ok i want to test that on my server, what would i use to create a CA cert on the server then sign a user cert with it?
lovetox
i guess i can do this with openssl
pep.
Creating a CA cert yes for sure. Have a look into easy-something, what was it again, I think it comes packaged with openvpn
pep.
Helpers to create self-signed CA etc.
pep.
easy-rsa
pep.
https://github.com/OpenVPN/easy-rsa. Or ride the openssl like a warrior
adrien
Hello,
I'm spending some time on a little XMPP client project to do my own pubsub explorer.
Actually, I'm able to connect to my server and I'm working with libxml2++.
libxml2++ is a bit hard to use, because almost every object of this libxml2 wrapper isn't copyable.
So, I'm looking for another XML parser and I've found that some people use directly XML Schema to automatically parse and create c++ objects (see https://codesynthesis.com/products/xsd/).
Do you think that's a good option, to work directly with the RFC/XEP-provided XSD files?
Syndace
Hi adrien, sorry to disappoint you but the XSD's are not always accurate and are not normative either. You will most probably run into issues when using them.
Syndace
Also, do you write the pubsub explorer for fun or because you need it for something else?
Link Mauve
adrien, in xmpp-parsers (https://crates.io/crates/xmpp-parsers) I’ve been trying to automatically create parsers and serialisers for all relevant XMPP stanzas and payloads.
Link Mauve
I couldn’t use schemas because they aren’t strict enough for Rust in their types.
mathieui
lovetox, Link Mauve told me you were trying to set up a CA and stuff for SASL EXTERNAL; I have never done it for poezio because the supported use case was only use with custom certs through XEP-0257
mathieui
if you really need it I could find general documentation, as I have to fiddle with CAs and X.509 certs at work too
lovetox
mathieui, that would be great, otherwise i don't know how long i have to spend to get this right, never created a cert
lovetox
Gajim supports that forever
lovetox
i just need to test it now to see if it even works
adrien
@Syndace that's for fun, to try to write an application with modern C++
adrien
Thanks for the advice about the XSD, so I won't try to use them directly
mathieui
lovetox, I think I have this https://gist.github.com/mtigas/952344 that should cover most of what you want
mathieui
(for XEP-0257 setups you only need to generate a self-signed cert, that’s easier, but if you have the server setup with a CA and everything, that page should cover most of it)
Link Mauve
adrien, maybe have a look at Swiften, it also has such XMPP parsers and is written in modern C++.
lovetox
thanks mathieui
lovetox
just to be correct, gajim does not support 257, the cert management stuff
lovetox
i just want to connect using a client cert
pep.
lovetox, have you looked into easy-rsa?
mathieui
ok, then either you need the server setup, or you use another client supporting 0257 to set your cert, then use gajim to connect
lovetox
ok maybe i misunderstand something, i thought i can just add a cert to the trust store on the server
lovetox
and if some client auths with a cert that was signed by that cert
lovetox
the server says: ok
lovetox
so i thought i create a self signed cert, add it to the server
lovetox
then sign another cert, and give it to the user
lovetox
is that not how it works?
mathieui
lovetox, on prosody I guess you can just use https://modules.prosody.im/mod_auth_ccert.html and add your CA to the server, then connect using a client signed with it, I don’t know how much of https://xmpp.org/extensions/xep-0178.html is implemented in there
mathieui
For 0257 auth there is https://modules.prosody.im/mod_client_certs.html
lovetox
yes exactly, that's what I'm planning to do
lovetox
but does your doc also cover that?
lovetox
so i need to create a CA cert, then sign one other cert
lovetox
is a CA cert in any way special? or is it just a cert that signed another cert
Zash
A CA cert is a self-signed cert.
pep.
Zash, "it depends"? Somewhere on top of the chain there is a self-signed cert :p
Zash
Semantics?
Zash
I guess you could call the intermediate certs CA certs too
pep.
Yes and they wouldn't be self-signed :-°
Zash
There's a CA:TRUE flag in the cert data structure on the root certs
mathieui
lovetox, yes, it is a self-signed cert
mathieui
FYI for XMPP you might need to use a .cnf similar to the one in https://modules.prosody.im/mod_client_certs.html to generate the CSR
Zash
Does the client cert get sent encrypted yet?
defanor
GnuTLS's certtool is handy for that too: `certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca-cert.pem` and answering a few questions to generate a CA certificate, then `certtool --generate-certificate --load-privkey key.pem --outfile cert.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem` to generate a client certificate signed with it, if you're okay with setting `certificate_match = "email"` for Prosody's ccert.
lovetox
but it says --load-privkey ca-key.pem
lovetox
so i need first to generate that or?
Zash
mod_auth_ccert works with CA-issued client certificates, not self-signed, so yes, you need a CA
Zash
also no password auth at all iirc
pep.
ca-key.pem is probably easily generated with `openssl genrsa -out ca-key.pem 2048 or 4096`
pep.
Or other key types
defanor
Indeed, or `certtool --generate-privkey --outfile ca-key.pem`
defanor
(Likewise with key.pem.)
lovetox
ok, i went with mathieui's link and it seems to work fine, thanks for all the suggestions
lovetox
ok last thing can somebody help with that
lovetox
it is encapsulated as an id-on-xmppAddr Object Identifier ("xmppAddr"), i.e., a subjectAltName entry of type otherName with an ASN.1 Object Identifier of "id-on-xmppAddr"
lovetox
so i need to add this to the openssl req?
lovetox
but how exactly? sounds a lot more complicated than it probably is