jdev - 2021-02-02


  1. debacle

    Asking around... Has somebody experience with client certificates (0178)? If so, which server, which client? I need "something" to get started, but no drugs please, just a hint.

  2. debacle

    Asking around... Has somebody experience with client certificates (XEP-0178)? If so, which server, which client? I need "something" to get started, but no drugs please, just a hint.

  3. Sam Whited

    I just recently started an implementation of this if you have specific questions. I haven't done the verification properly because I want to upstream that into the X509 library I'm using, but I think I've done most of the XMPP-specific bits

  4. Kev

    M-Link and Swift both do cert auth. M-Link doesn't help you much I guess, but Swift might.

  5. debacle

    Sam Whited Kev So far I'm probably just too stupid to configure ejabberd properly to accept a cert login from Gajim. But I'll try with Swift - at least that would make it easier to find the culprit.

  6. debacle

    Kev OK, it doesn't work with either Gajim or Swift, so the under-educated server admin (myself) is probably to blame.

  7. debacle

    I probably totally misconfigured ejabberd. Now I'll try to totally misconfigure prosody.

  8. lovetox

    debacle, i once wanted to test Gajim's impl and set up my server with certs and client certs

  9. lovetox

    shit is too complicated

  10. debacle

    lovetox Yes, I wouldn't ask my aunt to do it ;-)

  11. debacle

    So you did not succeed?

  12. lovetox

    i removed client cert support from Gajim, i hope that answers your question

  13. debacle

    lovetox I hope it comes back one day.

  14. lovetox

    if you succeed in setting up a test server it might :D

  15. debacle

    lovetox I'm not sure yet ;-)

  16. mathieui

    lovetox, prosody with mod_client_certs works, afaik

  17. mathieui

    (but that’s for XEP-0257)

  18. mathieui

    using client certs works in slixmpp afaik, I implemented it in poezio a long time ago

  19. moparisthebest

    but does anyone use it

  20. moparisthebest

    do browsers still support client cert authentication? I only know that existed because startssl did it, anyone remember that?

  21. mathieui

    I don’t know, but it seems like a nice alternative to passwords, though it would be nice if you could specify an access model

  22. mathieui

    moparisthebest, they certainly do

  23. moparisthebest

    only service I've ever known to do it

  24. lovetox

    mathieui, setting up the server is only half the task

  25. lovetox

    you also need to generate valid certs

  26. lovetox

    for the client

  27. lovetox

    who the fuck knows how to do that :)

  28. mathieui

    lovetox, not really, afair XEP-0257 does not care about what’s in the cert if I remember correctly

  29. mathieui

    lovetox, not really, afair XEP-0257 does not care about what’s in the cert

  30. mathieui

    Also, yes, X.509 authentication in browser is still very much used in corporate land

  31. mathieui

    (the product we sell at work has X.509 browser authentication, and we will never drop it because clients actually care)

  32. moparisthebest

    interesting, thanks!

  33. moparisthebest

    I thought all corporate world today did was fancy microsoft-azure-single-sign-on stuff

  34. mathieui

    (the product we sell at work has X.509 browser authentication, and we will never drop it because customers actually care)

  35. Kev

    Yes, people definitely do still do cert-based authentication - but they're generally not people logging in to their personal chat account on the Internet :)

  36. debacle

    I like to use client certificates for XMPP IoT stuff, the "other" IoT, the one *with* security