interop - 2010-12-08

  1. Kev

    Right, yes, DNS. fippo / Dave Cridland: What were the records you were suggesting adding yesterday?

  2. Dave Cridland

    Yesterday [20:56:49] [Isode Unclassified] Dave Cridland: [[Isode Unclassified]] Kev, When you're back, then, I have (5222/5269) servicing - feel free to give it a random hostname, like, say, :-)

  3. Kev

    Please check it's now right.

  4. Dave Cridland

    Kev, No A/AAAA records, but the SRV looks OK.

  5. Dave Cridland

    A is, AAAA is 2001:470:1f09:882:c0c8:f9ff:fec0:d982

  6. Kev


  7. Kev


  8. Kev IN A

  9. Kev

    That *looks* right to me.

  10. Kev

    Ah, no, because I'm a twit.

  11. Dave Cridland


  12. Kev

    mlinktrunk IN A

  13. Kev

    Should be happier now.

  14. Dave Cridland

    If I hadn't cached the duff records.

  15. Kev

    Oh, I'd assumed you'd be querying athena.

  16. Dave Cridland

    Can you stick in the AAAA as well, in case anyone's doing IPv6 interop too?

  17. Kev


  18. Dave Cridland


  19. Dave Cridland

    Can any server developers confirm that the service is reachable now?

  20. fippo

    it is - but it does not seem to do tls anymore?

  21. Dave Cridland

    fippo, No, that's okay, haven't done that bit yet - doing that now. Thanks.

  22. bear

    I have a draft post for a very brief "day one" report of the interop - still chewing thru the logs for details but I wanted to get a post going

  23. bear

    could someone take a quick look for a review (I'm also going to post to comm team list)

  24. Dave Cridland

    Mail a draft to the interop mailing list?

  25. bear


  26. bear


  27. Dave Cridland should now have TLS-lovelyness.

  28. bear

    draft posted to list

  29. Dave Cridland

    bear, Matthew Wild was/is operating the CA.

  30. bear


  31. fippo

    dave: works with with dialback-after-tls, that boring sasl thing and d-w-d

  32. Dave Cridland

    bear, And you're mixing both company names (Isode, Collabora) and product names (ejabberd, SAFEchat)

  33. bear

    I pulled from the wiki, hmm, guess I should also update/correct that then

  34. Dave Cridland

    bear, I think both are useful, but you're listing "SAFEchat" as a client developer (it's a client, the developers are BoldonJames) and Isode as a server (Whereas our server is called M-Link)

  35. bear

    oh - I see. that's a personal glitch of mine - I can never remember m-link and have always called your software Isode

  36. bear will beat that out of himself later

  37. Dave Cridland

    bear, Quite. Or Will will.

  38. bear


  39. Dave Cridland

    OK, I've flipped my server into only accepting strong authentication (ie, TLS with a verifiable certificate) for anything within

  40. bear

    ok, text adjusted - sending new version to list

  41. fippo turns off tls and tests again

  42. Dave Cridland

    I'll do something similar for mlinkrelease in a moment. I'll require a valid cert, although mlinkrelease will accept dialback as sufficient and won't do CRL checking.

  43. Dave Cridland

    Actually, mlinkrelease will even accept no TLS at all, so I may not bother.

  44. fippo

    works - I get a policy violation dialback error

  45. Dave Cridland

    12/ 8 12:12:29 xmppd 32268 (root ) D-MBOX-Auth Rejecting (require tls peer control) connect from server

  46. Dave Cridland

    fippo, Ah, yes, dialback errors too. :-)

  47. Dave Cridland

    fippo, Posh, aren't we?

  48. fippo

    you might want to put a <required/> into starttls :-)

  49. Dave Cridland

    fippo, Oh, isn't it there? I thought I'd got that as long as you sent a from (so it can look for the peer control) or if it's global (which it isn't on that server)

  50. Dave Cridland

    Oh. No, we don't - I carefully set a flag and then never use it. Well, that's an easy fix.

  51. fippo


  52. fippo

    mh... I have a problem reaching trunk from -sasl

  53. fippo

    you don't offer external

  54. Dave Cridland

    12/ 8 12:38:53 xmppd 32268 (root ) I-MBOX-Info Verifying certificate 12/ 8 12:38:53 xmppd 32268 (root ) I-MBOX-Info certificate (subject emailA,OU=XMPP Department,O=Your Organisation,L=The Inter net,C=DE,, detail (email=fippo\\,ou =XMPP Department,o=Your Organisation,l=The Internet,c=DE,cn=psyced-dwd.xmpptest. com) error revocation status unknown for this certificate 12/ 8 12:38:53 xmppd 32268 (root ) N-MBOX-Notice TLS certificate verificat ion failed 12/ 8 12:38:53 xmppd 32268 (root ) D-MBOX-Auth Rejecting (require strong a uth peer control) connect from server

  55. Dave Cridland

    AH... I wonder if Matt's updated his CRL...

  56. fippo

    back to debugging x509 stuff :-)

  57. Dave Cridland

    No, it's just that Matt's not updated the CRL, so it's expired.

  58. Dave Cridland

    Hence M-Link can't tell if the CRL simply hasn't been updated, or if it's been replayed to conceal your certificate being revoked.

  59. Zash

    So, who's winning? :)

  60. Florian

    right ...

  61. Florian

    MattJ: can I send you my CSR?

  62. MattJ


  63. Kev

    Zash: I'll be writing some suggested tests shortly.

  64. MattJ

    Florian, ah, got your PM, thanks

  65. Kev

    So at least there's some guidance on what to test :)

  66. MattJ set the topic to

    XMPP Interop Event | 6th - 11th December 2010 |

  67. Florian


  68. Florian

    is there anything I need to do? Anything broken in Tigase that I should report back?

  69. Dave Cridland

    MattJ, Can you update the CRL fiole on the website?

  70. MattJ

    Dave Cridland, yes, I realised I hadn't done that this morning

  71. MattJ

    I regenerated it, but something distracted me from uploading

  72. MattJ

    There's a reason to use https for CRLs - an attacker could serve an old CRL over HTTP with nothing more than DNS poisoning

  73. Kev

    Florian: As nothing much as been tested yet ...

  74. Dave Cridland

    MattJ, No, because CRLs expire, so a replay attack has limited value.

  75. MattJ


  76. steve.kille

    Technically, CRLs indicate when a new one will be issued, which is advisory rather than a hard expiration date, although it is generally treated as an expiration date

  77. MattJ

    This one's in date for a year, so have fun while you can

  78. fippo

    Kev: ah, I missed that dns question earlier. I would like a srv record for pointing to "."

  79. Florian


  80. Kev

    fippo: Ok. Why, though?

  81. MattJ

    I second the request

  82. MattJ

    don't ask questions :)

  83. fippo

    Kev: servers should stop attempting to connect that domain

  84. Kev

    Oh, should they?

  85. Dave Cridland

    Kev, Yes.

  86. MattJ

    They should, see the recent discussion on the list

  87. Kev


  88. MattJ

    for as long as they would cache a normal SRV lookup

  89. Kev

    Oh, well, that's no time at all presumably :)

  90. Kev

    (For clients, anyway)

  91. MattJ

    it's better than pointing your records to and waiting for $TCP_TIMEOUT

  92. MattJ

    this is a definitive way of saying "There is no XMPP service at this domain, give up"

  93. Dave Cridland

    Kev, Well, you *can* argue that it's the TTL, however I don't think that anything other than caching resolvers should actually cache.

  94. Kev

    no.such now has an entry of .

  95. MattJ


  96. MattJ

    Dave Cridland, why do you think that?

  97. Kev

    Although the results look a whole lot like they do for an entry that just doesn't exist.

  98. fippo

    mattj: old jabberd tried to cache itself - it was a bad idea

  99. Kev

    bear: I'll read your post in a moment, thanks.

  100. MattJ

    fippo, why? (you may guess by now that Prosody caches)

  101. Dave Cridland

    MattJ, Because it's just as fast to run a caching nameserver on the same machine, and that's more likely to be written by people who know about DNS.

  102. bear

    no worries kev - I need to give it a couple hours to let other TZ's a chance to respond

  103. MattJ

    Fair enough

  104. fippo

    mattj: iirc it did not expire those records properly

  105. MattJ


  106. MattJ

    We fixed that bug a long time ago :)

  107. Dave Cridland

    So presumably, if the CRL's been updated, then everyone should now be able to connect to (and everything else)?

  108. MattJ

    Does OpenSSL do CRL checking automatically? It's likely I could connect to you all along :)

  109. remko


  110. Dave Cridland

    MattJ, No, don't think so. We don't use it for that, anyway. (I think it can parse CRLs, etc, but I don't think it'll fetch them for you)

  111. remko

    if you look at the manual, you'll see that it has error codes for CRL, but that they are "Unused by OpenSSL"

  112. MattJ


  113. Kev

    Right, so, tests.

  114. Kev

    I'll put stuff on the wiki, but I'm thinking that something like this is sensible:

  115. Kev

    * Check a server can receive an iq response to a ping to each server, with whatever configuration.

  116. remko

    mattj: i'm wrong i think

  117. Kev

    * Set some of the servers (all that support it) to require TLS on s2s, test iq still works.

  118. Kev

    * Set servers to require TLS with identity verification, test iq still works.

  119. remko

    MattJ: i take everything back. I should have known better than to trust on openssl documentation

  120. Kev

    That tests a base level of interop using s2s and TLS, I think.

  121. MattJ


  122. Kev

    * If any of the servers allow turning off dialback completely, doing that, and repeating.

  123. Kev

    (Dialback isn't bad, but relying on it is)

  124. Kev

    * Setting up a vhost on one of the servers, issuing and revoking a cert, and checking it can't then connect to any servers.

  125. MattJ

    and everyone fails that except M-Link? :)

  126. Dave Cridland

    Kev, SO you want me to drop the TLS/strong-auth requirements for mlinktrunk?

  127. Kev

    I have no idea.

  128. Kev

    Dave Cridland: I think that'd be sensible for today.

  129. Kev

    First establishing that everyone will interop without TLS seems sensible.

  130. Kev

    Even though we know that'll work.

  131. MattJ

    Fine by me

  132. Kev

    What else do people want to test? I think just checking TLS+s2s this week is sensible, as a baseline and a first effort at an interop event.

  133. Dave Cridland

    That's fine by me. Do we want to check reachability to MUC domains as well?

  134. Kev

    For the clients, I think checking that they'll all connect ok to a server. Checking they'll all connect to a server with only TLS. Checking they won't connect to a server without TLS and with PLAIN. Revoking a cert and checking they warn the user (Swift will fail this). Logging in with a user cert.

  135. Kev

    Dave Cridland: Each of the listed domains would be sensible, yes.

  136. Dave Cridland

    DO we know if all the servers are configured with an Interop CA cert?

  137. Kev

    I guess we'll discover that when we try testing identity verification :)

  138. Kev

    Will someone volunteer to set up a vhost with a self-signed cert, and one with a revoked cert?

  139. MattJ

    Dave Cridland, the last outstanding CSR is Florian's, which I'm now processing (just sent badlop's)

  140. Kev

    I'm happy to set up both of those vhosts, actually.

  141. Dave Cridland

    Kev, I can do that.

  142. Dave Cridland

    Kev, Oh, or you can, great.

  143. MattJ

    Florian's has no SANs... should we allow this? :)

  144. Kev

    Dave Cridland: Disadvantage of that is that it needs to be yet another server for you - as you can't vhost either of your existing ones?

  145. Dave Cridland

    Kev, Sure I can, can't I?

  146. Kev

    Not if you want to test interop between that server and the denied domains.

  147. Dave Cridland

    Ah. Well, yes. I couldn't test between other domains on the same server, no.

  148. Dave Cridland

    Okay, I've reconfigured.

  149. Dave Cridland

    Shall I run through first?

  150. Kev

    I think there's no harm in it.

  151. Dave Cridland

    So, mlinkrelease I get a pong.

  152. Dave Cridland

    (Which is just as well, frankly)

  153. Dave Cridland

    This all from mlinktrunk, BTW.

  154. Dave Cridland

    tigasetrunk, ping.

  155. Dave Cridland

    ejabberd21, ping.

  156. Florian


  157. Dave Cridland

    prosody8, ping.

  158. Dave Cridland

    psyced-db ping.

  159. Kev

    Florian: Subject alt names.

  160. Tobias

    i see you guys found the 'topic' feature ;)

  161. Dave Cridland

    psyced-dwd ping, psyced-sasl ping.

  162. fippo

    kev: would you put that list on the wiki please?

  163. Kev

    fippo: I'm doing so at the moment, yes.

  164. Dave Cridland

    So I think that's it from mlinktrunk. All success.

  165. MattJ

    Florian, the only domain you have listed is in the cn field, which isn't recommended

  166. Dave Cridland

    FWIW, I can even turn off checking that.

  167. Dave Cridland

    MattJ, You can add in other SANs before signing, though.

  168. Florian


  169. MattJ

    I can? Oh yes...

  170. MattJ

    That was staring me in the face

  171. fippo

    dave: that was with optional starttls? It might be worth repeating with tls disabled

  172. Dave Cridland

    RIght, just setting up a test account for mlinkrelease.

  173. Dave Cridland

    fippo, What, disabling TLS at my end?

  174. fippo

    yes. so we see that it fails with servers that <require/> tls

  175. Dave Cridland

    I think that's one to do later.

  176. Kev

    fippo: My intention is to do TLS requirements later.

  177. fippo


  178. MattJ

    Florian, do you have a MUC domain?

  179. Kev

    fippo: I'll set up vhosts with invalid certs (self-signed, mismatch, and revoked) and test that s2s doesn't work.

  180. fippo

    kev: add an expired one

  181. Florian


  182. Kev

    fippo: Do you hate my time that much? :)

  183. Dave Cridland

    Okay, so from mlinkrelease, this time.

  184. fippo

    kev: and one that does not contain the vhostname

  185. fippo

    kev: :-)

  186. Kev

    Or my DSA setup, for that matter.

  187. Kev

    Yes, I said I'd add one with a host mismatch.

  188. fippo


  189. Dave Cridland

    mlinktrunk, ping

  190. Dave Cridland

    ejabberd21 ping

  191. Dave Cridland

    prosody8 ping

  192. Dave Cridland

    psyced-db ping

  193. Dave Cridland

    psyced-dwd ping

  194. Dave Cridland

    psyced-sasl ping.

  195. MattJ

    since XMPP implementations should recognise both xmppAddr and SRVName, only one of them should be necessary in a cert, right?

  196. Dave Cridland

    In principle... But in principle they'll recognise a URI one as well.

  197. MattJ


  198. Dave Cridland

    In practise, most will rely on xmppAddr, and maybe sRVName.

  199. Dave Cridland

    tigasetrunk ping.

  200. Dave Cridland

    So full house from both.

  201. Dave Cridland

    As a general note to folk, you will need to bounce your servers, or force them to disconnect S2S some other way prior to running these tests.

  202. Dave Cridland

    Otherwise you may just be reusing connections.

  203. Dave Cridland

    (I say this because I only just remembered to do it)

  204. Dave Cridland

    So, who wants to go next?

  205. Dave Cridland


  206. fippo

    just doing...

  207. Dave Cridland

    12/ 8 14:38:03 xmppd 32680 (root ) I-MBOX-Info certificate (subject,OU=hangtime department,O=hangtime,L=The Internet,C=DE,, detail (email=fippo\\,ou=hangtime department,o=hangtime,l=The Internet,c=DE, error revocation status unknown for this certificate I shouldn't be seeing that, I don't think.

  208. Dave Cridland wonders if he's caching the CRL for some reason.

  209. Kev

  210. fippo

    full house from psyced-db to anyone with tls, two failures without tls (psyced-dwd and psyced-external, but they enforce tls so that is expected)

  211. Kev

    fippo: It'd be great if you cut put that in terms of my test numbers for me, please.

  212. Dave Cridland

    psyced-sasl, surely?

  213. fippo

    kev: will do on the wiki

  214. fippo

    dave: yes

  215. Kev

    fippo: Or that, thanks. I'm happy to put it in the wiki, if you paste something here, equally.

  216. Dave Cridland

    BTW, as far as I remember, all servers supported XEP-0199, and gave a positive result (ie, not an error).

  217. fippo

    and all servers support the good old jabber:iq:version (I prefer that to ping somehow)

  218. fippo

    Kev: arr, your test structure conflicts with my host setup

  219. Kev

    fippo: I think it just means that some of your hosts don't participate in some tests.

  220. fippo


  221. Kev

    e.g. ones that require TLS don't do test 1, they wait until test 2.

  222. Dave Cridland

    Well, we've not disabled TLS, so those ones should also work, still, surely?

  223. Kev

    Well, true.

  224. fippo


  225. fippo

    they will fail with tigase, but that is expected

  226. MattJ

    Kev, it says notls is not yet set up - feel free to point that at me

  227. MattJ

    I can set up a vhost with no c2s/s2s TLS

  228. Kev

    MattJ: On the same host, or a different one?

  229. Kev

    The problem with you using a vhost on one of the test systems is that you then can't test those.

  230. Dave Cridland

    MattJ, On a different server to prosody8, so you can test?

  231. MattJ

    Good point

  232. MattJ

    Kev, point it to

  233. Kev


  234. MattJ


  235. MattJ

    btw, I think everyone has certs now - shout if I missed a request

  236. Dave Cridland

    ANyone editing the Wiki now? If not, I'll stick my other results in.

  237. Kev

    I'll be requesting more certs shortly, and then asking you to revoke one of them :)

  238. Kev

    Dave Cridland: I am not.

  239. fippo

    dave: I just edited

  240. Dave Cridland

    Right, as did I, but quickly enough apparently.

  241. Kev

    "they will fail with tigase, but that is expected"

  242. Kev

    Expected because...?

  243. fippo

    Kev: because tigase does not do tls, so if it meets a server that enforces tls it should fail

  244. Kev

    So, server people, are there any basic s2s interop tests that we should be adding that I haven't yet done?

  245. Kev

    fippo: It will never do TLS over s2s?

  246. fippo

    kev: afaik no

  247. Dave Cridland asks Florian.

  248. Dave Cridland

    Anyway - who's next on doing the tests?

  249. fippo

    I am not seing a version attribute on the stream headers either

  250. Dave Cridland

    MattJ, ?

  251. MattJ


  252. MattJ

    I'm next I think

  253. Dave Cridland


  254. Dave Cridland

    stpeter, Are there any other server implementors we could bring in, do you think?

  255. stpeter

    have we pinged Openfire and jabberd2?

  256. Florian

    as a response to Dave's question: [15:04:05] <Artur> no, this is what I am working on right now :-)

  257. Florian

    (TLS on S2S)

  258. Kev

    stpeter: In as much as we pinged the relevant XSF lists, and I assume they listen to them.

  259. stpeter


  260. Kev

    Pinging them directly would not be a horrible idea.

  261. Dave Cridland

    stpeter, Who would we ping for those?

  262. stpeter

    I haven't seen a reply to the last message I sent to some Openfire folks

  263. MattJ


  264. Dave Cridland

    MattJ, Good point.

  265. stpeter

    Tomasz Serna is the jabberd2 contact --

  266. fippo

    Dave: if time permits (and that is a large if) I'll try to setup jabberd14

  267. MattJ

    stpeter, poked in jdev

  268. stpeter

    heh ok

  269. stpeter

    MattJ: Tomasz is there?

  270. MattJ


  271. stpeter


  272. stpeter

    that's the one :)

  273. stpeter

    I'll ping Jason Frankel at Coversant

  274. Dave Cridland

    I was just writing a mail to Dave Richards.

  275. Dave Cridland

    But two won't hurt.

  276. stpeter


  277. stpeter

    email sent to Jason

  278. MattJ

    Dave Cridland, did you ping manually?

  279. Dave Cridland

    MattJ, Once a year, yes.

  280. MattJ


  281. MattJ writes a script

  282. Dave Cridland

    MattJ, No, I used Gajim.

  283. MattJ


  284. Dave Cridland

    MattJ, Started a chat to each server and typed /ping

  285. MattJ

    Now there's an idea

  286. Dave Cridland

    MattJ, I'm full of 'em.

  287. MattJ

    I didn't say it was a good one

  288. stpeter

    I wonder if we need to cull the list of XMPP servers at

  289. MattJ

    Works, amazing

  290. MattJ

    stpeter, email them all, if they don't respond - remove them? :)

  291. bear

    stpeter - I was thinking of suggesting that after N rounds of interops we could start making active/inactive categories

  292. Dave Cridland

    stpeter, It might be interesting, if we can get these interop sessions to happen reasonably frequently, so say that in order to be listed to need to at least particpate in interop.

  293. stpeter

    MattJ: even better, ask them to participate in interop, if they don't participate then remove 'em

  294. MattJ


  295. stpeter


  296. stpeter


  297. MattJ

    and I thought I was being harsh

  298. Dave Cridland

    steve.kille, Fools seldom differ.

  299. stpeter

    quarterly interop week

  300. Dave Cridland

    stpeter, rather.

  301. Dave Cridland

    Didn't look at what "st<TAB>" gave me.

  302. stpeter


  303. MattJ

    or we make it a requirement to run a server at * :)

  304. bear also

  305. MattJ

    In the Prosody early days we had a test script that pinged each server there daily

  306. Dave Cridland

    MattJ, I'm not mad keen on constantly running an interop test server, to be honest. Unused/unwatched servers tend to develop embarrassing failures at the worst moment.

  307. MattJ

    bear, just point at, thanks ;)

  308. Kev

    I'm inclined to leave the DNS in place ready for next event, and to have the CA kept around ready to run up, but I don't think it's very valuable to have them up between events.

  309. MattJ

    Anyway, the server would be watched by me

  310. Kev

    Plus it increases the value of the interop events :)

  311. bear

    kev +1

  312. MattJ

    Interop events are inconvenient, there's little reason I need all of you here to do what I'm doing right now

  313. Dave Cridland

    MattJ, It's a social thing. We're all going out to drink beer afterward, right?

  314. MattJ

    Orange juice for me please

  315. Dave Cridland

    MattJ, Sure. Pay no attention to this bottle of vodka.

  316. MattJ

    I wish Gajim would let you inspect the server cert

  317. MattJ

    as a client

  318. MattJ

    Bouncing prosody8

  319. MattJ

    mlinktrunk: OK

  320. MattJ

    mlinkrelease: OK

  321. MattJ

    ejabberd21: OK

  322. MattJ

    pscyed-db: OK

  323. MattJ

    pscyed-sasl: FAIL

  324. Dave Cridland


  325. MattJ

    psyced-dwd: FAIL

  326. Dave Cridland

    Did you disable your cert (or TLS)?

  327. MattJ

    Going to check

  328. fippo

    verify result 34

  329. fippo

    ah... that critical extension thing

  330. MattJ

    Looks like they hung up on me

  331. Dave Cridland

    Ah - MattJ, you'll need to make yourself a new cert.

  332. MattJ


  333. Kev

    How could they?

  334. fippo

    they're evil

  335. Kev


  336. Kev

    Can someone confirm whether I've screwed up DNS for, please?

  337. Kev

    It looks to me like I have.

  338. Kev


  339. Kev

    ;; AUTHORITY SECTION: 3600 IN SOA 2010120803 14400 3600 604800 43200

  340. Dave Cridland 0 IN A

  341. Kev

    That means it's using the serial that's two older than the current (05)

  342. Dave Cridland


  343. Kev

    The intention was 1hour

  344. Dave Cridland

    Oh, no, that's opendns being crap.

  345. Dave Cridland

    SOA serial : 2010120803

  346. MattJ

    Bouncing prosody8

  347. MattJ

    Dave Cridland, why did M-Link not fail?

  348. Dave Cridland

    Also direct to Athena.

  349. Dave Cridland

    MattJ, Not configured to mandate TLS or strong-auth, so it'll have done dialback.

  350. MattJ

    Now my client can't log in - "no shared cipher" :(

  351. MattJ


  352. MattJ

    Key/cert mismatch I think

  353. MattJ

    Dec 08 15:32:12 s2smanager debug has no SRV records, falling back to A

  354. MattJ


  355. Kev


  356. Dave Cridland

    MattJ, It seems to...

  357. MattJ

    $ host -t srv Host not found: 3(NXDOMAIN)

  358. Dave Cridland


  359. MattJ


  360. MattJ


  361. fippo

    and you pinged pscyed, not psyced

  362. Dave Cridland

    Ah, yes...

  363. MattJ


  364. MattJ

    All work

  365. Kev

    Ok, DNS is confusing me.

  366. Dave Cridland


  367. Kev

    We're up to 2010120806, but I'm still getting 2010120803 from athena.

  368. Florob

    Isn't it reassuring if your software works better then you do :)

  369. Dave Cridland

    Have your reloaded bind, and, if so, is there anything in its logs about why it's refusing to load the zone?

  370. MattJ

    Florob, :)

  371. Kev

    I'm not even sure where bind logs.

  372. MattJ

    daemon.log for me, as named

  373. bear

    IIRC it's the default syslog output - /var/log/messages or somesuch

  374. Kev


  375. Kev


  376. Kev

    no.such IN A . Isn't a valid line.

  377. MattJ

    wiki updated

  378. MattJ

    but the other servers accept it?

  379. MattJ

    Wait - shouldn't that be SRV?

  380. Kev

    I was just asked to put a line with '.' in for '', so I assumed it was A that was wanter.

  381. Kev


  382. MattJ

    No, SRV, sorry

  383. Tobias

    Kev: the one that fippo mentioned was a SRV record IIRC

  384. MattJ

    the target is just .

  385. Kev

    Ok, working fine now, ta.

  386. MattJ

    Council in 15?

  387. Kev

    So I can get onto setting up the invalid TLS domains now :)

  388. Kev


  389. Tobias


  390. Kev

    expiredcert, mismatchcert and revokedcert are all up - albeit without the certs they claim to have.

  391. badlop

    i've installed the cert in ejabberd21, enabled TLS in c2s and s2s, it connected with TLS to all the other 7 Interop servers except, which apparently couldn't setup TLS

  392. Kev

    badlop: Is that with TLS required, or simply allowed?

  393. Dave Cridland

    badlop, Oh. Curious. One sec.

  394. badlop

    allowed, becayse ejabberd first attempts TLS, if anything fails it attempts non-TLS

  395. Dave Cridland

    I see it working, which is confusing. One sec, let me bounce my server and we'll have another go - it's mlink release, not trunk, right?

  396. Dave Cridland

    12/ 8 19:20:37 xmppd 07463 (root ) N-MBOX-Notice Peer authenticates via TLS. 12/ 8 19:20:37 xmppd 07463 (root ) I-MBOX-Info successful setup originating db connection from to

  397. Dave Cridland

    And I'm getting all that kind of stuff on mlinkrelease, which looks like it should be working.

  398. Dave Cridland

    And I can indeed ping ejabberd21 after a restart, too, from mlinkrelease.

  399. badlop

    and do you get the exact same report with mlinktrunk?

  400. Dave Cridland

    Ah. No. CRL failure. But, it still sets up a session.

  401. Dave Cridland

    Yup, pings there too.

  402. Dave Cridland

    badlop, When you say "connected with TLS", and "couldn't setup TLS", do you mean TLS itself, or EXTERNAL?

  403. badlop

    the logs don't explicit, so i imagine it's TLS

  404. badlop

    i'll check the source now

  405. badlop

    so, don't worry yet about what ejabberd reports

  406. Dave Cridland

    badlop, Well, we're seeing TLS setup but the CRL fail.

  407. Dave Cridland

    Looking into that, it seems the CRL DP has a PEM-encoded CRL, whereas the standard mandates a DER-encoded one. Our software is being picky. I'll figure out some instructions for MattJ

  408. Dave Cridland

    No, indeed, the PEM one does crl.pem in PEM, and the DER one does crl.crl in DER.

  409. Dave Cridland

    Ooops. Wrong window.

  410. Dave Cridland

    Although right conversation, bewilderingly.

  411. bear


  412. bear

    I figured you were just continuing your outloud debugging

  413. Dave Cridland

    MattJ, Can you export the CRL in DER format - that'll generate a crl.crl for you to put on that website.

  414. MattJ

    Overwrite the PEM one?

  415. Dave Cridland

    Yes. Standards says DER.

  416. MattJ

    Try now

  417. badlop

    Dave Cridland: right now, ejabberd -- mlinkrelease: s2s with TLS works

  418. badlop

    umm, ejabberd -> tigase doesn't work with TLS, because tigase response doesn't include stream:features: <?xml version='1.0'?> <stream:stream xmlns:stream='' xmlns='jabber:server' xmlns:db='jabber:server:dialback' to='' version='1.0'> </stream:stream> <stream:stream xmlns:stream='' xmlns='jabber:server' xmlns:db='jabber:server:dialback' id='f1cf3e1a-8405-4146-82d7-454d3cfb2105'> </stream:stream>

  419. Dave Cridland

    badlop, Right, Tigase doesn't do TLS over S2S.

  420. Kev

    That's not just not doing TLS, though - that's not doing XMPP 1.0, is it?

  421. Kev

    (Yes, I realise TLS is a requirement for XMPP 1.0 as well)

  422. badlop

    well, tigase doesn't advertise supporting xmpp 1.0, so tigase doesn't lie

  423. Kev

    Heh, true enough.

  424. Dave Cridland

    RIght, so something's up with the CRL checking code at the moment, so I've disabled that in mlinktrunk. :-(

  425. stpeter

    Dave Cridland: I did hear back from some folks at Coversant

  426. Kev


  427. Kev


  428. stpeter

    they said they'll check into it :)

  429. stpeter

    BTW, as to the 6-month schedule, perhaps it would be good to schedule the interop weeks something like mid-way between Summits

  430. stpeter

    e.g., April/May and then October/November

  431. stpeter

    just a thought

  432. Kev

    Yes, we could do. Or could do it in the lead up to summits, both have merit.

  433. stpeter


  434. stpeter

    well, one interop week at a time :)

  435. stpeter

    the lead-up makes quite a bit of sense -- raise issues that need to be hammered out

  436. Kev

    This is our first interop week, and it's showing things that need doing next time around, etc, so I think these will be iterative.

  437. stpeter

    that's good

  438. Kev

    Some responsibilities were clear in advance, some not so.

  439. Kev

    That the iteam should sort out certs and dns was decided, and obvious.

  440. Kev

    Who should be responsible for cajoling vendors into participating was left somewhat in the air, as was who should be deciding on what gets tested.

  441. Kev

    I've appointed myself the latter, as Council Chair makes some sense.

  442. Kev

    In the absense of any group decision.

  443. Kev

    Next time around it'd be good to have DNS/Certs/Test plans in advance :)

  444. stpeter


  445. stpeter

    yes, agreed

  446. Dave Cridland

    MattJ, You about?

  447. Dave Cridland

    Or alternately, can anyone get me the certificate off openssl's s_client isn't quite clever enough to grab it.

  448. fippo

    dave: I told you to get my patched version :-)

  449. Dave Cridland

    fippo, We have starttls xmpp, but it sends the hostname not the domain.

  450. fippo

    dave: so your patch is similar to the crippled one the openssl people accepted for c2s :-p (shall I start a rant about openssl and how to get a feature patch accepted?)

  451. remko

    there's xmpp starttls support in openssl?

  452. zash

    There is

  453. fippo

    there is - c2s, without support for servers that actually use srv records

  454. remko


  455. Dave Cridland

    fippo, Your patch is better?

  456. zash

    In, 0.9.8g and above IIRC

  457. fippo

    dave: you can specify starttls to+from indepently on the commandline

  458. zash

    no, later

  459. Dave Cridland

    fippo, Oh, cool. Where is it again?

  460. remko

    oh, *without* srv

  461. Dave Cridland

    zash, Not later. Now!

  462. zash

    Dave Cridland: Later version of openssl :/

  463. Dave Cridland

    zash, Oh... Right.

  464. fippo

    badlop: do you see any hints why a host named 'fippo.testing.openssl' is not offered tls (or version 1.0) from

  465. fippo

    typically, that tool works with ejabberd

  466. Dave Cridland

    fippo, Ah, yes, same for me. (With that tool, nice).

  467. fippo

    dave: it works with -connect -starttls_to

  468. Dave Cridland

    fippo, WOrks against mlinktrunk, too.

  469. badlop

    fippo: how can i reproduce that problem myself?

  470. Dave Cridland

    badlop, Can you send me the certificate?

  471. fippo

    dave: already gave you a link

  472. badlop

    Dave Cridland: if that link doesn't help, ask me again the cert

  473. Dave Cridland

    badlop, No, I missed the link.

  474. Dave Cridland

    badlop, All sorted now.