XMPP Service Operators - 2018-01-08

  1. kmq

    Anyone in here from zom.im? I have a user reporting strange TLS certificates for conference.zom.im

  2. Zash

    Bunneh: certinfo conference.zom.im

  3. Bunneh

    Zash: conference.zom.im has a valid certificate issued by Let's Encrypt Authority X3

  4. Ge0rG

    curve parameters!

  5. Zash

    Curve parameters?

  6. kmq

    yeah, I checked. They received an "unknown certificate authority" error, the screenshot they sent said it's by Let's Encrypt and the certificate has different SHA256 and SHA1 from the ones I tried to verify manually

  7. Zash

    Could they be at some place with a corporate MITM proxy?

  8. kmq

    It was their home wifi

  9. kmq

    I've instructed them to scroll down the popup and see if I can get the fingerprints of the CA certificate that was used

  10. kmq

    that can't be due to a bad wifi dropping packets though. That would break the TLS connection beforehand, right?

  11. Zash

    Why does a user see a certificate for *conference*.zom.im?

  12. kmq

    I do not know.

  13. kmq

    I'll write to zom support and ask them if they know what's up

  14. kmq

    because of this: "X509v3 Subject Alternative Name: DNS:conference.zom.im, DNS:home.zom.im"

  15. kmq

    the popup just hides a lot of the data

  16. Zash

    Huh, not just "zom.im"?

  17. kmq

    no. the account is @home.zom.im as well

  18. kmq

    was surprised also

  19. Zash

    -certinfo home.zom.im

  20. Bunneh

    Zash: home.zom.im has a valid certificate issued by Let's Encrypt Authority X3

  21. Zash

    -certsans home.zom.im

  22. Bunneh

    Zash: home.zom.im has subjectAlternativeNames: { dNSName = { "conference.zom.im"; "home.zom.im" } }

  23. Zash

    Looks like it's fine from here

  24. kmq

    looks fine from here as well. So either there is a problem in time and it happened yesterday, or in space and I'll have to swing by their wifi to see if I can reproduce.