-
debacle
Asking around... Has somebody experience with client certificates (XEP-0178)? If so, which server, which client? I need "something" to get started, but no drugs please, just a hint.
-
Sam Whited
I just recently started an implementation of this if you have specific questions. I haven't done the verification properly because I want to upstream that into the X509 library I'm using, but I think I've done most of the XMPP specific bits
-
Kev
M-Link and Swift both do cert auth. M-Link doesn't help you much I guess, but Swift might.
-
debacle
Sam Whited Kev So far I'm probably just too stupid to configure ejabberd properly to accept a cert login from Gajim. But I'll try with Swift - at least that would make it easier to find the culprit.
-
debacle
Kev OK, it works with neither Gajim nor Swift, so the under-educated server admin (myself) is probably to blame.
-
debacle
I probably totally misconfigured ejabberd. Now I'll try to totally misconfigure prosody.
-
lovetox
debacle, i once wanted to test Gajim's impl and set up my server with certs and client certs
-
lovetox
shit is too complicated
-
debacle
lovetox Yes, I wouldn't ask my aunt to do it ;-)
-
debacle
So you did not succeed?
-
lovetox
i removed client cert support from Gajim, i hope that answers your question
-
debacle
lovetox I hope it comes back one day.
-
lovetox
if you succeed in setting up a test server it might :D
-
debacle
lovetox I'm not sure yet ;-)
-
mathieui
lovetox, prosody with mod_client_certs works, afaik
-
mathieui
(but that’s for XEP-0257)
-
mathieui
using client certs works in slixmpp afaik, I implemented it in poezio a long time ago
-
moparisthebest
but does anyone use it
-
moparisthebest
do browsers still support client cert authentication? I only know that existed because startssl did it, anyone remember that?
-
mathieui
I don’t know, but it seems like a nice alternative to passwords, though it would be nice if you could specify an access model
-
mathieui
moparisthebest, they certainly do
-
moparisthebest
only service I've ever known to do it
-
lovetox
mathieui, setting up the server is only half the task
-
lovetox
you also need to generate valid certs
-
lovetox
for the client
-
lovetox
who the fuck knows how to do that :)
-
mathieui
lovetox, not really, afair XEP-0257 does not care about what’s in the cert
-
mathieui
Also, yes, X.509 authentication in browser is still very much used in corporate land
-
moparisthebest
interesting, thanks!
-
moparisthebest
I thought all corporate world today did was fancy microsoft-azure-single-sign-on stuff
-
mathieui
(the product we sell at work has X.509 browser authentication, and we will never drop it because customers actually care)
-
Kev
Yes, people definitely do still do cert-based authentication - but they're generally not people logging in to their personal chat account on the Internet :)
-
debacle
I like to use client certificates for XMPP IoT stuff, the "other" IoT, the one *with* security