-
Arne
Hey, because of the coming letsencrypt change next year, can anyone recommend a certificate for xmpp and websites?
-
Ge0rG
Arne: letsencrypt
-
Arne
so keep letsencrypt?
-
Arne
I thought about buying a cert
-
Ge0rG
Arne: to achieve what?
-
Arne
to avoid compatibility problems
-
Ge0rG
with Android < 7?
-
Ge0rG
Arne: have you seen https://github.com/xsf/xmpp.org/pull/836/commits/a305cbcdcd41b715bd6c90e61ad0c22f0966c11d
-
Arne
yes. Thanks, didn't see this
-
mjk
Arne:
> to avoid compatibility problems
This time around? CA certs do expire sooner or later, that's what certs do. You can postpone the switch from DST (which expires September '21) with an option in certbot
-
Ge0rG
mjk: from January to September, yes.
-
Ge0rG
I'm pretty sure the number of outdated Android devices won't move significantly down from 33%
-
mjk
Yep. But maybe it would make Arne feel better :)
-
mjk
And, more importantly, give time for users to solve the issue (e.g. installing the ISRG cert)
-
Ge0rG
mjk: which is why we are going to recommend that in the XMPP Newsletter
-
mjk
Right.
-
Arne
> mjk wrote:
> Arne:
> This time around? CA certs do expire sooner or later, that's what certs do.
> You can postpone the switch from DST (which expires September '21) with an option in certbot
That's not the problem. I wrote an automation script for that. I was just worried about
> Let's Encrypt announced to [switch away from their Root CA certificate cross-signed by IdenTrust](https://letsencrypt.org/2020/11/06/own-two-feet.html). This means that old client devices (especially the roughly one third of Android phones running Android 7.0 and older) will consider Let's Encrypt certificates issued after January 11th 2021 as untrustworthy. This problem will not go away, as the IdenTrust cross-signed certificate will expire in September, but there are some possible mitigations:
> - For users: it is possible, but not very straight-forward to [add the new Root CA certificate to the system trust store](https://stackoverflow.com/a/22040887/)
> - Client developers can bundle the new [ISRG Root X1](https://letsencrypt.org/certificates/) certificate with the app, or implement a manual CA approval mechanism like [MemorizingTrustManager](https://github.com/ge0rg/MemorizingTrustManager)
> - Server operators can use the ["alternate" option](https://community.letsencrypt.org/t/transition-to-isrgs-root-delayed-until-jan-11-2021/125516) between January and September to obtain certificates signed by the old IdenTrust-based root.
-
mjk
Arne: right, and I was suggesting you can (and probably should) postpone the switch from IdenTrust (DST) to ISRG for the chain of trust of _your_ certs (until the DST cert expires too 8 months later), by using an option in your acme client (probably certbot). The details of configuration elude me, but the xsf article has a link to LE's docs.
-
Martin
> Arne:
> This time around? CA certs do expire sooner or later, that's what certs do.
> You can postpone the switch from DST (which expires September '21) with an option in certbot
A switch which is not in buster's certbot. 😉
-
mjk
Great
-
Arne
ah I understand. I'm not using certbot but I guess I can do it somehow nevertheless. Btw. are there any advantages of a bought certificate?
-
Ge0rG
no
-
Ge0rG
well, there are some advantages for the CA that you gave money
-
Ge0rG
the business model is indistinguishable from extortion
-
Arne
:D
-
Arne
Alright, thanks for this information!
-
tom
Arne: if it helps, a lot of browsers have support for importing CA certs themselves if you just link to the file. Firefox for sure
-
Ge0rG
tom: but browsers don't do xmpp
-
tom
No I don't think there are any advantages to getting a paid cert, unless you pay for an Extended Validation cert which costs extra money and requires a thorough background check that usually only banks get
-
tom
Ge0rG: XMPP clients use the system certificate store, which some browsers are able to append to
-
Ge0rG
tom: this is news to me, unless you are speaking of MSIE
-
tom
I have not explored the idea fully. I know MSIE is one such browser that is used that way, and have personally used it to allow corporate clients to connect to a company-CA-signed VPN and IRC network
-
Ge0rG
that's because MSIE is part of the OS ;)
-
tom
Firefox can do this too: if you click on a link to a CA .pem file, it opens up a special dialog, but I don't know if it places the cert in a user-home-directory version of /etc/ca-certificates or if it is only accessible to Firefox
-
jonas’
the latter
-
Licaon_Kter
Do this? https://www.stoutner.com/lets-encrypt-isrg-root-x1-and-privacy-browser/
-
TMakarios
> tom wrote:
> XMPP clients use the system certificate store...
Don't some clients (e.g., Conversations and derivatives) have the option of using DANE instead? But this might not be enough if some of your users are using clients that don't support DANE, and those that do might need to flip a switch in "expert settings".
-
tom
I think that's really just down to the tls crypto implementation
-
tom
Being used
-
tom
Though about DANE, not related to the topic at hand but I don't think DANE is very good. At least not used solely alone. It just changes the root of trust from certificate authorities to domain registrars, which are often less trustworthy than CAs