-
mimi89999
Establishing a secure connection from emevth.no-ip.biz to lebihan.pl failed. Certificate hash: 8f290539741489af4dd385f82c0f285ebd77751f26c1d1d3112ee361b8dfd20b. Error with certificate 0: certificate has expired.
-
Licaon_Kter
The deadliest enemy...
-
moparisthebest
Dane and never expiring certs when
-
rozzin
moparisthebest: ... when?
-
moparisthebest
rozzin: how is tomorrow looking for you?
-
rozzin
moparisthebest: 😑️
-
rozzin
moparisthebest: TBH, I look forward to tomorrow with a sense of _existential dread_ more than anything, but the reasons for that are out of scope for this discussion... 😜️ What I meant was that I'm having trouble parsing and understanding your last line: "Dane and never expiring certs when". Like... was that a statement with a tail that fell off before it arrived?
-
moparisthebest
Ah, in response to a certificate expiring, I was lamenting that we could have permanently solved this problem already by moving to DANE pinning public keys and issuing our own certs with 100+ year expiry dates instead, but the whole public federation of XMPP servers would have to do it together hence the half-hearted "when" :)
-
rozzin
And then rely on certificate-revocations when the newbie server operators leak their keys 6 months in, I guess?
-
rozzin
And when they wholly abandon their "maybe running a server would be fun!" ideas after a year or 5, shut down their hosting, let the domain lapse... and then don't even bother informing their users.... Actually, revocations don't happen in that situation, so. 🤷️
-
rozzin
Not sure the expiries with something like Let's Encrypt really help that latter situation either.
-
moparisthebest
No, the "valid certs" just live in DNS at that point so no revocations required
-
moparisthebest
TTLs apply as usual
-
rozzin
I should admit that I'm really not up to speed on DANE 😅️
-
moparisthebest
The only problem is entire TLDs are stuck in the past and don't support DNSSEC at all, the biggest problem of which for XMPP is .im -.-
-
moparisthebest
So everyone just needs to abandon their .im domains first, then we can have nice things :)
-
Menel
Do really all have to change at once? Can't the server software have a check for it implemented and allow the conventional method or DANE to establish a connection?
-
rob
I think it could, no reason we couldn't add support for DANE in a given server ahead of others. But would require still supporting regular certs too
-
Menel
Yes.. But it's unlikely whole established networks change stuff like that on some effective date. Be it xmpp or http or whatever
-
Menel
So it must be both methods for some time and then after a long time discontinue the "legacy" method
-
rob
Permission to quit my job so I can do fun things like implement DANE support in prosody
-
MattJ
You mean https://modules.prosody.im/mod_s2s_auth_dane ?
-
rob
Oh neat 🤓
-
rob
But can I set two certificates, one used by the dane module and the other as default
-
rob
Or I guess you could just update the tlsa records when new certs are generated
-
Martin
Broke s2s to several servers when I tested it due to broken tlsa records.
-
rob
So a nice automated update method and fairly short TTL might be good
-
rob
But does the module allow fallback when dane isn't present?
-
Licaon_Kter
The key is under a fake rock near the backdoor, as usual.
-
moparisthebest
Yea existing servers can trust DANE today, but until they all or most do, no server can sanely avoid getting a letsencrypt cert altogether
-
jonas’
are muc.tigase.im operators around?
-
bung
Are blabber mucs closed?
-
neox
bung, were you living in a cave the last few months? 🤔️
-
bung
No, I say room
-
bung
Not server
-
neox
bung, well blabber mucs were on the blabber server, so?
-
bung
> neox wrote:
> bung, well blabber mucs were on the blabber server, so?

No
-
neox
bung, what do you mean by "blabber mucs" then ?
-
bung
> neox wrote:
> bung, what do you mean by "blabber mucs" then ?

Blabber support and dev room
-
neox
bung, ok : as I said it was xmpp:blabber-dev@conference.blabber.im?join and xmpp:blabber@conference.blabber.im?join (so located on blabber.im server)
-
neox
These mucs are now down forever, and I don't know if there are new rooms elsewhere
-
MattJ
xmpp:support@room.pix-art.de?join
-
MattJ
Is the new support room for the app
-
bung
But not working with my Phone
-
bung
I people
-
bung
Resolved