-
lovetox
how does auth with client cert work?
-
lovetox
is there a rfc or xep on that?
-
Link Mauve
XEP-0257 might tell you about it.
-
Link Mauve
Maybe more XEP-0178.
-
lovetox
thanks
-
lovetox
ok i want to test that on my server, what would i use to create a CA cert on the server then sign a user cert with it?
-
lovetox
i guess i can do this with openssl
-
pep.
Creating a CA cert yes for sure. Have a look into easy-something, what was it again, I think it comes packaged with openvpn
-
pep.
Helpers to create self-signed CA etc.
-
pep.
easy-rsa
-
pep.
https://github.com/OpenVPN/easy-rsa. Or ride the openssl like a warrior
-
adrien
Hello, I'm pending some time on a little xmpp client project to do my own pubsub explorer. Actually, I'm able to connect to my server and I'm working with libxml2++. libxml2++ is a bit hard to use, because almost every object of this libxml2 wrapper isn't copyable. So, I'm looking for another XML parser and I've found that some people use directly XML Schema to automatically parse and create c++ objects (see https://codesynthesis.com/products/xsd/). Do you think, that's a good option to work directly with rfc/xep provided xsd files ?
-
Syndace
Hi adrien, sorry to disappoint you but the XSD's are not always accurate and are not normative either. You will most probably run into issues when using them.
-
Syndace
Also, do you write the pubsub explorer for fun or because you need it for something else?
-
Link Mauve
adrien, in xmpp-parsers (https://crates.io/crates/xmpp-parsers) I’ve been trying to automatically create parsers and serialisers for all relevant XMPP stanzas and payloads.
-
Link Mauve
I couldn’t use schemas because they aren’t strict enough for Rust in their types.
-
mathieui
lovetox, Link Mauve told me you were trying to setup a CA and stuff for SASL EXTERNAL; I have never done it for poezio because the supported use case was only use with custom certs through XEP-0257
-
mathieui
if you really need it I could find generatl documentation as I have to fiddle with CAs and X.509 certs at work too
-
lovetox
mathieui, that would be great, otherwise i dont know how long i have to spend to get this right, never created a cert
-
lovetox
Gajim supports that forever
-
lovetox
i just need to test it now to see if it even works
-
adrien
@Syndace that's for fun to try to write application with modern c++
-
adrien
Thanks, for the advice about the xsd, so I won't try to use them directyl
-
mathieui
lovetox, I think I have this https://gist.github.com/mtigas/952344 that should cover most of what you want
-
mathieui
(for XEP-0257 setups you only need to generate a self-signed cert, that’s easier, but if you have the server setup with a CA and everything, that page should cover most of it)
-
Link Mauve
adrien, maybe have a look at Swiften, it also has such XMPP parsers and is written in modern C++.
-
lovetox
thanks mathieui
-
lovetox
just to be correct, gajim does not support 257, the cert management stuff
-
lovetox
i just want to connect using a client cert
-
pep.
lovetox, have you looked into easy-rsa?
-
mathieui
ok, then either you need the server setup, or you use another client supporting 0257 to set your cert, then use gajim to connect
-
lovetox
ok maybe i misunderstand something, i thought i can just add a cert to the trust store on the server
-
lovetox
and if some client auths with a cert that was signed by that cert
-
lovetox
the server says: ok
-
lovetox
so i thought i create a self signed cert, add it to the server
-
lovetox
then sign another cert, and give it to the user
-
lovetox
is that not how it works?
-
mathieui
lovetox, on prosody I guess you can just use https://modules.prosody.im/mod_auth_ccert.html and add your CA to the server, then connect using a client signed with it, I don’t know how much of https://xmpp.org/extensions/xep-0178.html is implemented in there
-
mathieui
For 0257 auth there is https://modules.prosody.im/mod_client_certs.html
-
lovetox
yes exactly thats what im planning to do
-
lovetox
but does your doc also cover that?
-
lovetox
so i need to create a CA cert, then sign one other cert
-
lovetox
is a CA cert in any way special? or is it just a cert that signed another cert
-
Zash
A CA cert is a self-signed cert.
-
pep.
Zash, "it depends"? Somewhere on top of the chain there is a self-signed cert :p
-
Zash
Semantics?
-
Zash
I guess you could call the intermediate certs CA certs too
-
pep.
Yes and they wouldn't be self-signed :-°
-
Zash
There's an CA:TRUE flag in the cert data structure on the root certs
-
mathieui
lovetox, yes, it is a self signed-cert
-
mathieui
FYI for XMPP you might need to use a .cnf similar to the one in https://modules.prosody.im/mod_client_certs.html to generate the CSR
-
Zash
Does the client cert get sent encrypted yet?
-
defanor
GnuTLS's certtool is handy for that too: `certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca-cert.pem` and answering a few questions to generate a CA certificate, then `certtool --generate-certificate --load-privkey key.pem --outfile cert.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem` to generate a client certificate signed with it, if you're okay with setting `certificate_match = "email"` for
-
defanor
Prosody's ccert.
-
lovetox
but it says --load-privkey ca-key.pem
-
lovetox
so i need first to generate that or?
-
Zash
mod_auth_ccert works with CA-issued client certificates, not self-signed, so yes, you need a CA
-
Zash
also no password auth at all iirc
-
pep.
ca-key.pem is probably easily generated with `openssl genrsa -out ca-key.pem 2048 or 4096`
-
pep.
Or other key types
-
defanor
Indeed, or `certtool --generate-privkey --outfile ca-key.pem`
-
defanor
(Likewise with key.pem.)
-
lovetox
ok, i went with mathieui link and seems to work fine thanks for all the suggestions
-
lovetox
ok last thing can somebody help with that
-
lovetox
it is encapsulated as an id-on-xmppAddr Object Identifier ("xmppAddr"), i.e., a subjectAltName entry of type otherName with an ASN.1 Object Identifier of "id-on-xmppAddr"
-
lovetox
so i need to add this to the openssl req?
-
lovetox
but how exactly, sounds lot more complicated than it probably is
-
Zash
lovetox: https://modules.prosody.im/mod_client_certs.html#generating-your-certificate
-
Zash
That has example conf
-
Zash
Just gotta figure out how to do that in a CA scenario instead of self-signed
-
lovetox
thanks
-
lovetox
hm interesting, so the server should bind the jid thats in the cert
-
lovetox
so if the client selects another cert he has suddenly a different jid in the client
-
lovetox
seems troublesome
-
Zash
lovetox: If you're using CA-issued certs then the CA would be responsible for checks checking that the certificate identity matches.
-
lovetox
matches a account on the server
-
lovetox
i think from a client point of view
-
Zash
Doesnt't strictly have to be the JID in the cert, as long as the server can match it with a local account.
-
lovetox
and what this means for the UI if the user can just change the jid with selecting another cert
-
Zash
Assuming here the CA issues them multiple certs
-
Zash
Having multiple accounts would mean multiple certs. No different from having multiple accounts with different passwords.
-
lovetox
yes, but that means i should only allow the user to set the cert in the account creation workflow in the client
-
lovetox
and not as a kind of setting within the account to chnage the cert
-
lovetox
or if, then only if the new cert matches the jid of the old
-
Zash
You'd need some way to replace it when the cert expires and gets renewed
-
lovetox
ok so i have to have that check
-
lovetox
if he selects one with another jid, i tell him go to account creation wizard and add another account
-
lovetox
is this something companys use?
-
Zash
Don't know for sure, but that seems likely.
-
lovetox
and on the pros are listed user has to type no password
-
lovetox
are such certs issued usually without password?
-
Zash
They might need to unlock the private key somehow
-
flow
hopefully they do
-
lovetox
so no password is the standard
-
lovetox
but i have to expect one that needs a password
-
flow
you wouldn't want your private ssh key unprotected on disk either
-
lovetox
but the argument is, you issue per device certs than✎ -
lovetox
but the argument is, you issue per device certs then ✏
-
lovetox
and if you lose the cert you deactivate it
-
flow
right, but hopefully the per device cert is also protected on the device
-
Zash
you'd revoke it or someuch
-
flow
and be it android's full device encryption
-
lovetox
just saying if the user has a password for the cert, then why not just use that password to login into the account
-
lovetox
why the hassle with the certs
-
flow
so in any scenario, "no password" shouldn't true, it just depends on when and how often you enter the password
-
flow
lovetox, well 1. per device tokens 2. stronger couplying with the TLS layer✎ -
flow
lovetox, well 1. per device tokens 2. stronger coupling with the TLS layer ✏
-
flow
and on (modern) android devices, the private key would be protected by the device's hardware-backed keystore
-
flow
which, one may argue, provides better security
-
lovetox
The XEP allows to add no xmpp addr into the cert
-
lovetox
not sure i can impl that
-
lovetox
hm but even with cert i still have to bind the jid
-
lovetox
hm no we can only bind a resource
-
lovetox
not the full jid
-
lovetox
so i have to check if the server returned bound the jid i expected
-
lovetox
meh
-
flow
lovetox, that is *always* the case
-
jonas’
I *think* there’s been cases in the past where the server bound you to a different JID than your SASL username + domain
-
lovetox
i dont know how clients deal with that, if i read the rfcs it seems the client should not expect any specific JID
-
flow
lovetox, from a protocol POV the SASL username and your JID are unrelated
-
lovetox
yeah ..
-
flow
lovetox, why do clients have to deal with it?
-
lovetox
im not sure this was taken into account in all parts of the code
-
flow
in smack, when we need to persist data related to a JID, we only create the persistent store after the connection was authenticated at least once
-
lovetox
in Gajim i have a account name, and its not the JID
-
lovetox
so thats good
-
lovetox
data are mostly stored under that account name
-
lovetox
but i just have to look through the codebase if somewhere i depend on the JID beeing always bound to the same account
-
lovetox
at least gajim has anonymous login support, and with anonymous you get a different jid on every connect
-
lovetox
so if that works it looks at least good
-
lovetox
but for example with omemo i publish keys to my pep node which is linked to the JID
-
lovetox
so it would make no sense to save the omemo related keys and data under an Account Name that is not tied to a JID
-
lovetox
but i know i fucked up when i named the database file for omemo after the JID
-
lovetox
probably JIDs can have chars that are not supported as filename
-
Zash
Filenames on Linux tend to be opaque binary data with the only restrictions that they can't contain '/' or '\0'
-
Zash
Windows and Mac will have opinions tho
-
jonas’
plus length restrictinos
-
Ge0rG
Luckily python has solved the filename to unicode string mapping in an easy and compatible way.
- Ge0rG walks himself out
-
Zash
The Mercurial developers would like a word
-
jonas’
Ge0rG, IIRC we figured out that was true
-
jonas’
(for a recent enough python 3)
-
Ge0rG
jonas’: yes, but only by applying a very sophisticated hack
-
Ge0rG
where you do a bijective mapping of all non-utf8 byte sequences into a reserved unicode block, or somesuch
-
Zash
what the
-
Ge0rG
Zash: https://www.python.org/dev/peps/pep-0540/
-
Ge0rG
or rather, https://www.python.org/dev/peps/pep-0383/
-
jonas’
into a unicode block reserved for this purpose