jdev - 2020-03-29

  43. lovetox

    how does auth with client cert work?

  44. lovetox

    is there an RFC or XEP on that?

  45. Link Mauve

    XEP-0257 might tell you about it.

  46. Link Mauve

    Maybe more XEP-0178.

  51. lovetox

    ok i want to test that on my server, what would i use to create a CA cert on the server then sign a user cert with it?

  54. lovetox

    i guess i can do this with openssl

  55. pep.

    Creating a CA cert yes for sure. Have a look into easy-something, what was it again, I think it comes packaged with openvpn

  56. pep.

    Helpers to create self-signed CA etc.

  58. pep.

    https://github.com/OpenVPN/easy-rsa. Or ride the openssl like a warrior

  126. adrien

    Hello, I'm spending some time on a little XMPP client project to do my own pubsub explorer. Actually, I'm able to connect to my server and I'm working with libxml2++. libxml2++ is a bit hard to use, because almost every object of this libxml2 wrapper isn't copyable. So, I'm looking for another XML parser and I've found that some people use XML Schema directly to automatically parse and create C++ objects (see https://codesynthesis.com/products/xsd/). Do you think that's a good option, to work directly with the RFC/XEP-provided xsd files?

  128. Syndace

    Hi adrien, sorry to disappoint you but the XSDs are not always accurate and are not normative either. You will most probably run into issues when using them.

  130. Syndace

    Also, do you write the pubsub explorer for fun or because you need it for something else?

  132. Link Mauve

    adrien, in xmpp-parsers (https://crates.io/crates/xmpp-parsers) I’ve been trying to automatically create parsers and serialisers for all relevant XMPP stanzas and payloads.

  133. Link Mauve

    I couldn’t use schemas because they aren’t strict enough for Rust in their types.

  135. mathieui

    lovetox, Link Mauve told me you were trying to set up a CA and stuff for SASL EXTERNAL; I have never done it for poezio because the supported use case was only use with custom certs through XEP-0257

  136. mathieui

    if you really need it I could find general documentation as I have to fiddle with CAs and X.509 certs at work too

  137. lovetox

    mathieui, that would be great, otherwise i don't know how long i have to spend to get this right, never created a cert

  138. lovetox

    Gajim supports that forever

  139. lovetox

    i just need to test it now to see if it even works

  143. adrien

    @Syndace that's for fun, to try to write an application with modern C++

  144. adrien

    Thanks for the advice about the XSD, so I won't try to use them directly

  145. mathieui

    lovetox, I think I have this https://gist.github.com/mtigas/952344 that should cover most of what you want

  148. mathieui

    (for XEP-0257 setups you only need to generate a self-signed cert, that’s easier, but if you have the server setup with a CA and everything, that page should cover most of it)

  149. Link Mauve

    adrien, maybe have a look at Swiften, it also has such XMPP parsers and is written in modern C++.

  151. lovetox

    thanks mathieui

  152. lovetox

    just to be correct, gajim does not support 257, the cert management stuff

  153. lovetox

    i just want to connect using a client cert

  154. pep.

    lovetox, have you looked into easy-rsa?

  155. mathieui

    ok, then either you need the server setup, or you use another client supporting 0257 to set your cert, then use gajim to connect

  156. lovetox

    ok maybe i misunderstand something, i thought i can just add a cert to the trust store on the server

  157. lovetox

    and if some client auths with a cert that was signed by that cert

  158. lovetox

    the server says: ok

  159. lovetox

    so i thought i create a self signed cert, add it to the server

  160. lovetox

    then sign another cert, and give it to the user

  161. lovetox

    is that not how it works?

  162. mathieui

    lovetox, on prosody I guess you can just use https://modules.prosody.im/mod_auth_ccert.html and add your CA to the server, then connect using a client signed with it, I don’t know how much of https://xmpp.org/extensions/xep-0178.html is implemented in there

  163. mathieui

    For 0257 auth there is https://modules.prosody.im/mod_client_certs.html

  164. lovetox

    yes, exactly, that's what I'm planning to do

  165. lovetox

    but does your doc also cover that?

  166. lovetox

    so i need to create a CA cert, then sign one other cert

  167. lovetox

    is a CA cert in any way special? or is it just a cert that signed another cert

  168. Zash

    A CA cert is a self-signed cert.

  169. pep.

    Zash, "it depends"? Somewhere on top of the chain there is a self-signed cert :p

  171. Zash

    I guess you could call the intermediate certs CA certs too

  172. pep.

    Yes and they wouldn't be self-signed :-°

  173. Zash

    There's a CA:TRUE flag in the cert data structure on the root certs

  174. mathieui

    lovetox, yes, it is a self-signed cert

  175. mathieui

    FYI for XMPP you might need to use a .cnf similar to the one in https://modules.prosody.im/mod_client_certs.html to generate the CSR

  176. Zash

    Does the client cert get sent encrypted yet?

  184. defanor

    GnuTLS's certtool is handy for that too: `certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca-cert.pem` and answering a few questions to generate a CA certificate, then `certtool --generate-certificate --load-privkey key.pem --outfile cert.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem` to generate a client certificate signed with it, if you're okay with setting `certificate_match = "email"` for Prosody's ccert.

  189. lovetox

    but it says --load-privkey ca-key.pem

  190. lovetox

    so i need first to generate that or?

  191. Zash

    mod_auth_ccert works with CA-issued client certificates, not self-signed, so yes, you need a CA

  192. Zash

    also no password auth at all iirc

  193. pep.

    ca-key.pem is probably easily generated with `openssl genrsa -out ca-key.pem 2048` (or 4096)

  194. pep.

    Or other key types

  195. defanor

    Indeed, or `certtool --generate-privkey --outfile ca-key.pem`

  196. defanor

    (Likewise with key.pem.)

  197. lovetox

    ok, i went with mathieui's link and it seems to work fine, thanks for all the suggestions

  198. lovetox

    ok last thing can somebody help with that

  199. lovetox

    it is encapsulated as an id-on-xmppAddr Object Identifier ("xmppAddr"), i.e., a subjectAltName entry of type otherName with an ASN.1 Object Identifier of "id-on-xmppAddr"

  200. lovetox

    so i need to add this to the openssl req?

  201. lovetox

    but how exactly, sounds a lot more complicated than it probably is

  202. Zash

    lovetox: https://modules.prosody.im/mod_client_certs.html#generating-your-certificate

  203. Zash

    That has example conf

  204. Zash

    Just gotta figure out how to do that in a CA scenario instead of self-signed

  206. lovetox

    hm interesting, so the server should bind the jid that's in the cert

  207. lovetox

    so if the client selects another cert he has suddenly a different jid in the client

  208. lovetox

    seems troublesome

  209. Zash

    lovetox: If you're using CA-issued certs then the CA would be responsible for checking that the certificate identity matches.

  210. lovetox

    matches an account on the server

  211. lovetox

    i think from a client point of view

  212. Zash

    Doesn't strictly have to be the JID in the cert, as long as the server can match it with a local account.

  213. lovetox

    and what this means for the UI if the user can just change the jid with selecting another cert

  214. Zash

    Assuming here the CA issues them multiple certs

  215. Zash

    Having multiple accounts would mean multiple certs. No different from having multiple accounts with different passwords.

  216. lovetox

    yes, but that means i should only allow the user to set the cert in the account creation workflow in the client

  217. lovetox

    and not as a kind of setting within the account to change the cert

  218. lovetox

    or if, then only if the new cert matches the jid of the old

  219. Zash

    You'd need some way to replace it when the cert expires and gets renewed

  221. lovetox

    ok so i have to have that check

  222. lovetox

    if he selects one with another jid, i tell him go to account creation wizard and add another account

  223. lovetox

    is this something companies use?

  224. Zash

    Don't know for sure, but that seems likely.

  225. lovetox

    and in the pros it's listed that the user has to type no password

  226. lovetox

    are such certs issued usually without password?

  227. Zash

    They might need to unlock the private key somehow

  228. flow

    hopefully they do

  229. lovetox

    so no password is the standard

  230. lovetox

    but i have to expect one that needs a password

  231. flow

    you wouldn't want your private ssh key unprotected on disk either

  233. lovetox

    but the argument is, you issue per device certs then

  234. lovetox

    and if you lose the cert you deactivate it

  235. flow

    right, but hopefully the per device cert is also protected on the device

  236. Zash

    you'd revoke it or somesuch

  237. flow

    and be it android's full device encryption

  238. lovetox

    just saying if the user has a password for the cert, then why not just use that password to login into the account

  239. lovetox

    why the hassle with the certs

  240. flow

    so in any scenario, "no password" shouldn't be true, it just depends on when and how often you enter the password

  242. flow

    lovetox, well 1. per device tokens 2. stronger coupling with the TLS layer

  243. flow

    and on (modern) android devices, the private key would be protected by the device's hardware-backed keystore

  245. flow

    which, one may argue, provides better security

  246. lovetox

    The XEP allows adding no xmpp addr to the cert

  247. lovetox

    not sure i can impl that

  248. lovetox

    hm but even with cert i still have to bind the jid

  250. lovetox

    hm no we can only bind a resource

  252. lovetox

    not the full jid

  253. lovetox

    so i have to check if the server bound the jid i expected

  255. flow

    lovetox, that is *always* the case

  256. jonas’

    I *think* there’s been cases in the past where the server bound you to a different JID than your SASL username + domain

  257. lovetox

    i don't know how clients deal with that, if i read the RFCs it seems the client should not expect any specific JID

  258. flow

    lovetox, from a protocol POV the SASL username and your JID are unrelated

  259. lovetox

    yeah ..

  260. flow

    lovetox, why do clients have to deal with it?

  261. lovetox

    i'm not sure this was taken into account in all parts of the code

  262. flow

    in smack, when we need to persist data related to a JID, we only create the persistent store after the connection was authenticated at least once

  263. lovetox

    in Gajim i have an account name, and it's not the JID

  264. lovetox

    so thats good

  265. lovetox

    data are mostly stored under that account name

  266. lovetox

    but i just have to look through the codebase if somewhere i depend on the JID being always bound to the same account

  267. lovetox

    at least gajim has anonymous login support, and with anonymous you get a different jid on every connect

  268. lovetox

    so if that works it looks at least good

  270. lovetox

    but for example with omemo i publish keys to my pep node which is linked to the JID

  271. lovetox

    so it would make no sense to save the omemo related keys and data under an Account Name that is not tied to a JID

  272. lovetox

    but i know i fucked up when i named the database file for omemo after the JID

  273. lovetox

    probably JIDs can have chars that are not supported as filename

  292. Zash

    Filenames on Linux tend to be opaque binary data with the only restrictions that they can't contain '/' or '\0'

  293. Zash

    Windows and Mac will have opinions tho

  294. jonas’

    plus length restrictions

  295. Ge0rG

    Luckily python has solved the filename to unicode string mapping in an easy and compatible way.

  296. Ge0rG walks himself out

  297. Zash

    The Mercurial developers would like a word

  298. jonas’

    Ge0rG, IIRC we figured out that was true

  299. jonas’

    (for a recent enough python 3)

  300. Ge0rG

    jonas’: yes, but only by applying a very sophisticated hack

  301. Ge0rG

    where you do a bijective mapping of all non-utf8 byte sequences into a reserved unicode block, or somesuch

  302. Zash

    what the

  305. Ge0rG

    Zash: https://www.python.org/dev/peps/pep-0540/

  306. Ge0rG

    or rather, https://www.python.org/dev/peps/pep-0383/

  309. jonas’

    into a unicode block reserved for this purpose
