interop - 2010-12-10

  1. steve.kille has left
  2. steve.kille has joined
  3. steve.kille has left
  4. steve.kille has joined
  5. Florob has joined
  6. Florob has left
  7. MattJ Bouncing prosody8
  8. MattJ fippo, awake?
  9. MattJ psyced-sasl doesn't like me
  10. MattJ Everything else seems to work
  11. MattJ Dec 10 01:44:05 s2souta052b68 debug Received[s2sout_unauthed]: <success xmlns='urn:ietf:params:xml:ns:xmpp-sasl'> Dec 10 01:44:05 debug SASL EXTERNAL with succeeded
  12. MattJ but I don't receive a pong
  13. MattJ Ah
  14. MattJ It would help if I trusted the interop CA cert, wouldn't it? :)
  15. Zash This host does not serve
  16. Zash 3600 IN A
  17. Zash ^^
  18. Zash no srv
  19. MattJ Ah yes, thanks for reminding me
  20. MattJ !uptime
  21. MattJ !slap Kanchil
  22. Kanchil slaps Kanchil with large trout
  23. MattJ Actually I don't need to restart
  24. Zash !version
  25. Kanchil Zash: Kanchil is running Riddim version alpha on an unknown platform
  26. Zash MattJ: btw, that reminds me, Riddim has no !uptime plugin yet
  27. Zash !slap MattJ
  28. Kanchil slaps MattJ with large trout
  29. Zash And can do that ;)
  30. MattJ I'll have more time for even Riddim soon :)
  31. Zash Bot interop event! \o/ ... ;P
  32. Zash has left
  33. Zash has joined
  34. Zash has left
  35. Zash has joined
  36. Zash has left
  37. Zash has joined
  38. Zash has left
  39. MattJ has left
  40. steve.kille has left
  41. steve.kille has joined
  42. steve.kille has left
  43. remko has joined
  44. remko has left
  45. tuomas has joined
  46. remko has joined
  47. Kev Right then, Friday.
  48. remko and still need to set up the servers of thursday :)
  49. Kev So, today's plan. Make servers require TLS, and require trusted and valid certs.
  50. Kev And if MattJ hasn't done notls yet, that still needs doing.
  51. Kev remko: Just notls?
  52. remko yes, and i still need an account on tigase (Florian?)
  53. Kev So the failures machines are all in place apart from expiredcert, which is presenting the wrong cert (although it's also expired), and notls.
  54. steve.kille has joined
  55. steve.kille Kev: I would have thought that expiredcert should be valid in every way, except that it has expired??
  56. Kev Yes.
  57. Kev That's why I said expiredcert isn't in place yet.
  58. Tobias has joined
  59. steve.kille ah yes - can parse your sentence now!
  60. Flo has joined
  61. badlop has joined
  62. Kev has left
  63. Kev has joined
  64. Kev expiredcert is in place now too.
  65. badlop yes, and ejabberd connects using tls to all of them :S
  66. Kev Well, that's one up from connecting without TLS to them :)
  67. Dave Cridland Right, I'll give it a run though.
  68. Kev We still don't have notls, but that's largely just interesting for the clients^h testing.
  69. Kev Given that we have Tigase.
  70. Kev tigasetrunk, rather
  71. steve.kille why do we need notls in addition to Tigase?
  72. Kev steve.kille: It would be good to test it against an XMPP server not offering TLS, as well as the legacy protocol.
  73. Kev But largely, it's so that the clients can test correct handling of not having TLS when PLAIN is the only available mech.
  74. Dave Cridland Okay, that's odd. I seem to be able to connect to everything except Tigase, and NoTls. So I suspect my settings are out, but I thought I'd checked them...
  75. Kev I haven't verified that the expired cert is actually expired, or that the revoked cert is actually revoked, mind.
  76. Dave Cridland It was yesterday.
  77. Dave Cridland And the expiredcert being expired forced us into using SodiumCA instead of OpenSSL to build the PKCS#12, if you recall.
  78. Kev Yes.
  79. Dave Cridland 12/10 10:44:39 xmppd 21382 (root ) I-MBOX-Info Verifying certificate 12/10 10:44:39 xmppd 21382 (root ) I-MBOX-Info certificate (subject emailA,OU=XMPP Department,O=Your Organisation,L=Th e Internet,C=GB,, detail (email=xmpp\\40revokedcert.,ou=XMPP Department,o=Your Organisation,l=The Internet,c=GB,cn=revok error certificate has been revoked (unspecified reason) 12/10 10:44:39 xmppd 21382 (root ) N-MBOX-Notice TLS certificate verificat ion failed 12/10 10:44:39 xmppd 21382 (root ) I-MBOX-Info successful setup of a recei ving db connection from to
  80. Dave Cridland Right, so this is acting as if strong auth isn't required, which isn't right.
  81. Dave Cridland Re-running gives me the (internal) errors I'd expect. So we may have a bug with reloading, since I suspect the option simply didn't take.
  82. Dave Cridland SO I'm not getting a connection (TCP level) to fippo's psyced-db or psyced-dwd at the moment. I'll give those another go later.
  83. Dave Cridland Otherwise, prosody8, ejabberd21, mlinkrelease, psyced-sasl all work, the rest fail.
  84. Dave Cridland Okay, psyced-db now works, but -dwd still gives me a connection refused.
  85. fippo psyced-db works? it should not currently
  86. fippo as both -db and -dwd are down
  87. Dave Cridland 12/10 11:15:37 xmppd 21687 (root ) I-MBOX-Info Verifying certificate 12/10 11:15:37 xmppd 21687 (root ) I-MBOX-Info certificate (subject emailA,OU=hangtime department,O=hangtime,L=The Internet,C =DE, verified ok
  88. Dave Cridland Pretty sure it's the right server I'm talking to.
  89. fippo oh wait... my bad
  90. fippo it's supposed to be down
  91. Dave Cridland Okay. COnnecting securely to servers that aren't actually online would be quite a trick.
  92. fippo badlop: would you mind sending a from in the stream header?
  93. badlop yes, show me an example of problematic stream header
  94. Florob has joined
  95. badlop ok, patch applied and verified
  96. fippo thanks
  97. badlop yet another patch from interop to next release :)
  98. fippo that might even increase the chance of using sasl on the public network from 5% to 15%
  99. Tobias heh
  100. Dave Cridland badlop, I've a bunch of those too, now.
  101. Dave Cridland has left
  102. Dave Cridland has joined
  103. fippo too
  104. Dave Cridland fippo, Reminds me - you should be seeing tls as <required/> by mlinktrunk now?
  105. Kev I'd say that would justify claiming the interop week has been a success, then.
  106. Dave Cridland In as much as we've got most things to work and fixed a bunch of bugs.
  107. fippo and we have a better plan how to organize the next interop event
  108. steve.kille What might be test targets in the next event?
  109. Dave Cridland steve.kille, Well, we still have a day on this one. I'm aiming to spend this afternoon seeing if I can get XEP-0288 to work with fippo's servers.
  110. fippo dave: whoop!
  111. steve.kille \o/
  112. Dave Cridland fippo, DO you have a XEP-0288 that'll accept non-TLS connections from anywhere? It'll speed up my testing.
  113. steve.kille Are these extras getting recorded in the Wiki?
  114. fippo dave: i'll change the config of -dwd so it doesn't require tls
  115. fippo dialback without dial-back worked quite well, too. So we just need someone to write it up :-)
  116. Dave Cridland steve.kille, The extras are getting recorded, but I've not written up the '198 testing that Matt and I did yesterday, mostly because I didn't stay to see it complete. But we certainly got close.
  117. Dave Cridland fippo, Yes. Don't you have a draft XEP?
  118. Dave Cridland fippo, I should have probably mentioned that mlinktrunk does dialback without dialback as well. I don't know if anyone actually used it, though.
  119. Zash has joined
  120. fippo dave: i think psyced-db should have been using it the last two days
  121. Dave Cridland fippo, Ah, good.
  122. Flo has left
  123. Bob (BJ) has joined
  124. Dave Cridland Right. So it must be time to implement XEP-0288, then.
  125. will.thompson has joined
  126. Florian has left
  127. will.thompson has left
  128. Zash !xep 288
  129. Kanchil Zash: XEP-0288: Bidirectional Server-to-Server Connections is Standards Track (Experimental, 2010-10-04) See:
  130. Zash Yes, it's already a week old, clearly it's time to implement it!! :D
  131. MattJ has joined
  132. will.thompson has joined
  133. will.thompson Dave Cridland: your implementation of google:queue works perfectly. It did highlight that our keepalive pings are *way* too frequent though :p
  134. Tobias google:queue?
  135. Dave Cridland Tobias, Evil closed standard thing. But a good idea, so I've implemented it and started to draft a XEP.
  136. Bob (BJ) Anyone care to give me an account on their server so I can test my client?
  137. MattJ Does google:queue have client-facing controls?
  138. Tobias Dave Cridland: is that draft already published as a XEP?
  139. Dave Cridland MattJ, Yes,
  140. Dave Cridland Tobias, No.
  141. Tobias k
  142. will.thompson
  143. Dave Cridland Tobias, I need to write up both Google's implementation and a more standardsish one.
  144. MattJ Oh well, I have an implementation minus any controls
  145. will.thompson we hacked it into Gabble for the N900. It's particularly important on GTalk because, unless you engage it, they whitespace-ping you every 30 seconds, so even if you have a sensible interval between pings... you still wake up all the time
  146. MattJ Heh
  147. Tobias ahh, this thing, i remember it now :)
  148. MattJ Bob (BJ),, password xmpptest
  149. MattJ Kev, notls should be working since last night
  150. Kev Ah, gerat.
  151. Kev remko: ^
  152. Bob (BJ) You got an IP address for that. I don't seem to be able to resolve via DNS.
  153. MattJ Bob (BJ), does your client support SRV records?
  154. MattJ If not, interop failure #1 :)
  155. will.thompson Dave Cridland: ah, one catch. the version of Gabble on the N900 only looks for google:roster to trigger queue, not google:queue. (Google doesn't actually advertise the latter; I guess we only added that speculative check in a later version.) Annoying.
  156. MattJ Dave Cridland, fippo, anyone: any familiarity with "unhandled critical CRL extension"?
  157. Dave Cridland MattJ, I can ask the X.509 people. Any idea what the extension in question *is*?
  158. MattJ Looking at the certs, my suspicion is CRLissuer
  159. MattJ which is present in all the certs
  160. MattJ and OpenSSL prints <unknown> as its value when it prints the cert
  161. Dave Cridland I'll look into it - I suspect this is an issue with what Sodium's putting into the certs.
  162. MattJ Thanks
  163. MattJ How does it work for you? :)
  164. MattJ OpenSSL source comment:
  165. MattJ /* See if we have any critical CRL extensions: since we * currently don't handle any CRL extensions the CRL must be * rejected.
  166. Bob (BJ) has left
  167. Dave Cridland MattJ, We don't use OpenSSL for CRL checking, so we'd be affected in entirely different ways (if at all).
  168. MattJ Ah, ok
  169. Dave Cridland So if it's complaining about the CRL itself, then it has to be the CRL, not the certs.
  170. fippo mattj: I can look into that when I found out who _removed_ my crl code
  171. remko Kev, MattJ: thanks, i'll see if i can't connect to notls tonight
  172. MattJ Dave Cridland, no, I think it's the certs
  173. MattJ let me check
  174. Bob (BJ) has joined
  175. MattJ Ah no, you may be right
  176. Kev remko: Well, you shouldn't be able to connect to it :)
  177. remko right
  178. Bob (BJ) has left
  179. Bob (BJ) has joined
  180. Dave Cridland MattJ, Okay, so Sodium CA is inserting an extension into the CRL incorrectly.
  181. MattJ Yay
  182. Dave Cridland MattJ, If I understand correctly, the extension "MUST NOT" be there because the CRL is being issued directly by the CA, but as far as I can tell it's mandatory in every other case, so OpenSSL could run into issues potentially with other CAs.
  183. MattJ So it seems
  184. MattJ You can disable the check (which is what I've done for now), but that's clearly not ideal :)
  185. Bob (BJ) has left
  186. fippo mattj: verify error code 36?
  188. Bob (BJ) has joined
  189. MattJ Yes, 36
  190. fippo I get that too (but at least revokedcert. fails properly
  191. MattJ but so do all the other certs, no?
  192. fippo yes, but revokedcert fails with X509_V_ERR_CERT_REVOKED at least
  193. Bob (BJ) has left
  194. MattJ fippo, what version of OpenSSL are you using?
  195. Bob (BJ) has joined
  196. fippo mattj: it claims to be 0.9.8g but is probably debian pimped
  197. Dave Cridland MattJ, The only extension in the CRL itself that's critical is the Issuing DP - but that's optionally generated by Sodium CA. Just uncheck the box on the "Generate CRL..." dialog.
  198. MattJ Ok, thanks
  199. MattJ fippo, they changed the code in OpenSSL 1.x
  200. MattJ that comment now reads:
  201. MattJ /* The rules changed for this... previously if a CRL contained * unhandled critical extensions it could still be used to indicate * a certificate was revoked. This has since been changed since * critical extension can change the meaning of CRL entries. */
  202. Kev So, is there anything people need of me today?
  203. Kev Is there anything else we should have on the test plan? I'm fairly comfortable with both the server and client tests.
  204. MattJ Looks fine
  205. Kev MattJ: Just checking - is notls set to only offer PLAIN?
  206. MattJ Aha, good point - Prosody won't offer PLAIN on unencrypted connections either
  207. MattJ I'll set it to offer just PLAIN
  208. fippo Kev: for the next time I have some dialback failures - but I need to write them up and think about how to test them
  209. Kev fippo: That'd be great, thanks.
  210. Kev We can start planning the tests for next time as soon as we're done here, if you want.
  211. MattJ We should set up more tricky DNS situations next time
  212. Zash mixed A and SRV?
  213. MattJ Like testing correct SRV target selection
  214. Kev That's hard, but sure.
  215. MattJ and IDNA
  216. Zash and make a SRV query return a CNAME ?
  217. MattJ Kev, it's not really hard, is it?
  218. Kev Zash: That's not an interesting test, I think.
  219. Kev Something working against invalid input isn't as interesting as it failing against valid :)
  220. fippo zash: I wanted to test that, but bind won't do it anymore
  221. Kev Or am I missing a security consideration why that's worth testing?
  222. Zash Iduno, but I have a CNAME catch-all thingy :)
  223. Zash But IDN and IPv6
  224. Kev Both worth testing.
  225. Dave Cridland Zash, IDN with X.509 is particularly interesting. I know we fail that one right now.
  226. fippo IDN + x509 sounds like fun!
  227. Zash !ping nödåtgä
  228. MattJ +1
  229. Zash aw
  230. Kanchil Zash: Pong from nödåtgä in 7.021 seconds
  231. MattJ :D
  232. MattJ UTF8 processing overhead? :)
  233. Kev BTW Zash / MattJ, I upgraded Kanchil
  234. Zash !version
  235. Kanchil Zash: Kanchil is running Riddim version alpha on an unknown platform
  236. Zash Kev: You say?
  237. MattJ I guess I should go and fix verse, riddim and clix to squish with the latest Prosody repo
  238. Zash :)
  239. Zash Also, latest says "I am running .."
  240. Kev Zash: Well, I should have updated.
  241. Kev I certainly tried to.
  242. MattJ did you hg pull -u? :)
  243. MattJ I think git updates the working copy by default when you pull
  244. MattJ hg doesn't
  245. Kev Gotcha.
  246. Zash MattJ: git, true
  247. MattJ hg up
  248. Zash hg pull says you should do hg up iirc
  249. MattJ Bouncing prosody8
  250. Bob (BJ) has left
  251. MattJ fippo, have you broken -db and -dwd? :)
  252. MattJ I can't see the stream header you send, but Prosody is rejecting your stream:features, with "unbound prefix"
  253. fippo mattj: -db is down and I just changed sth in -dwd (which is mostly for dave)
  254. MattJ Apt
  255. Zash wants a SRV aware netcat :/
  256. MattJ Zash, "clix raw"
  257. MattJ kind of
  258. fippo mattj: -dwd should work again
  259. fippo (not sure how it behaves in that test though :-)
  260. Zash MattJ: ohrly
  261. MattJ Zash, it does XMPP auth for you, then acts as telnet
  262. Zash MattJ: But, for testing non-xmpp things :)
  263. MattJ How would SRV help then? :)
  264. Dave Cridland (14:32:34) Send (217) <?xml version='1.0'?><stream:stream xmlns='jabber:server' xmlns:db='jabber:server:dialback' xmlns:stream='' to='' from='' version='1.0'> (14:32:34) Recv (222) <stream:features><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/><switch xmlns=''><scheme>psyc</scheme></switch><dialback xmlns='urn:xmpp:features:dialback'><errors/></dialback></stream:features> (14:32:34) Send (102) <stream:error><bad-format xmlns='urn:ietf:params:xml:ns:xmpp-streams'/></stream:error></stream:stream>
  265. fippo dave: fixed already
  266. Dave Cridland fippo, No, still like that.
  267. MattJ +1
  268. fippo ah... restarted the wrong server
  269. MattJ Heh
  270. MattJ I'm terrified I'm going to bounce by mistake before the day is out
  271. Dave Cridland MattJ, Yeah, I'm glad I'm far, far away from
  272. MattJ Bouncing prosody8, this time with mod_dialback unloaded just to make sure :)
  273. MattJ Dave Cridland, M-Link does dialback even with EXTERNAL?
  274. Dave Cridland MattJ, I just noticed that. :-)
  275. Dave Cridland MattJ, But the answer si that M-Link doesn't really overly care about how it authenticates to you, or indeed how you want to authenticate to it - it'll just care that it can authenticate you.
  276. MattJ You mean as long as I have a valid cert I could say <message><body>Hey, I'm</body></message>? :)
  277. MattJ if I remove dialback from the stream header will it use EXTERNAL?
  278. Dave Cridland It will. But I've swapped around the processing order for features, so I'll update it shortly to use EXTERNAL.
  279. MattJ ok
  280. MattJ There's something up
  281. MattJ I'm not getting any pongs for my pings to mlinktrunk
  282. MattJ but Prosody reckons both s2s streams are up and running
  283. Dave Cridland I just bounced it, actually.
  284. Dave Cridland Now supporting a (very weakly tested) XEP-0288 Bidi.
  285. Dave Cridland As well as (I think) preferring to do EXTERNAL over dialback. Although that's obviously slower, so perhaps I should switch back.
  286. MattJ Eh? :)
  287. Dave Cridland EXTERNAL has more round-trips.
  288. MattJ Are you sure?
  289. Dave Cridland MattJ, With d-w-d, then yes.
  290. MattJ Cheat
  291. Dave Cridland MattJ, You say "cheat", I say "optimized".
  292. MattJ I'm still getting no pong
  293. MattJ Maybe it's my fault, same with ejabberd
  294. fippo I still get pongs from trunk
  295. Dave Cridland Just bouncing it to clear everything, then I'll try.
  296. Dave Cridland OK, something really odd going on... I've got to do the school run again, but we'll figure it out when I get back.
  297. MattJ k
  298. MattJ The world falls apart without dialback :)
  299. fippo it doesn't without EXTERNAL :-)
  300. MattJ Quite :)
  301. fippo so the path is clear
  302. MattJ Plus d-w-d should be trivial to implement
  303. fippo btw: if you're bored you could implement bidi
  304. MattJ I'd like to get 198 working first
  305. MattJ then I shall
  306. Dave Cridland MattJ, Most of my bidi implementation time was thinking "But that can't be all it is..."
  307. MattJ Dave Cridland, I do think it should be really easy to implement, especially in Prosody
  308. MattJ all our code sends stanzas to the the incoming s2s stream
  309. MattJ just Prosody redirects it at the last minute
  310. MattJ bidi would just turn off the redirection
  311. fippo dave: same for me
  312. fippo there is a tricky thing about not sending db:verify on the same connection where I am not sure if this works as expected - but you should not have that problem
  313. fippo since you're doing dialback-3
  314. Dave Cridland OK, I think I've fixed that issue.
  315. Dave Cridland MattJ, You should be able to ping me now. Turns out that once it'd done the stream restart, it basically sat waiting, instead of deciding the stream was setup.
  316. MattJ Dialback is enabled again so I can test 198
  317. MattJ it should be enabling on outgoing streams now
  318. Dave Cridland MattJ, I'm doing EXTERNAL again, or should be.
  319. Dave Cridland Just bouncing that server yet again - I've been meaning to apply a patch that should stop an irritating crash.
  320. stpeter has joined
  321. Dave Cridland Oh, gosh, that's odd. :-)
  322. Dave Cridland So, I'm now doing EXTERNAL again, and actually carrying on, only I'm *also* doing dialback. Whoops. :-)
  323. MattJ :)
  324. Dave Cridland *sigh* I'm still doing that. Which is very annoying. But on the plus side, you're still not enabling 198, so I don't feel quite so bad.
  325. stpeter heh
  326. fippo dave: the solution is to remove any EXTERNAL related code :-)
  327. Dave Cridland fippo, I know, I know. I'll make it an option, soon enough.
  328. Dave Cridland fippo, But the standard says we must, so we must.
  329. remko has left
  330. remko has joined
  331. remko has left
  332. stpeter prepares to submit revised versions of 3920bis and xmpp-address
  333. steve.kille Dave Cridland/fippo - sounds like the standards need fixing
  334. steve.kille We have way too many handshakes as it, and getting rid of the SASL handshakes for single connection secure S2S sounds like a senisilbe standardization objective
  335. remko has joined
  336. steve.kille stpeter: what do you think?
  337. Dave Cridland steve.kille, Not so much fixing, as we need to document d-w-d properly, and ensure that it's perceived as acceptable.
  338. stpeter I think I don't want to make more changes to 3920bis at this moment for feature of introducing too many perturbations late in the process :)
  339. steve.kille Althought helpful now, I am not sure the d-w-d name will be helpful long term
  340. remko has left
  341. Dave Cridland Ah, success. Now only authenticating once.
  342. stpeter but I suggest that we complete more interop testing over the next 12 months, submit an implementation report based on the feature set in 3920bis, then rev the document again (hopefully after we have the address format fixed)
  343. Dave Cridland MattJ, So, I'm now fixed. Are you waiting until you've got a resource bound before enabling 198? That might be problematic on S2S.
  344. remko has joined
  345. steve.kille stpeter: sounds like a reasonable plan to me
  346. MattJ Dave Cridland, hmm, I don't think so - hold
  347. stpeter there are enough changes between 3920 and 3920bis that I think continued interop testing and deployment feedback will be productive
  348. stpeter while we work in parallel on those thorny internationalization issues
  349. MattJ stpeter, I suspect future versions might (reference a) document about dialback-without-dialback :)
  350. steve.kille can we have a new name for it?
  351. MattJ dwd is good, isn't it Dave? :)
  352. stpeter MattJ: that would be good, I think -- based on what little I've read about it, which is only Dave's blog post
  353. MattJ I don't think anyone else has had a XEP named after them before
  354. fippo dave: actually, what would happen if I tried to do EXTERNAL twice on a single stream (i.e. multiple authentications)?
  355. MattJ I need to figure out what protocol mattj is an acronym for
  356. stpeter has been tempted to define an extension whose acronym is "PSA" :)
  357. MattJ !xep 198
  358. Kanchil MattJ: XEP-0198: Stream Management is Standards Track (Draft, 2010-03-05) See:
  359. MattJ Dave Cridland, missing xmlns declaration - looks a lot healthier now
  360. remko has left
  361. Dave Cridland fippo, We'd drop the stream.
  362. Dave Cridland MattJ, Ew.... I've just noticed I'm requesting acks even when I'm only writing to the stream to ack... That's nasty. I'll fix that.
  363. Florob has left
  364. Florob has joined
  365. fippo Dave: damn - but that would only allow to negotiate multiple source domains anyway
  366. tuomas has left
  367. MattJ Hmm
  368. MattJ Someone doing piggybacking asking for another remote domain - I'm not sure I'd considered that
  369. fippo mattj: "target piggybacking"? haven't seen that outside my lab
  370. steve.kille has left
  371. steve.kille has joined
  372. Dave Cridland Oops. My experiment with source piggybacking is not going all that well.
  373. Dave Cridland I seem to be piggybacking my MUC domain around 6 times a second.
  374. Dave Cridland Does that make it the authentication stronger?
  375. MattJ :)
  376. MattJ Did you get my responses to your 198 message(s)?
  377. Dave Cridland MattJ, Yes, but they came through to my Gajim, of course.
  378. MattJ Dave Cridland, so all is well?
  379. fippo has left
  380. fippo has joined
  381. will.thompson has left
  382. badlop is halfway implementing cert verification in ejabberd, and hopes the (notls|expiredcert|mismatchcert|revokedcert|selfcert) servers will be up a pair of days more
  383. Tobias has left
  384. fippo badlop: selfsigned should be easy to find on public servers - CN=ejabberd is the most common certificate :-)
  385. MattJ :)
  386. MattJ Feel free to shoot on sight the admin of any server with CN="Prosody Example Certificate", that's expired, and self-signed
  387. MattJ except for me
  388. Zash Hah
  389. Tobias has joined
  390. MattJ Wait... ejabberd doesn't do EXTERNAL already?
  391. MattJ I was sure it did
  392. fippo no, it gets offered external but does not do use it yet
  393. Dave Cridland MattJ, I thought it did too - I'm sure I remember testing mine against when it was ejabberd.
  394. MattJ There was someone in jabber@ once
  395. MattJ They ran a public server using ejabberd
  396. Dave Cridland Your poetry is useless. Doesn't even rhyme.
  397. MattJ They were doing some testing on their laptop, and span up a test instance with their user db
  398. MattJ behind a firewalled NAT, they claimed their ejabberd instance had sent out unsubscribes on behalf of their domain
  399. MattJ they had the certs configured on their laptop, we put it down to EXTERNAL
  400. fippo mattj: you still want to update the wiki
  401. MattJ Mmm, yes
  402. MattJ I didn't conclude my testing because of the number of issues I had when I stopped advertising dialback :)
  403. MattJ Maybe I just shouldn't do that
  404. MattJ Heh
  405. fippo yeah... I wonder if I should have failed ejabberd actually...
  406. fippo but it was worthy enough to get offered external
  407. fippo I guess that is one of the points we should specify more cleary next time
  408. fippo wonders if we will have to test xep-0238
  409. MattJ Any 1.0 server capable of TLS can be offered external
  410. MattJ and TLS was tested yesterday, no? :)
  411. fippo well... xep 0178 has this "only offer it if it will succeed" rule
  412. MattJ Sure, but that's not a function of the implementation, but of the cert it uses
  413. fippo which is good because if the peer attempts external and this fails this will increase roundtrips
  414. Dave Cridland fippo, Right, I have a slightly better variant on my source-piggybacking attempt - can I point it at (one of the) psyced-* servers to test?
  415. stpeter has left