interop - 2010-12-08

  1. Florob has left
  2. Zash has left
  3. sjoerd.simons has joined
  4. steve.kille has left
  5. steve.kille has joined
  6. steve.kille has left
  7. steve.kille has joined
  8. steve.kille has left
  9. steve.kille has joined
  10. steve.kille has left
  11. steve.kille has joined
  12. steve.kille has left
  13. steve.kille has joined
  14. steve.kille has left
  15. steve.kille has joined
  16. steve.kille has left
  17. steve.kille has joined
  18. sjoerd.simons has left
  19. sjoerd.simons has joined
  20. steve.kille has left
  21. steve.kille has joined
  22. steve.kille has left
  23. steve.kille has joined
  24. steve.kille has left
  25. steve.kille has joined
  26. sjoerd.simons has left
  27. sjoerd.simons has joined
  28. steve.kille has left
  29. steve.kille has joined
  30. steve.kille has left
  31. steve.kille has joined
  32. steve.kille has left
  33. steve.kille has joined
  34. steve.kille has left
  35. steve.kille has joined
  36. sjoerd.simons has left
  37. steve.kille has left
  38. steve.kille has joined
  39. steve.kille has left
  40. steve.kille has joined
  41. Tobias has joined
  42. remko has joined
  43. tuomas has joined
  44. Flo has joined
  45. steve.kille has left
  46. steve.kille has joined
  47. MattJ has joined
  48. Sjoerd has joined
  49. Tobias has left
  50. Dave Cridland has left
  51. Dave Cridland has joined
  52. Sjoerd has left
  53. sjoerd.simons has joined
  54. Dave Cridland has left
  55. Dave Cridland has joined
  56. Kev Right, yes, DNS. fippo / Dave Cridland: What were the records you were suggesting adding yesterday?
  57. Dave Cridland Yesterday [20:56:49] [Isode Unclassified] Dave Cridland: [[Isode Unclassified]] Kev, When you're back, then, I have (5222/5269) servicing - feel free to give it a random hostname, like, say, :-)
  58. Kev Please check it's now right.
  59. Dave Cridland Kev, No A/AAAA records, but the SRV looks OK.
  60. Dave Cridland A is, AAAA is 2001:470:1f09:882:c0c8:f9ff:fec0:d982
  61. Kev Relly?
  62. Kev *really
  63. Kev IN A
  64. Kev That *looks* right to me.
  65. Kev Ah, no, because I'm a twit.
  66. Dave Cridland "."
  67. Kev mlinktrunk IN A
  68. Kev Should be happier now.
  69. Dave Cridland If I hadn't cached the duff records.
  70. Kev Oh, I'd assumed you'd be querying athena.
  71. Dave Cridland Can you stick in the AAAA as well, in case anyone's doing IPv6 interop too?
  72. Kev Done
  73. Dave Cridland Marv.
  74. Dave Cridland Can any server developers confirm that the service is reachable now?
  75. fippo it is - but it does not seem to do tls anymore?
  76. Tobias has joined
  77. Dave Cridland fippo, No, that's okay, haven't done that bit yet - doing that now. Thanks.
  78. bear I have a draft post for a very brief "day one" report of the interop - still chewing thru the logs for details but I wanted to get a post going
  79. bear could someone take a quick look for a review (I'm also going to post to comm team list)
  80. Dave Cridland Mail a draft to the interop mailing list?
  81. bear ah
  82. bear yes
  83. Dave Cridland should now have TLS-lovelyness.
  84. badlop has joined
  85. bear draft posted to list
  86. Dave Cridland bear, Matthew Wild was/is operating the CA.
  87. bear k
  88. fippo dave: works with with dialback-after-tls, that boring sasl thing and d-w-d
  89. Dave Cridland bear, And you're mixing both company names (Isode, Collabora) and product names (ejabberd, SAFEchat)
  90. bear I pulled from the wiki, hmm, guess I should also update/correct that then
  91. Dave Cridland bear, I think both are useful, but you're listing "SAFEchat" as a client developer (it's a client, the developers are BoldonJames) and Isode as a server (Whereas our server is called M-Link)
  92. bear oh - I see. that's a personal glitch of mine - I can never remember m-link and have always called your software Isode
  93. bear will beat that out of himself later
  94. Dave Cridland bear, Quite. Or Will will.
  95. bear eeek
  96. Dave Cridland OK, I've flipped my server into only accepting strong authentication (ie, TLS with a verifiable certificate) for anything within
  97. bear ok, text adjusted - sending new version to list
  98. fippo turns off tls and tests again
  99. Dave Cridland I'll do something similar for mlinkrelease in a moment. I'll require a valid cert, although mlinkrelease will accept dialback as sufficient and won't do CRL checking.
  100. Dave Cridland Actually, mlinkrelease will even accept no TLS at all, so I may not bother.
  101. fippo works - I get a policy violation dialback error
  102. Dave Cridland 12/ 8 12:12:29 xmppd 32268 (root ) D-MBOX-Auth Rejecting (require tls peer control) connect from server
  103. Dave Cridland fippo, Ah, yes, dialback errors too. :-)
  104. Dave Cridland fippo, Posh, aren't we?
  105. fippo you might want to put a <required/> into starttls :-)
  106. waqas has joined
  107. Tobias has left
  108. Dave Cridland fippo, Oh, isn't it there? I thought I'd got that as long as you sent a from (so it can look for the peer control) or if it's global (which it isn't on that server)
  109. Dave Cridland Oh. No, we don't - I carefully set a flag and then never use it. Well, that's an easy fix.
  110. fippo :-)
  111. fippo mh... I have a problem reaching trunk from -sasl
  112. fippo you don't offer external
  113. Zash has joined
  114. Dave Cridland 12/ 8 12:38:53 xmppd 32268 (root ) I-MBOX-Info Verifying certificate 12/ 8 12:38:53 xmppd 32268 (root ) I-MBOX-Info certificate (subject emailA,OU=XMPP Department,O=Your Organisation,L=The Internet,C=DE,, detail (email=fippo\\,ou=XMPP Department,o=Your Organisation,l=The Internet,c=DE,cn=psyced-dwd.xmpptest.com) error revocation status unknown for this certificate 12/ 8 12:38:53 xmppd 32268 (root ) N-MBOX-Notice TLS certificate verification failed 12/ 8 12:38:53 xmppd 32268 (root ) D-MBOX-Auth Rejecting (require strong auth peer control) connect from server
  115. Dave Cridland AH... I wonder if Matt's updated his CRL...
  116. fippo back to debugging x509 stuff :-)
  117. Dave Cridland No, it's just that Matt's not updated the CRL, so it's expired.
  118. Dave Cridland Hence M-Link can't tell if the CRL simply hasn't been updated, or if it's been replayed to conceal your certificate being revoked.
  119. Tobias has joined
  120. Zash So, who's winning? :)
  121. Tobias has left
  122. Florian right ...
  123. Florian MattJ: can I send you my CSR?
  124. MattJ Sure,
  125. Kev Zash: I'll be writing some suggested tests shortly.
  126. MattJ Florian, ah, got your PM, thanks
  127. Kev So at least there's some guidance on what to test :)
  128. MattJ set the topic to XMPP Interop Event | 6th - 11th December 2010 |
  129. Florian :)
  130. Florian is there anything I need to do? Anything broken in Tigase that I should report back?
  131. Dave Cridland MattJ, Can you update the CRL file on the website?
  132. MattJ Dave Cridland, yes, I realised I hadn't done that this morning
  133. MattJ I regenerated it, but something distracted me from uploading
  134. MattJ There's a reason to use https for CRLs - an attacker could serve an old CRL over HTTP with nothing more than DNS poisoning
  135. Kev Florian: As nothing much has been tested yet ...
  136. Dave Cridland MattJ, No, because CRLs expire, so a replay attack has limited value.
  137. MattJ Aha
  138. steve.kille Technically, CRLs indicate when a new one will be issued, which is advisory rather than a hard expiration date, although it is generally treated as an expiration date
  139. MattJ This one's in date for a year, so have fun while you can
  140. fippo Kev: ah, I missed that dns question earlier. I would like a srv record for pointing to "."
  141. Florian lol
  142. Kev fippo: Ok. Why, though?
  143. MattJ I second the request
  144. MattJ don't ask questions :)
  145. fippo Kev: servers should stop attempting to connect that domain
  146. Kev Oh, should they?
  147. Dave Cridland Kev, Yes.
  148. MattJ They should, see the recent discussion on the list
  149. Kev Permanently?
  150. MattJ for as long as they would cache a normal SRV lookup
  151. Kev Oh, well, that's no time at all presumably :)
  152. Kev (For clients, anyway)
  153. MattJ it's better than pointing your records to and waiting for $TCP_TIMEOUT
  154. MattJ this is a definitive way of saying "There is no XMPP service at this domain, give up"
  155. Dave Cridland Kev, Well, you *can* argue that it's the TTL, however I don't think that anything other than caching resolvers should actually cache.
  156. Kev no.such now has an entry of .
  157. MattJ Thanks
  158. MattJ Dave Cridland, why do you think that?
  159. Kev Although the results look a whole lot like they do for an entry that just doesn't exist.
  160. fippo mattj: old jabberd tried to cache itself - it was a bad idea
  161. Kev bear: I'll read your post in a moment, thanks.
  162. MattJ fippo, why? (you may guess by now that Prosody caches)
  163. Dave Cridland MattJ, Because it's just as fast to run a caching nameserver on the same machine, and that's more likely to be written by people who know about DNS.
  164. bear no worries kev - I need to give it a couple hours to let other TZ's a chance to respond
  165. MattJ Fair enough
  166. fippo mattj: iirc it did not expire those records properly
  167. MattJ :)
  168. MattJ We fixed that bug a long time ago :)
  169. Zash has left
  170. Dave Cridland So presumably, if the CRL's been updated, then everyone should now be able to connect to (and everything else)?
  171. louiz’ has joined
  172. MattJ Does OpenSSL do CRL checking automatically? It's likely I could connect to you all along :)
  173. remko no
  174. Dave Cridland MattJ, No, don't think so. We don't use it for that, anyway. (I think it can parse CRLs, etc, but I don't think it'll fetch them for you)
  175. remko if you look at the manual, you'll see that it has error codes for CRL, but that they are "Unused by OpenSSL"
  176. MattJ Lovely
  177. Kev Right, so, tests.
  178. Kev I'll put stuff on the wiki, but I'm thinking that something like this is sensible:
  179. Kev * Check a server can receive an iq response to a ping to each server, with whatever configuration.
  180. remko mattj: i'm wrong i think
  181. Kev * Set some of the servers (all that support it) to require TLS on s2s, test iq still works.
  182. Kev * Set servers to require TLS with identity verification, test iq still works.
  183. remko MattJ: i take everything back. I should have known better than to trust on openssl documentation
  184. Kev That tests a base level of interop using s2s and TLS, I think.
  185. MattJ :)
  186. Kev * If any of the servers allow turning off dialback completely, doing that, and repeating.
  187. Kev (Dialback isn't bad, but relying on it is)
  188. Kev * Setting up a vhost on one of the servers, issuing and revoking a cert, and checking it can't then connect to any servers.
  189. MattJ and everyone fails that except M-Link? :)
  190. Dave Cridland Kev, So you want me to drop the TLS/strong-auth requirements for mlinktrunk?
  191. Kev I have no idea.
  192. Kev Dave Cridland: I think that'd be sensible for today.
  193. Kev First establishing that everyone will interop without TLS seems sensible.
  194. Kev Even though we know that'll work.
  195. MattJ Fine by me
  196. Kev What else do people want to test? I think just checking TLS+s2s this week is sensible, as a baseline and a first effort at an interop event.
  197. Dave Cridland That's fine by me. Do we want to check reachability to MUC domains as well?
  198. Kev For the clients, I think checking that they'll all connect ok to a server. Checking they'll all connect to a server with only TLS. Checking they won't connect to a server without TLS and with PLAIN. Revoking a cert and checking they warn the user (Swift will fail this). Logging in with a user cert.
  199. Kev Dave Cridland: Each of the listed domains would be sensible, yes.
  200. Dave Cridland Do we know if all the servers are configured with an Interop CA cert?
  201. Kev I guess we'll discover that when we try testing identity verification :)
  202. Kev Will someone volunteer to set up a vhost with a self-signed cert, and one with a revoked cert?
  203. MattJ Dave Cridland, the last outstanding CSR is Florian's, which I'm now processing (just sent badlop's)
  204. Kev I'm happy to set up both of those vhosts, actually.
  205. Dave Cridland Kev, I can do that.
  206. Dave Cridland Kev, Oh, or you can, great.
  207. MattJ Florian's has no SANs... should we allow this? :)
  208. Kev Dave Cridland: Disadvantage of that is that it needs to be yet another server for you - as you can't vhost either of your existing ones?
  209. Dave Cridland Kev, Sure I can, can't I?
  210. Kev Not if you want to test interop between that server and the denied domains.
  211. Dave Cridland Ah. Well, yes. I couldn't test between other domains on the same server, no.
  212. Dave Cridland Okay, I've reconfigured.
  213. Dave Cridland Shall I run through first?
  214. Kev I think there's no harm in it.
  215. Tobias has joined
  216. Dave Cridland So, mlinkrelease I get a pong.
  217. Dave Cridland (Which is just as well, frankly)
  218. Dave Cridland This all from mlinktrunk, BTW.
  219. Dave Cridland tigasetrunk, ping.
  220. Dave Cridland ejabberd21, ping.
  221. Florian SANs?
  222. Dave Cridland prosody8, ping.
  223. Dave Cridland psyced-db ping.
  224. Kev Florian: Subject alt names.
  225. Tobias i see you guys found the 'topic' feature ;)
  226. Dave Cridland psyced-dwd ping, psyced-sasl ping.
  227. fippo kev: would you put that list on the wiki please?
  228. Kev fippo: I'm doing so at the moment, yes.
  229. Dave Cridland So I think that's it from mlinktrunk. All success.
  230. MattJ Florian, the only domain you have listed is in the cn field, which isn't recommended
  231. Dave Cridland FWIW, I can even turn off checking that.
  232. Dave Cridland MattJ, You can add in other SANs before signing, though.
  233. Florian yeh
  234. MattJ I can? Oh yes...
  235. MattJ That was staring me in the face
  236. fippo dave: that was with optional starttls? It might be worth repeating with tls disabled
  237. Dave Cridland Right, just setting up a test account for mlinkrelease.
  238. Dave Cridland fippo, What, disabling TLS at my end?
  239. fippo yes. so we see that it fails with servers that <require/> tls
  240. Dave Cridland I think that's one to do later.
  241. Kev fippo: My intention is to do TLS requirements later.
  242. fippo wfm
  243. MattJ Florian, do you have a MUC domain?
  244. Kev fippo: I'll set up vhosts with invalid certs (self-signed, mismatch, and revoked) and test that s2s doesn't work.
  245. Florob has joined
  246. fippo kev: add an expired one
  247. Florian muc.*
  248. Kev fippo: Do you hate my time that much? :)
  249. Dave Cridland Okay, so from mlinkrelease, this time.
  250. fippo kev: and one that does not contain the vhostname
  251. fippo kev: :-)
  252. Kev Or my DSA setup, for that matter.
  253. Kev Yes, I said I'd add one with a host mismatch.
  254. fippo ah
  255. Dave Cridland mlinktrunk, ping
  256. Dave Cridland ejabberd21 ping
  257. Dave Cridland prosody8 ping
  258. Dave Cridland psyced-db ping
  259. Dave Cridland psyced-dwd ping
  260. Dave Cridland psyced-sasl ping.
  261. MattJ since XMPP implementations should recognise both xmppAddr and SRVName, only one of them should be necessary in a cert, right?
  262. Dave Cridland In principle... But in principle they'll recognise a URI one as well.
  263. MattJ .
  264. Dave Cridland In practice, most will rely on xmppAddr, and maybe sRVName.
  265. Dave Cridland tigasetrunk ping.
  266. Dave Cridland So full house from both.
  267. Dave Cridland As a general note to folk, you will need to bounce your servers, or force them to disconnect S2S some other way prior to running these tests.
  268. Dave Cridland Otherwise you may just be reusing connections.
  269. Dave Cridland (I say this because I only just remembered to do it)
  270. Dave Cridland So, who wants to go next?
  271. Dave Cridland Anyone?
  272. fippo just doing...
  273. Dave Cridland 12/ 8 14:38:03 xmppd 32680 (root ) I-MBOX-Info certificate (subject,OU=hangtime department,O=hangtime,L=The Internet,C=DE,, detail (email=fippo\\,ou=hangtime department,o=hangtime,l=The Internet,c=DE, error revocation status unknown for this certificate I shouldn't be seeing that, I don't think.
  274. Dave Cridland wonders if he's caching the CRL for some reason.
  275. Kev
  276. fippo full house from psyced-db to anyone with tls, two failures without tls (psyced-dwd and psyced-external, but they enforce tls so that is expected)
  277. Kev fippo: It'd be great if you could put that in terms of my test numbers for me, please.
  278. Dave Cridland psyced-sasl, surely?
  279. fippo kev: will do on the wiki
  280. fippo dave: yes
  281. Florian has left
  282. Kev fippo: Or that, thanks. I'm happy to put it in the wiki, if you paste something here, equally.
  283. Dave Cridland BTW, as far as I remember, all servers supported XEP-0199, and gave a positive result (ie, not an error).
  284. fippo and all servers support the good old jabber:iq:version (I prefer that to ping somehow)
  285. fippo Kev: arr, your test structure conflicts with my host setup
  286. Kev fippo: I think it just means that some of your hosts don't participate in some tests.
  287. fippo yeah
  288. Kev e.g. ones that require TLS don't do test 1, they wait until test 2.
  289. Dave Cridland Well, we've not disabled TLS, so those ones should also work, still, surely?
  290. Kev Well, true.
  291. fippo yeah
  292. fippo they will fail with tigase, but that is expected
  293. MattJ Kev, it says notls is not yet set up - feel free to point that at me
  294. MattJ I can set up a vhost with no c2s/s2s TLS
  295. Kev MattJ: On the same host, or a different one?
  296. Kev The problem with you using a vhost on one of the test systems is that you then can't test those.
  297. Dave Cridland MattJ, On a different server to prosody8, so you can test?
  298. MattJ Good point
  299. MattJ Kev, point it to
  300. Kev Ta.
  301. MattJ brb
  302. MattJ btw, I think everyone has certs now - shout if I missed a request
  303. Dave Cridland Anyone editing the Wiki now? If not, I'll stick my other results in.
  304. Kev I'll be requesting more certs shortly, and then asking you to revoke one of them :)
  305. Kev Dave Cridland: I am not.
  306. fippo dave: I just edited
  307. Dave Cridland Right, as did I, but quickly enough apparently.
  308. Kev "they will fail with tigase, but that is expected"
  309. Kev Expected because...?
  310. fippo Kev: because tigase does not do tls, so if it meets a server that enforces tls it should fail
  311. Kev So, server people, are there any basic s2s interop tests that we should be adding that I haven't yet done?
  312. Kev fippo: It will never do TLS over s2s?
  313. fippo kev: afaik no
  314. stpeter has joined
  315. Dave Cridland asks Florian.
  316. Dave Cridland Anyway - who's next on doing the tests?
  317. fippo I am not seeing a version attribute on the stream headers either
  318. Dave Cridland MattJ, ?
  319. MattJ back
  320. MattJ I'm next I think
  321. Dave Cridland OK.
  322. Dave Cridland stpeter, Are there any other server implementors we could bring in, do you think?
  323. Florian has joined
  324. stpeter have we pinged Openfire and jabberd2?
  325. Florian as a response to Dave's question: [15:04:05] <Artur> no, this is what I am working on right now :-)
  326. Florian (TLS on S2S)
  327. Kev stpeter: In as much as we pinged the relevant XSF lists, and I assume they listen to them.
  328. stpeter rightio
  329. Kev Pinging them directly would not be a horrible idea.
  330. Dave Cridland stpeter, Who would we ping for those?
  331. stpeter I haven't seen a reply to the last message I sent to some Openfire folks
  332. MattJ Coversant?
  333. Dave Cridland MattJ, Good point.
  334. stpeter Tomasz Serna is the jabberd2 contact --
  335. fippo Dave: if time permits (and that is a large if) I'll try to setup jabberd14
  336. MattJ stpeter, poked in jdev
  337. stpeter heh ok
  338. stpeter MattJ: Tomasz is there?
  339. MattJ smoku
  340. stpeter right
  341. stpeter that's the one :)
  342. stpeter I'll ping Jason Frankel at Coversant
  343. Dave Cridland I was just writing a mail to Dave Richards.
  344. Dave Cridland But two won't hurt.
  345. stpeter yep
  346. stpeter email sent to Jason
  347. MattJ Dave Cridland, did you ping manually?
  348. Dave Cridland MattJ, Once a year, yes.
  349. MattJ .
  350. MattJ writes a script
  351. Dave Cridland MattJ, No, I used Gajim.
  352. MattJ s/writes/adopts/
  353. Dave Cridland MattJ, Started a chat to each server and typed /ping
  354. MattJ Now there's an idea
  355. Dave Cridland MattJ, I'm full of 'em.
  356. MattJ I didn't say it was a good one
  357. stpeter I wonder if we need to cull the list of XMPP servers at
  358. MattJ Works, amazing
  359. MattJ stpeter, email them all, if they don't respond - remove them? :)
  360. bear stpeter - I was thinking of suggesting that after N rounds of interops we could start making active/inactive categories
  361. Dave Cridland stpeter, It might be interesting, if we can get these interop sessions to happen reasonably frequently, to say that in order to be listed you need to at least participate in interop.
  362. stpeter MattJ: even better, ask them to participate in interop, if they don't participate then remove 'em
  363. MattJ Heh
  364. stpeter heh
  365. stpeter GMTA
  366. MattJ and I thought I was being harsh
  367. Dave Cridland steve.kille, Fools seldom differ.
  368. stpeter quarterly interop week
  369. Dave Cridland stpeter, rather.
  370. Florian has left
  371. Dave Cridland Didn't look at what "st<TAB>" gave me.
  372. stpeter brb
  373. MattJ or we make it a requirement to run a server at * :)
  374. bear also
  375. MattJ In the Prosody early days we had a test script that pinged each server there daily
  376. Dave Cridland MattJ, I'm not mad keen on constantly running an interop test server, to be honest. Unused/unwatched servers tend to develop embarrassing failures at the worst moment.
  377. MattJ bear, just point at, thanks ;)
  378. Kev I'm inclined to leave the DNS in place ready for next event, and to have the CA kept around ready to run up, but I don't think it's very valuable to have them up between events.
  379. MattJ Anyway, the server would be watched by me
  380. Kev Plus it increases the value of the interop events :)
  381. bear kev +1
  382. MattJ Interop events are inconvenient, there's little reason I need all of you here to do what I'm doing right now
  383. Dave Cridland MattJ, It's a social thing. We're all going out to drink beer afterward, right?
  384. MattJ Orange juice for me please
  385. Dave Cridland MattJ, Sure. Pay no attention to this bottle of vodka.
  386. MattJ I wish Gajim would let you inspect the server cert
  387. MattJ as a client
  388. Florian has joined
  389. MattJ Bouncing prosody8
  390. MattJ mlinktrunk: OK
  391. MattJ mlinkrelease: OK
  392. MattJ ejabberd21: OK
  393. MattJ pscyed-db: OK
  394. MattJ pscyed-sasl: FAIL
  395. Dave Cridland Fail?
  396. MattJ psyced-dwd: FAIL
  397. Dave Cridland Did you disable your cert (or TLS)?
  398. MattJ Going to check
  399. fippo verify result 34
  400. fippo ah... that critical extension thing
  401. MattJ Looks like they hung up on me
  402. Dave Cridland Ah - MattJ, you'll need to make yourself a new cert.
  403. MattJ Aha
  404. Kev How could they?
  405. fippo they're evil
  406. Kev Natch.
  407. Florian has left
  408. Kev Can someone confirm whether I've screwed up DNS for, please?
  409. Kev It looks to me like I have.
  410. Kev Oh.
  411. Kev ;; AUTHORITY SECTION: 3600 IN SOA 2010120803 14400 3600 604800 43200
  412. Dave Cridland 0 IN A
  413. Kev That means it's using the serial that's two older than the current (05)
  414. Dave Cridland zero-TTL?
  415. Kev The intention was 1hour
  416. Dave Cridland Oh, no, that's opendns being crap.
  417. Florian has joined
  418. Dave Cridland SOA serial : 2010120803
  419. MattJ Bouncing prosody8
  420. MattJ Dave Cridland, why did M-Link not fail?
  421. Dave Cridland Also direct to Athena.
  422. Dave Cridland MattJ, Not configured to mandate TLS or strong-auth, so it'll have done dialback.
  423. MattJ Now my client can't log in - "no shared cipher" :(
  424. MattJ Hmm
  425. MattJ Key/cert mismatch I think
  426. MattJ Dec 08 15:32:12 s2smanager debug has no SRV records, falling back to A
  427. MattJ Grr
  428. Kev o_O
  429. Florian has left
  430. Dave Cridland MattJ, It seems to...
  431. Florian has joined
  432. MattJ $ host -t srv Host not found: 3(NXDOMAIN)
  433. Dave Cridland _tcp
  434. MattJ oops
  435. Florian has left
  436. MattJ Ok
  437. fippo and you pinged pscyed, not psyced
  438. Dave Cridland Ah, yes...
  439. MattJ Grr
  440. MattJ All work
  441. Kev Ok, DNS is confusing me.
  442. Dave Cridland Why?
  443. Kev We're up to 2010120806, but I'm still getting 2010120803 from athena.
  444. Florob Isn't it reassuring if your software works better then you do :)
  445. Dave Cridland Have you reloaded bind, and, if so, is there anything in its logs about why it's refusing to load the zone?
  446. MattJ Florob, :)
  447. Kev I'm not even sure where bind logs.
  448. MattJ daemon.log for me, as named
  449. bear IIRC it's the default syslog output - /var/log/messages or somesuch
  450. Kev Ta.
  451. Kev Ah.
  452. Kev no.such IN A . Isn't a valid line.
  453. MattJ wiki updated
  454. MattJ but the other servers accept it?
  455. MattJ Wait - shouldn't that be SRV?
  456. Kev I was just asked to put a line with '.' in for '', so I assumed it was A that was wanter.
  457. Kev s/wanter/wanted/
  458. MattJ No, SRV, sorry
  459. Tobias Kev: the one that fippo mentioned was a SRV record IIRC
  460. MattJ the target is just .
  461. Kev Ok, working fine now, ta.
  462. MattJ Council in 15?
  463. Kev So I can get onto setting up the invalid TLS domains now :)
  464. Kev Yep.
  465. Tobias jup
  466. prefiks has joined
  467. prefiks has left
  468. prefiks has joined
  469. prefiks has left
  470. Kev expiredcert, mismatchcert and revokedcert are all up - albeit without the certs they claim to have.
  471. Florob has left
  472. Florian has joined
  473. Florian has left
  474. badlop i've installed the cert in ejabberd21, enabled TLS in c2s and s2s, it connected with TLS to all the other 7 Interop servers except, which apparently couldn't setup TLS
  475. Kev badlop: Is that with TLS required, or simply allowed?
  476. Dave Cridland badlop, Oh. Curious. One sec.
  477. badlop allowed, because ejabberd first attempts TLS, if anything fails it attempts non-TLS
  478. Dave Cridland I see it working, which is confusing. One sec, let me bounce my server and we'll have another go - it's mlink release, not trunk, right?
  479. Dave Cridland 12/ 8 19:20:37 xmppd 07463 (root ) N-MBOX-Notice Peer authenticates via TLS. 12/ 8 19:20:37 xmppd 07463 (root ) I-MBOX-Info successful setup originating db connection from to
  480. Dave Cridland And I'm getting all that kind of stuff on mlinkrelease, which looks like it should be working.
  481. Dave Cridland And I can indeed ping ejabberd21 after a restart, too, from mlinkrelease.
  482. badlop and do you get the exact same report with mlinktrunk?
  483. Dave Cridland Ah. No. CRL failure. But, it still sets up a session.
  484. Dave Cridland Yup, pings there too.
  485. Florian has joined
  486. Dave Cridland badlop, When you say "connected with TLS", and "couldn't setup TLS", do you mean TLS itself, or EXTERNAL?
  487. badlop the logs don't say explicitly, so i imagine it's TLS
  488. badlop i'll check the source now
  489. badlop so, don't worry yet about what ejabberd reports
  490. bear has left
  491. bear has joined
  492. Tobias has left
  493. Florob has left
  494. Florian has left
  495. Dave Cridland has left
  496. Dave Cridland has joined
  497. Dave Cridland badlop, Well, we're seeing TLS setup but the CRL fail.
  498. Dave Cridland Looking into that, it seems the CRL DP has a PEM-encoded CRL, whereas the standard mandates a DER-encoded one. Our software is being picky. I'll figure out some instructions for MattJ
  499. Dave Cridland No, indeed, the PEM one does crl.pem in PEM, and the DER one does crl.crl in DER.
  500. Dave Cridland Ooops. Wrong window.
  501. Dave Cridland Although right conversation, bewilderingly.
  502. bear :)
  503. bear I figured you were just continuing your outloud debugging
  504. Dave Cridland MattJ, Can you export the CRL in DER format - that'll generate a crl.crl for you to put on that website.
  505. MattJ Overwrite the PEM one?
  506. Dave Cridland Yes. Standards says DER.
  507. MattJ Try now
  508. Florian has joined
  509. Tobias has joined
  510. badlop Dave Cridland: right now, ejabberd -- mlinkrelease: s2s with TLS works
  511. Florian/Der Graf has joined
  512. tuomas has left
  513. Tobias has left
  514. Zash has joined
  515. Kanchil/Der Graf has joined
  516. Kanchil/Der Graf/Der Graf has joined
  517. Kanchil/Der Graf/Der Graf has left
  518. MattJ/Der Graf has joined
  519. MattJ/Der Graf has left
  520. remko has left
  521. remko has joined
  522. Asterix has joined
  523. Florian/Der Graf has joined
  524. remko has left
  525. Florian has left
  526. badlop umm, ejabberd -> tigase doesn't work with TLS, because tigase response doesn't include stream:features: <?xml version='1.0'?> <stream:stream xmlns:stream='' xmlns='jabber:server' xmlns:db='jabber:server:dialback' to='' version='1.0'> </stream:stream> <stream:stream xmlns:stream='' xmlns='jabber:server' xmlns:db='jabber:server:dialback' id='f1cf3e1a-8405-4146-82d7-454d3cfb2105'> </stream:stream>
  527. Dave Cridland badlop, Right, Tigase doesn't do TLS over S2S.
  528. Kev That's not just not doing TLS, though - that's not doing XMPP 1.0, is it?
  529. Kev (Yes, I realise TLS is a requirement for XMPP 1.0 as well)
  530. badlop well, tigase doesn't advertise supporting xmpp 1.0, so tigase doesn't lie
  531. Kev Heh, true enough.
  532. Florian has joined
  533. remko has joined
  534. remko has left
  535. remko has joined
  536. steve.kille has left
  537. remko has left
  538. remko has joined
  539. Dave Cridland Right, so something's up with the CRL checking code at the moment, so I've disabled that in mlinktrunk. :-(
  540. remko has left
  541. remko has joined
  542. Zash has left
  543. zash has joined
  544. Florian/Der Graf has left
  545. Tobias has joined
  546. Tobias has left
  547. steve.kille has joined
  548. remko has left
  549. Tobias has joined
  550. Tobias has left
  551. steve.kille has left
  552. steve.kille has joined
  553. sjoerd.simons has left
  554. sjoerd.simons has joined
  555. sjoerd.simons has left
  556. Sjoerd has joined
  557. Sjoerd has left
  558. sjoerd.simons has joined
  559. remko has joined
  560. Tobias has joined
  561. remko has left
  562. stpeter Dave Cridland: I did hear back from some folks at Coversant
  563. Kev Excellent.
  564. Kev Whatsaythey?
  565. stpeter they said they'll check into it :)
  566. stpeter BTW, as to the 6-month schedule, perhaps it would be good to schedule the interop weeks something like mid-way between Summits
  567. stpeter e.g., April/May and then October/November
  568. stpeter just a thought
  569. remko has joined
  570. sjoerd.simons has left
  571. sjoerd.simons has joined
  572. sjoerd.simons has left
  573. Kev Yes, we could do. Or could do it in the lead up to summits, both have merit.
  574. stpeter true
  575. stpeter well, one interop week at a time :)
  576. stpeter the lead-up makes quite a bit of sense -- raise issues that need to be hammered out
  577. Kev This is our first interop week, and it's showing things that need doing next time around, etc, so I think these will be iterative.
  578. stpeter that's good
  579. Kev Some responsibilities were clear in advance, some not so.
  580. Kev That the iteam should sort out certs and dns was decided, and obvious.
  581. Kev Who should be responsible for cajoling vendors into participating was left somewhat in the air, as was who should be deciding on what gets tested.
  582. Kev I've appointed myself the latter, as Council Chair makes some sense.
  583. Kev In the absence of any group decision.
  584. Kev Next time around it'd be good to have DNS/Certs/Test plans in advance :)
  585. sjoerd.simons has joined
  586. stpeter nice:
  587. stpeter yes, agreed
  588. Dave Cridland MattJ, You about?
  589. Dave Cridland Or alternately, can anyone get me the certificate off openssl's s_client isn't quite clever enough to grab it.
  590. fippo dave: I told you to get my patched version :-)
  591. Dave Cridland fippo, We have starttls xmpp, but it sends the hostname not the domain.
  592. fippo dave: so your patch is similar to the crippled one the openssl people accepted for c2s :-p (shall I start a rant about openssl and how to get a feature patch accepted?)
  593. remko there's xmpp starttls support in openssl?
  594. zash There is
  595. fippo there is - c2s, without support for servers that actually use srv records
  596. remko handy
  597. Dave Cridland fippo, Your patch is better?
  598. zash In, 0.9.8g and above IIRC
  599. fippo dave: you can specify starttls to+from independently on the commandline
  600. zash no, later
  601. Dave Cridland fippo, Oh, cool. Where is it again?
  602. remko oh, *without* srv
  603. Dave Cridland zash, Not later. Now!
  604. zash Dave Cridland: Later version of openssl :/
  605. Dave Cridland zash, Oh... Right.
  606. remko has left
  607. Kev has left
  608. fippo badlop: do you see any hints why a host named 'fippo.testing.openssl' is not offered tls (or version 1.0) from
  609. fippo typically, that tool works with ejabberd
  610. Dave Cridland fippo, Ah, yes, same for me. (With that tool, nice).
  611. fippo dave: it works with -connect -starttls_to
  612. Dave Cridland fippo, Works against mlinktrunk, too.
  613. badlop fippo: how can i reproduce that problem myself?
  614. Tobias has left
  615. Dave Cridland badlop, Can you send me the certificate?
  616. fippo dave: already gave you a link
  617. Flo has left
  618. badlop Dave Cridland: if that link doesn't help, ask me for the cert again
  619. Dave Cridland badlop, No, I missed the link.
  620. Dave Cridland badlop, All sorted now.
  621. Asterix has left
  622. Tobias has joined
  623. Tobias has left
  624. zash has left
  625. Florob has joined
  626. waqas has left