debacle
Asking around... Has somebody experience with client certificates (XEP-0178)? If so, which server, which client? I need "something" to get started, but no drugs please, just a hint.
Sam Whited
I just recently started an implementation of this if you have specific questions. I haven't done the verification properly because I want to upstream that into the X509 library I'm using, but I think I've done most of the XMPP-specific bits.
Kev
M-Link and Swift both do cert auth. M-Link doesn't help you much I guess, but Swift might.
debacle
Sam Whited Kev So far I'm probably just too stupid to configure ejabberd properly to accept a cert login from Gajim. But I'll try with Swift - at least that would make it easier to find the culprit.
debacle
Kev OK, it works with neither Gajim nor Swift, so the under-educated server admin (myself) is probably to blame.
debacle
I probably totally misconfigured ejabberd. Now I'll try to totally misconfigure prosody.
lovetox
debacle, I once wanted to test Gajim's impl and set up my server with certs and client certs
lovetox
shit is too complicated
debacle
lovetox Yes, I wouldn't ask my aunt to do it ;-)
debacle
So you did not succeed?
lovetox
I removed client cert support from Gajim, I hope that answers your question
debacle
lovetox I hope it comes back one day.
lovetox
if you succeed in setting up a test server it might :D
debacle
lovetox I'm not sure yet ;-)
mathieui
lovetox, prosody with mod_client_certs works, afaik
mathieui
(but that’s for XEP-0257)
mathieui
using client certs works in slixmpp afaik, I implemented it in poezio a long time ago
moparisthebest
but does anyone use it
moparisthebest
do browsers still support client cert authentication? I only know that existed because startssl did it, anyone remember that?
mathieui
I don’t know, but it seems like a nice alternative to passwords, though it would be nice if you could specify an access model
mathieui
moparisthebest, they certainly do
moparisthebest
only service I've ever known to do it
lovetox
mathieui, setting up the server is only half the task
lovetox
you also need to generate valid certs
lovetox
for the client
lovetox
who the fuck knows how to do that :)
mathieui
lovetox, not really, afair XEP-0257 does not care about what’s in the cert
mathieui
Also, yes, X.509 authentication in browser is still very much used in corporate land
moparisthebest
interesting, thanks!
moparisthebest
I thought all corporate world today did was fancy microsoft-azure-single-sign-on stuff
mathieui
(the product we sell at work has X.509 browser authentication, and we will never drop it because customers actually care)
Kev
Yes, people definitely do still do cert-based authentication - but they're generally not people logging in to their personal chat account on the Internet :)
debacle
I like to use client certificates for XMPP IoT stuff, the "other" IoT, the one *with* security