XMPP Service Operators - 2020-11-17


  1. Arne

    Hey, because of the coming letsencrypt change next year, can anyone recommend a certificate for xmpp and websites?

  2. Ge0rG

    Arne: letsencrypt

  3. Arne

    so keep letsencrypt?

  4. Arne

    I thought about buying a cert

  5. Ge0rG

    Arne: to achieve what?

  6. Arne

    to avoid compatibility problems

  7. Ge0rG

    with Android < 7?

  8. Ge0rG

    Arne: have you seen https://github.com/xsf/xmpp.org/pull/836/commits/a305cbcdcd41b715bd6c90e61ad0c22f0966c11d

  9. Arne

    yes. Thanks, didn't see this

  10. mjk

    Arne:
    > to avoid compatibility problems
    This time around? CA certs do expire sooner or later, that's what certs do. You can postpone the switch from DST (which expires September '21) with an option in certbot

  11. Ge0rG

    mjk: from January to September, yes.

  12. Ge0rG

    I'm pretty sure the number of outdated Android devices won't move significantly down from 33%

  13. mjk

    Yep. But maybe it would make Arne feel better :)

  14. mjk

    And, more importantly, give time for users to solve the issue (e.g. installing the ISRG cert)

  15. Ge0rG

    mjk: which is why we are going to recommend that in the XMPP Newsletter

  16. mjk

    Right.

  17. Arne

    > mjk wrote:
    > Arne:
    > This time around? CA certs do expire sooner or later, that's what certs do.
    > You can postpone the switch from DST (which expires September '21) with an option in certbot
    That's not the problem. I wrote an automation script for that. I was just worried about
    > Let's Encrypt announced to [switch away from their Root CA certificate cross-signed by IdenTrust](https://letsencrypt.org/2020/11/06/own-two-feet.html). This means that old client devices (especially the roughly one third of Android phones running Android 7.0 and older) will consider Let's Encrypt certificates issued after January 11th 2021 as untrustworthy. This problem will not go away, as the IdenTrust cross-signed certificate will expire in September, but there are some possible mitigations:
    > - For users: it is possible, but not very straight-forward to [add the new Root CA certificate to the system trust store](https://stackoverflow.com/a/22040887/)
    > - Client developers can bundle the new [ISRG Root X1](https://letsencrypt.org/certificates/) certificate with the app, or implement a manual CA approval mechanism like [MemorizingTrustManager](https://github.com/ge0rg/MemorizingTrustManager)
    > - Server operators can use the ["alternate" option](https://community.letsencrypt.org/t/transition-to-isrgs-root-delayed-until-jan-11-2021/125516) between January and September to obtain certificates signed by the old IdenTrust-based root.

  18. mjk

    Arne: right, and I was suggesting you can (and probably should) postpone the switch from IdenTrust (DST) to ISRG for the chain of trust of _your_ certs (until the DST cert expires too 8 months later), by using an option in your acme client (probably certbot). The details of configuration elude me, but the xsf article has a link to LE's docs.

  19. Martin

    > Arne:
    > This time around? CA certs do expire sooner or later, that's what certs do.
    > You can postpone the switch from DST (which expires September '21) with an option in certbot
    A switch which is not in buster's certbot. 😉

  20. mjk

    Great

  21. Arne

    ah I understand. I'm not using certbot but I guess I can do it somehow nevertheless. Btw. are there any advantages of a bought certificate?

  22. Ge0rG

    no

  23. Ge0rG

    well, there are some advantages for the CA that you gave money

  24. Ge0rG

    the business model is indistinguishable from extortion

  25. Arne

    :D

  26. Arne

    Alright, thanks for this information!

  27. tom

    Arne: if it helps a lot of browsers have support for importing cacerts themselves if you just link to the file. Firefox for sure

  28. Ge0rG

    tom: but browsers don't do xmpp

  29. tom

    No I don't think there are any advantages to getting a paid cert, unless you pay for an Extended Validation cert which costs extra money and requires a thorough background check that usually only banks get

  30. tom

    Ge0rG: XMPP clients use the system certificate store, which some browsers are able to append to

  31. Ge0rG

    tom: this is news to me, unless you are speaking of MSIE

  32. tom

    I have not explored the idea fully, I know MSIE is one such browser that is used that way, and have personally used it to allow corporate clients to connect to a company-CA-signed VPN and IRC network

  33. Ge0rG

    that's because MSIE is part of the OS ;)

  34. tom

    Firefox can do this too: if you click on a link to a CA .pem file it opens up a special dialog, but I don't know if it places the cert in a user home directory version of /etc/ca-certificates or if it is only accessible to Firefox

  35. jonas’

    the latter

  36. Licaon_Kter

    Do this? https://www.stoutner.com/lets-encrypt-isrg-root-x1-and-privacy-browser/

  37. TMakarios

    > tom wrote:
    > XMPP clients use the system certificate store...
    Don't some clients (e.g., Conversations and derivatives) have the option of using DANE instead? But this might not be enough if some of your users are using clients that don't support DANE, and those that do might need to flip a switch in "expert settings".

  38. tom

    I think that's really just down to the tls crypto implementation

  39. tom

    Being used

  40. tom

    Though about DANE, not related to the topic at hand but I don't think DANE is very good. At least not used solely alone. It just changes the root of trust from certificate authorities to domain registrars, which are often less trustworthy than CAs