-
ibikk
Establishing a secure connection from jotwewe.de to p2.siacs.eu failed. Certificate hash: 6bb89cc5fa534e6c5cf98416c2ffe73b9d67691c. Error with certificate 0: certificate has expired.
-
ibikk
Holger?
-
mimi89999
Establishing a secure connection from lebihan.pl to p2.siacs.eu failed. Certificate hash: ae938b9fda5f1fd4c74303f94259fb7fb930f1434b50d72d745a5b3ecf15cce1. Error with certificate 0: certificate has expired.
-
Holger
ibikk, mimi89999: I'm not involved with p2.siacs.eu; anyway to me it looks like the actual certificate is fine, it's just that the LE chain that's cross-signed by the expired DST Root CA X3 is included.
-
Licaon_Kter
But why would mimi89999 ibikk see this now and not on Sep 30?
-
Holger
He should probably change that, but I guess it's been that way all the time?
-
Holger
Yeah, weird.
-
Holger
I (a) hate hate hate LE for that stunt and (b) personally just enable Dialback for such reasons so I keep having a hard-time motivating myself with spending lots of time on this crap ;-P
-
MattJ
But what breaks when that root is included? Only old/buggy software, right?
-
MattJ
E.g. old OpenSSL
-
mjk
> Certificate hash: 6bb89cc5fa534e6c5cf98416c2ffe73b9d67691c
> Certificate hash: ae938b9fda5f1fd4c74303f94259fb7fb930f1434b50d72d745a5b3ecf15cce1
Interesting.
-
Holger
MattJ: That's my understanding, yes.
-
Holger
mjk: What are those hashes?
-
Holger
Ah from above.
-
mjk
Curious why it's sha1 in one case and sha256(?) in the other
-
Holger
My servers are happy with p2.siacs.eu, FWIW.
-
Martin
Mine not.
-
ibikk
MattJ, Holger: the machine in question (hopefully) is not running old/buggy software, at least not an old openssl. debian 10 with its openssl 1.1.1d. So what can I do about it?
-
Martin
> Nov 17 09:25:01 s2sout56138c1a9f80 info Outgoing s2s stream mdosch.de->p2.siacs.eu closed: Your server's certificate has expired
-
Holger
Just to double check, this means mdosch.de is saying p2's certificate is expired, not vice-versa, right?
-
mjk
> Your server's certificate has expired
Aha. I suspected the difference in the hashes is because it's p2 that rejects the certs
-
Holger
FWIW I did this to check:
```
$ openssl s_client -showcerts -starttls xmpp-server -connect ganymede.siacs.eu:5269 -xmpphost p2.siacs.eu > /tmp/p2-chain.pem < /dev/null && openssl x509 -text -in /tmp/p2-chain.pem | less
```
-
mjk
The logging could be more clear about whose cert it's about
-
Martin
> Just to double check, this means mdosch.de is saying p2's certificate is expired, not vice-versa, right?
I think it's p2 complaining. Does it run on a very old android? 😲
-
Holger
p2 is also happy with my server's certs, so it's not that p2's clock is totally off or something.
-
Martin
Incoming s2s from p2 worked now.
-
mjk
Martin:
> Does it run on a very old android? 😲
Very old androids _wouldn't_ complain, that was the point of leaving the old root in the certs! :))
-
Martin
Maybe it stumbles on the isrg one which old androids don't recognize afaik.
-
Holger
Martin: The problem is new? No such complaints in yesterday's logs?
-
Holger
"expired" doesn't sound like stumbling over the new root.
-
mjk
Hmm. Is something trying to mitm p2.siacs.eu? :)
-
Martin
Only today.
-
Holger
mjk: The attacker got everything right except using the wrong LE chain!!!
-
mjk
Hah
-
Martin
BTW, why is p2.siacs.eu IPv4 only?
-
Holger
To not add even more complexity/uncertainty to such issues? 😂
-
Holger
(No idea.)
-
jonas’
Holger, and exclude users on v6-only services? :)
-
Holger
Those actually exist?
-
jonas’
I anticipate hetzner offering IPv6-only servers soon-ish, given that they now increased prices for all cloud boxes because of IPv4 shortage
-
jonas’
Holger, digital ocean smallest tier only comes with IPv6, too.
-
Holger
I guess once your support department is done responding to all your v4-only customers they should talk to the p2 operator :-)
-
jonas’
Holger, I *think* that my friends&family server would do just fine without IPv4.
-
jonas’
… not once the people leave their home, but still.
-
Martin
Not offering IPv6 seems like a weird choice in 2021. :(
-
jonas’
Martin, I guess the choice wasn't made in 2021 ;)
-
Martin
Not sure whether it was less weird in 2015 or so…
-
Holger
T-DSL is v4-only, for example. They have a few users in .de.
-
jonas’
Holger, is it?
-
Holger
But sure for family & friends you might be lucky.
-
Holger
Yes it is (I'm a customer myself).
-
jonas’
what is this, then? 2003:c2:7f19:8f00:74e0:7bda:f4cc:44/128
-
Martin
I don't understand v4-only arguments, as nobody suggests you drop v4. :D
-
Holger
Martin: I came up with an argument above.
-
jonas’
(is this the difference between DSL and VDSL? :))
- Martin uses Telekom himself and has v6 o.O
-
Ge0rG
Holger: maybe your router is v4 only?
-
Holger
But sure once there are v6-only services supporting those certainly makes sense :-)
-
Ge0rG
The literally only good thing one can say about DTAG is that they were fast to deploy IPv6
-
jonas’
though, my f&f server doesn't care about p2., because they're all running snikket anyway (and that *does* have v6 on its push servers)
-
Maranda
most of Italy's soho/sb internet offers don't provide IPv6 by default.
-
Maranda
That's entirely still optional
-
Ge0rG
I had to fight my ISP hard to get IPv4
-
Martin
Oh…
-
Martin
So, without fighting for v4 no Github for you. :P
-
Ge0rG
Martin: well, I had DS-Lite by default.
-
Maranda
But that's to say TIM owns Sparkle and Seabone so Italy has huge IPv4 address space allocations.
-
Ge0rG
Also why would I want github? All they serve is a nuclear waste dump called npm.
-
Link Mauve
Holger, I have quite a few IPv6-only instances, but then I don’t use Conversations.
-
Link Mauve
Although now that I have installed Android on some device, I could actually start testing this client!
-
Martin
Ge0rG: Doesn't yaxim live there too?
-
Holger
jonas', Martin, Ge0rG, hah interesting, web search says you're totally right. I'll try to figure out why _I_ don't have v6 then :-)
-
Holger
Link Mauve: I'm just assuming that you'll easily stumble over v4-only users if your instance isn't small/private.
-
Ge0rG
Holger: because you are using this?
-
Ge0rG
https://upload.wikimedia.org/wikipedia/commons/thumb/a/a8/Acoustic_modem_and_phone_plugged.jpg/220px-Acoustic_modem_and_phone_plugged.jpg
-
Martin
State of the art in Berlin…
-
Holger
Yes Bavaria doesn't pay us good enough for modern tech.
-
Holger
These days I'm just using a boring FRITZ!Box like the rest of the country. Docs sound like I need to enable v6 explicitly? In that case I'd be back to my assumption that half .de will be v4-only :-P
-
Holger
But I'll try not to spam this room with my router config issues.
-
Martin
We can't pay you more. Two years without Oktoberfest. Where shall the money come from if we can't loot the wallets of American, Australian and Italian tourists?
-
Martin
I have a Fritzbox too. Don't remember whether v6 was enabled per default…
-
Maranda
Martin: I thought we were more "looting" on the wallets of German tourists than the other way around 🤣
-
Holger
```
$ who am i
holger   pts/11   Nov 17 12:09 (2003:d3:171e:9b00:3fa3:22f2:a701:3b5f)
```
\o/
-
Holger
Glad we talked about this.
-
Licaon_Kter
Holger: _you are not your IP_
-
Holger
Sure I am!
-
Holger
So can we disable v4 everywhere now?
-
jonas’
Holger, yep, let's start with github.com
-
Martin
Maranda: If you look at the Oktoberfest there are more tourists from all over the world than germans.
-
Martin
Except the middle weekend, the so called "italian weekend" when most people are … italians. :)
-
MattJ
*cough* topic *cough*
-
Holger
MattJ: Cought a cold?
- Martin gives MattJ a grog.
-
moparisthebest
It's ok we are gonna update/replace all networking equipment on the internet to free up a few more IPv4 addresses but still not to support IPv6 https://www.ietf.org/id/draft-schoen-intarea-unicast-127-00.html
-
rozzin
> This document redefines the IPv4 local loopback network as consisting only of the 65,536 addresses 127.0.0.0 to 127.0.255.255 (127.0.0.0/16). It asks implementers to make addresses in the prior loopback range 127.1.0.0 to 127.255.255.255 fully usable for unicast use on the Internet.
Wow.
-
moparisthebest
guys... if we don't do this amazon might run out of IPs, won't someone think of the children !!!!
-
rozzin
> IPv6, despite its vastly larger pool of available address space, allocates only a single local loopback address (::1) [RFC4291]. This appears to be an architectural vote of confidence in the idea that Internet protocols ultimately do not require millions of distinct loopback addresses.
-
rozzin
Explicitly acknowledged in that RFC is that "many deployed systems" are going to need to have their handling of Martians changed.
-
rozzin
moparisthebest: you might think "well if you're going to upgrade all of your equipment and networking code anyway, why not just start using IPv6?"..., but I guess it's significantly easier to get people to change an 8 to a 16 than to get them to finally learn about IPv6. I have to admit, it's been decades and I still don't understand IPv6.
-
rozzin
So..., anyone here actually using localnet addresses other than 1 and 0? 🤷 There have been some interesting "local" XMPP applications I've seen, but not using *that* addressing scheme.
-
Link Mauve
rozzin, ntpd does, for instance.
-
Link Mauve
It defaults to 127.127.x.x, see https://gist.github.com/edro15/c3fbaaabfe31ecb799363ffab587f336
-
Link Mauve
I’m sure other software or systems do as well.
-
moparisthebest
rozzin, I mean it's identical to ipv4, just a different address space
-
rozzin
moparisthebest: and there's no NAT, and it's not even obvious how to parse the addresses for someone who just knows IPv4.
-
rozzin
moparisthebest: ?
-
moparisthebest
there can be NAT
-
moparisthebest
if you had thousands of IPv4 addresses you wouldn't use NAT either
-
rozzin
moparisthebest: I sure would if it meant that I wouldn't have to learn or think about how packets get routed into my LAN nodes from outside, that I could just avoid being confronted by all of the weird new IPv6-specific flags in OpenWRT, etc.
-
moparisthebest
if you don't want to think, that's what ISP-provided wifi routers are for :D
-
moparisthebest
if you have your own IPv4 network set up though, setting up IPv6 is just like setting up another one
-
moparisthebest
you can absolutely set it up exactly the same way, 1 public IPv6, NAT to all the rest, now ipv6 folks might scream at you but meh
-
moparisthebest
otherwise it's 1 firewall rule to say "only allow connections initiated from my lan devices to the outside first, not vice versa" to get the same "security" effect as NAT with globally routable addresses instead
-
moparisthebest
```
# default policy for forwarded traffic: drop
:FORWARD DROP [0:0]
# allow replies to connections that were already established
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# allow anything initiated from the LAN side
-A FORWARD -i lan -j ACCEPT
```
-
moparisthebest
oops 2 rules
-
mjk
https://http.xmpp.xyz:5281/upload/UcASGg_Rl7JJL_C7/QOkd1DrLQdiEDgw_TZN2WA.png
-
mjk
To _really_ close the drinking topic ↑
-
mjk
moparisthebest:
> otherwise it's 1 firewall rule to say "only allow connections initiated from my lan devices to the outside first, not vice versa" to get the same "security" effect as NAT with globally routable addresses instead
That was (happy-)eye-opening, TIL, thanks!
-
mjk
rozzin:
> So..., anyone here actually using localnet addresses other than 1 and 0?
Yup, I remember doing some strange things with ssh port forwarding. And/or openvpn
-
mjk
But yes, I hope the draft of the prolong-the-throes-of-the-IPv4-zombie standard won't get much farther