debacle: Asking around... Has somebody experience with client certificates (XEP-0178)? If so, which server, which client? I need "something" to get started, but no drugs please, just a hint.
Sam Whited: I just recently started an implementation of this if you have specific questions. I haven't done the verification properly because I want to upstream that into the X509 library I'm using, but I think I've done most of the XMPP-specific bits.
Kev: M-Link and Swift both do cert auth. M-Link doesn't help you much I guess, but Swift might.
debacle: Sam Whited, Kev: So far I'm probably just too stupid to configure ejabberd properly to accept a cert login from Gajim. But I'll try with Swift - at least that would make it easier to find the culprit.
debacle: Kev: OK, it doesn't work with either Gajim or Swift, so the under-educated server admin (myself) is probably to blame.
debacle: I probably totally misconfigured ejabberd. Now I'll try to totally misconfigure prosody.
lovetox: debacle, i once wanted to test Gajim's impl and set up my server with certs and client certs
lovetox: shit is too complicated
debacle: lovetox: Yes, I wouldn't ask my aunt to do it ;-)
debacle: So you did not succeed?
lovetox: i removed client cert support from Gajim, i hope that answers your question
debacle: lovetox: I hope it comes back one day.
lovetox: if you succeed in setting up a test server it might :D
debacle: lovetox: I'm not sure yet ;-)
mathieui: lovetox, prosody with mod_client_certs works, afaik
mathieui: (but that's for XEP-0257)
mathieui: using client certs works in slixmpp afaik, I implemented it in poezio a long time ago
moparisthebest: but does anyone use it
moparisthebest: do browsers still support client cert authentication? I only know that existed because startssl did it, anyone remember that?
mathieui: I don't know, but it seems like a nice alternative to passwords, though it would be nice if you could specify an access model
mathieui: moparisthebest, they certainly do
moparisthebest: only service I've ever known to do it
lovetox: mathieui, setting up the server is only half the task
lovetox: you also need to generate valid certs
lovetox: for the client
lovetox: who the fuck knows how to do that :)
mathieui: lovetox, not really, afair XEP-0257 does not care about what's in the cert
mathieui: Also, yes, X.509 authentication in browser is still very much used in corporate land
moparisthebest: I thought all corporate world today did was fancy microsoft-azure-single-sign-on stuff
mathieui: (the product we sell at work has X.509 browser authentication, and we will never drop it because customers actually care)
Kev: Yes, people definitely do still do cert-based authentication - but they're generally not people logging in to their personal chat account on the Internet :)
debacle: I like to use client certificates for XMPP IoT stuff, the "other" IoT, the one *with* security