jdev - 2020-03-29


  43. lovetox how does auth with client cert work?
  44. lovetox is there a rfc or xep on that?
  45. Link Mauve XEP-0257 might tell you about it.
  46. Link Mauve Maybe more XEP-0178.
  48. lovetox thanks
  51. lovetox ok i want to test that on my server, what would i use to create a CA cert on the server then sign a user cert with it?
  54. lovetox i guess i can do this with openssl
  55. pep. Creating a CA cert yes for sure. Have a look into easy-something, what was it again, I think it comes packaged with openvpn
  56. pep. Helpers to create self-signed CA etc.
  57. pep. easy-rsa
  58. pep. https://github.com/OpenVPN/easy-rsa. Or ride the openssl like a warrior
  126. adrien Hello, I'm spending some time on a little xmpp client project to do my own pubsub explorer. Actually, I'm able to connect to my server and I'm working with libxml2++. libxml2++ is a bit hard to use, because almost every object of this libxml2 wrapper isn't copyable. So, I'm looking for another XML parser and I've found that some people use XML Schema directly to automatically parse and create c++ objects (see https://codesynthesis.com/products/xsd/). Do you think that's a good option to work directly with rfc/xep provided xsd files?
  128. Syndace Hi adrien, sorry to disappoint you but the XSD's are not always accurate and are not normative either. You will most probably run into issues when using them.
  130. Syndace Also, do you write the pubsub explorer for fun or because you need it for something else?
  132. Link Mauve adrien, in xmpp-parsers (https://crates.io/crates/xmpp-parsers) I’ve been trying to automatically create parsers and serialisers for all relevant XMPP stanzas and payloads.
  133. Link Mauve I couldn’t use schemas because they aren’t strict enough for Rust in their types.
  135. mathieui lovetox, Link Mauve told me you were trying to setup a CA and stuff for SASL EXTERNAL; I have never done it for poezio because the supported use case was only use with custom certs through XEP-0257
  136. mathieui if you really need it I could find general documentation as I have to fiddle with CAs and X.509 certs at work too
  137. lovetox mathieui, that would be great, otherwise i don't know how long i have to spend to get this right, never created a cert
  138. lovetox Gajim supports that forever
  139. lovetox i just need to test it now to see if it even works
  143. adrien @Syndace that's for fun, to try to write an application with modern c++
  144. adrien Thanks for the advice about the xsd, so I won't try to use them directly
  145. mathieui lovetox, I think I have this https://gist.github.com/mtigas/952344 that should cover most of what you want
  148. mathieui (for XEP-0257 setups you only need to generate a self-signed cert, that’s easier, but if you have the server setup with a CA and everything, that page should cover most of it)
  149. Link Mauve adrien, maybe have a look at Swiften, it also has such XMPP parsers and is written in modern C++.
  151. lovetox thanks mathieui
  152. lovetox just to be correct, gajim does not support 257, the cert management stuff
  153. lovetox i just want to connect using a client cert
  154. pep. lovetox, have you looked into easy-rsa?
  155. mathieui ok, then either you need the server setup, or you use another client supporting 0257 to set your cert, then use gajim to connect
  156. lovetox ok maybe i misunderstand something, i thought i can just add a cert to the trust store on the server
  157. lovetox and if some client auths with a cert that was signed by that cert
  158. lovetox the server says: ok
  159. lovetox so i thought i create a self signed cert, add it to the server
  160. lovetox then sign another cert, and give it to the user
  161. lovetox is that not how it works?
  162. mathieui lovetox, on prosody I guess you can just use https://modules.prosody.im/mod_auth_ccert.html and add your CA to the server, then connect using a client signed with it, I don’t know how much of https://xmpp.org/extensions/xep-0178.html is implemented in there
  163. mathieui For 0257 auth there is https://modules.prosody.im/mod_client_certs.html
  164. lovetox yes, exactly, that's what i'm planning to do
  165. lovetox but does your doc also cover that?
  166. lovetox so i need to create a CA cert, then sign one other cert
  167. lovetox is a CA cert in any way special? or is it just a cert that signed another cert
  168. Zash A CA cert is a self-signed cert.
  169. pep. Zash, "it depends"? Somewhere on top of the chain there is a self-signed cert :p
  170. Zash Semantics?
  171. Zash I guess you could call the intermediate certs CA certs too
  172. pep. Yes and they wouldn't be self-signed :-°
  173. Zash There's a CA:TRUE flag in the cert data structure on the root certs
  174. mathieui lovetox, yes, it is a self-signed cert
  175. mathieui FYI for XMPP you might need to use a .cnf similar to the one in https://modules.prosody.im/mod_client_certs.html to generate the CSR
  176. Zash Does the client cert get sent encrypted yet?
  184. defanor GnuTLS's certtool is handy for that too: `certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca-cert.pem` and answering a few questions to generate a CA certificate, then `certtool --generate-certificate --load-privkey key.pem --outfile cert.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem` to generate a client certificate signed with it, if you're okay with setting `certificate_match = "email"` for Prosody's ccert.
  189. lovetox but it says --load-privkey ca-key.pem
  190. lovetox so i need first to generate that or?
  191. Zash mod_auth_ccert works with CA-issued client certificates, not self-signed, so yes, you need a CA
  192. Zash also no password auth at all iirc
  193. pep. ca-key.pem is probably easily generated with `openssl genrsa -out ca-key.pem 2048 or 4096`
  194. pep. Or other key types
  195. defanor Indeed, or `certtool --generate-privkey --outfile ca-key.pem`
  196. defanor (Likewise with key.pem.)
  197. lovetox ok, i went with mathieui's link and it seems to work fine, thanks for all the suggestions
  198. lovetox ok last thing can somebody help with that
  199. lovetox it is encapsulated as an id-on-xmppAddr Object Identifier ("xmppAddr"), i.e., a subjectAltName entry of type otherName with an ASN.1 Object Identifier of "id-on-xmppAddr"
  200. lovetox so i need to add this to the openssl req?
  201. lovetox but how exactly, sounds lot more complicated than it probably is
  202. Zash lovetox: https://modules.prosody.im/mod_client_certs.html#generating-your-certificate
  203. Zash That has example conf
  204. Zash Just gotta figure out how to do that in a CA scenario instead of self-signed
  205. lovetox thanks
  206. lovetox hm interesting, so the server should bind the jid that's in the cert
  207. lovetox so if the client selects another cert he has suddenly a different jid in the client
  208. lovetox seems troublesome
  209. Zash lovetox: If you're using CA-issued certs then the CA would be responsible for checking that the certificate identity matches.
  210. lovetox matches an account on the server
  211. lovetox i think from a client point of view
  212. Zash Doesn't strictly have to be the JID in the cert, as long as the server can match it with a local account.
  213. lovetox and what this means for the UI if the user can just change the jid with selecting another cert
  214. Zash Assuming here the CA issues them multiple certs
  215. Zash Having multiple accounts would mean multiple certs. No different from having multiple accounts with different passwords.
  216. lovetox yes, but that means i should only allow the user to set the cert in the account creation workflow in the client
  217. lovetox and not as a kind of setting within the account to change the cert
  218. lovetox or if, then only if the new cert matches the jid of the old
  219. Zash You'd need some way to replace it when the cert expires and gets renewed
  221. lovetox ok so i have to have that check
  222. lovetox if he selects one with another jid, i tell him go to account creation wizard and add another account
  223. lovetox is this something companies use?
  224. Zash Don't know for sure, but that seems likely.
  225. lovetox and in the pros it is listed that the user has to type no password
  226. lovetox are such certs issued usually without password?
  227. Zash They might need to unlock the private key somehow
  228. flow hopefully they do
  229. lovetox so no password is the standard
  230. lovetox but i have to expect one that needs a password
  231. flow you wouldn't want your private ssh key unprotected on disk either
  233. lovetox but the argument is, you issue per device certs then
  234. lovetox and if you lose the cert you deactivate it
  235. flow right, but hopefully the per device cert is also protected on the device
  236. Zash you'd revoke it or some such
  237. flow and be it android's full device encryption
  238. lovetox just saying if the user has a password for the cert, then why not just use that password to login into the account
  239. lovetox why the hassle with the certs
  240. flow so in any scenario, "no password" shouldn't be true, it just depends on when and how often you enter the password
  242. flow lovetox, well 1. per device tokens 2. stronger coupling with the TLS layer
  243. flow and on (modern) android devices, the private key would be protected by the device's hardware-backed keystore
  245. flow which, one may argue, provides better security
  246. lovetox The XEP allows to add no xmpp addr into the cert
  247. lovetox not sure i can impl that
  248. lovetox hm but even with cert i still have to bind the jid
  250. lovetox hm no we can only bind a resource
  252. lovetox not the full jid
  253. lovetox so i have to check if the server bound the jid i expected
  254. lovetox meh
  255. flow lovetox, that is *always* the case
  256. jonas’ I *think* there’s been cases in the past where the server bound you to a different JID than your SASL username + domain
  257. lovetox i don't know how clients deal with that, if i read the rfcs it seems the client should not expect any specific JID
  258. flow lovetox, from a protocol POV the SASL username and your JID are unrelated
  259. lovetox yeah ..
  260. flow lovetox, why do clients have to deal with it?
  261. lovetox i'm not sure this was taken into account in all parts of the code
  262. flow in smack, when we need to persist data related to a JID, we only create the persistent store after the connection was authenticated at least once
  263. lovetox in Gajim i have a account name, and its not the JID
  264. lovetox so thats good
  265. lovetox data are mostly stored under that account name
  266. lovetox but i just have to look through the codebase if somewhere i depend on the JID being always bound to the same account
  267. lovetox at least gajim has anonymous login support, and with anonymous you get a different jid on every connect
  268. lovetox so if that works it looks at least good
  270. lovetox but for example with omemo i publish keys to my pep node which is linked to the JID
  271. lovetox so it would make no sense to save the omemo related keys and data under an Account Name that is not tied to a JID
  272. lovetox but i know i fucked up when i named the database file for omemo after the JID
  273. lovetox probably JIDs can have chars that are not supported as filename
  292. Zash Filenames on Linux tend to be opaque binary data with the only restrictions that they can't contain '/' or '\0'
  293. Zash Windows and Mac will have opinions tho
  294. jonas’ plus length restrictions
  295. Ge0rG Luckily python has solved the filename to unicode string mapping in an easy and compatible way.
  296. Ge0rG walks himself out
  297. Zash The Mercurial developers would like a word
  298. jonas’ Ge0rG, IIRC we figured out that was true
  299. jonas’ (for a recent enough python 3)
  300. Ge0rG jonas’: yes, but only by applying a very sophisticated hack
  301. Ge0rG where you do a bijective mapping of all non-utf8 byte sequences into a reserved unicode block, or somesuch
  302. Zash what the
  305. Ge0rG Zash: https://www.python.org/dev/peps/pep-0540/
  306. Ge0rG or rather, https://www.python.org/dev/peps/pep-0383/
  309. jonas’ into a unicode block reserved for this purpose