stpeter
the lead-up makes quite a bit of sense -- raise issues that need to be hammered out
-
Kev
This is our first interop week, and it's showing things that need doing next time around, etc, so I think these will be iterative.
-
stpeter
that's good
-
Kev
Some responsibilities were clear in advance, some not so.
-
Kev
That the iteam should sort out certs and dns was decided, and obvious.
-
Kev
Who should be responsible for cajoling vendors into participating was left somewhat in the air, as was who should be deciding on what gets tested.
-
Kev
I've appointed myself the latter, as Council Chair makes some sense.
-
Kev
In the absence of any group decision.
-
Kev
Next time around it'd be good to have DNS/Certs/Test plans in advance :)
- sjoerd.simons has joined
-
stpeter
nice: https://support.process-one.net/browse/EJAB-495
-
stpeter
yes, agreed
-
Dave Cridland
MattJ, You about?
-
Dave Cridland
Or alternately, can anyone get me the certificate off ejabberd21.xmpptest.com? openssl's s_client isn't quite clever enough to grab it.
-
fippo
dave: I told you to get my patched version :-)
-
Dave Cridland
fippo, We have starttls xmpp, but it sends the hostname not the domain.
-
fippo
dave: so your patch is similar to the crippled one the openssl people accepted for c2s :-p (shall I start a rant about openssl and how to get a feature patch accepted?)
-
remko
there's xmpp starttls support in openssl?
-
zash
There is
-
fippo
there is - c2s, without support for servers that actually use srv records
-
remko
handy
-
Dave Cridland
fippo, Your patch is better?
-
zash
In, 0.9.8g and above IIRC
-
fippo
dave: you can specify starttls to+from independently on the commandline
-
zash
no, later
-
Dave Cridland
fippo, Oh, cool. Where is it again?
-
remko
oh, *without* srv
-
Dave Cridland
zash, Not later. Now!
-
zash
Dave Cridland: Later version of openssl :/
-
Dave Cridland
zash, Oh... Right.
- remko has left
- Kev has left
-
fippo
badlop: do you see any hints why a host named 'fippo.testing.openssl' is not offered tls (or version 1.0) from ejabberd21.xmpptest.com?
-
fippo
typically, that tool works with ejabberd
-
Dave Cridland
fippo, Ah, yes, same for me. (With that tool, nice).
-
fippo
dave: it works with -connect jabberd.jabber.ccc.de -starttls_to jabber.ccc.de
-
Dave Cridland
fippo, Works against mlinktrunk, too.
-
badlop
fippo: how can I reproduce that problem myself?
- Tobias has left
-
Dave Cridland
badlop, Can you send me the certificate?
-
fippo
dave: already gave you a link
- Flo has left
-
badlop
Dave Cridland: if that link doesn't help, ask me for the cert again
-
Dave Cridland
badlop, No, I missed the link.
-
Dave Cridland
badlop, All sorted now.
- Asterix has left
- Tobias has joined
- Tobias has left
- zash has left
- Florob has joined
- waqas has left
- Florob has left
- Zash has left
- sjoerd.simons has joined
- steve.kille has left
- steve.kille has joined
- steve.kille has left
- steve.kille has joined
- steve.kille has left
- steve.kille has joined
- steve.kille has left
- steve.kille has joined
- steve.kille has left
- steve.kille has joined
- steve.kille has left
- steve.kille has joined
- steve.kille has left
- steve.kille has joined
- sjoerd.simons has left
- sjoerd.simons has joined
- steve.kille has left
- steve.kille has joined
- steve.kille has left
- steve.kille has joined
- steve.kille has left
- steve.kille has joined
- sjoerd.simons has left
- sjoerd.simons has joined
- steve.kille has left
- steve.kille has joined
- steve.kille has left
- steve.kille has joined
- steve.kille has left
- steve.kille has joined
- steve.kille has left
- steve.kille has joined
- sjoerd.simons has left
- steve.kille has left
- steve.kille has joined
- steve.kille has left
- steve.kille has joined
- Tobias has joined
- remko has joined
- tuomas has joined
- Flo has joined
- steve.kille has left
- steve.kille has joined
- MattJ has joined
- Sjoerd has joined
- Tobias has left
- Dave Cridland has left
- Dave Cridland has joined
- Sjoerd has left
- sjoerd.simons has joined
- Dave Cridland has left
- Dave Cridland has joined
- Tobias has joined
- badlop has joined
- waqas has joined
- Tobias has left
- Zash has joined
- Tobias has joined
- Tobias has left
- Zash has left
- louiz’ has joined
- Tobias has joined
- Florob has joined
- Florian has left
- stpeter has joined
- Florian has joined
- Florian has left
- Florian has joined
- Florian has left
- Florian has joined
- Florian has left
- Florian has joined
- Florian has left
- prefiks has joined
- prefiks has left
- prefiks has joined
- prefiks has left
- Florob has left
- Florian has joined
- Florian has left
- Florian has joined
- bear has left
- bear has joined
- Tobias has left
- Florob has left
- Florian has left
- Dave Cridland has left
- Dave Cridland has joined
- Florian has joined
- Tobias has joined
- Florian/Der Graf has joined
- tuomas has left
- Tobias has left
- Zash has joined
- Kanchil/Der Graf has joined
- Kanchil/Der Graf/Der Graf has joined
- Kanchil/Der Graf/Der Graf has left
- MattJ/Der Graf has joined
- MattJ/Der Graf has left
- remko has left
- remko has joined
- Asterix has joined
- Florian/Der Graf has joined
- remko has left
- Florian has left
- Florian has joined
- remko has joined
- remko has left
- remko has joined
- steve.kille has left
- remko has left
- remko has joined
- remko has left
- remko has joined
- Zash has left
- zash has joined
- Florian/Der Graf has left
- Tobias has joined
- Tobias has left
- steve.kille has joined
- remko has left
- Tobias has joined
- Tobias has left
- steve.kille has left
- steve.kille has joined
- sjoerd.simons has left
- sjoerd.simons has joined
- sjoerd.simons has left
- Sjoerd has joined
- Sjoerd has left
- sjoerd.simons has joined
- remko has joined
- Tobias has joined
- remko has left
- remko has joined
- sjoerd.simons has left
- sjoerd.simons has joined
- sjoerd.simons has left
- sjoerd.simons has joined
- remko has left
- Kev has left
- Tobias has left
- Flo has left
- Asterix has left
- Tobias has joined
- Tobias has left
- zash has left
- Florob has joined
- waqas has left