XMPP Service Operators - 2022-08-09


  1. mimi89999

    Establishing a secure connection from lebihan.pl to emevth.no-ip.biz failed. Certificate hash: f23518f572dd1897e6ae2a24b5aafeac630b06337e6ec6de30eac4a4a21d7ee4. Error with certificate 0: certificate has expired. Establishing a secure connection from lebihan.pl to conference.gajim.org failed. Certificate hash: ebcda38cd840bd2cb0e3e1623004b63481129107b44aa962ce4b122258a68528. Error with certificate 0: certificate has expired.

  2. smooth_op

    down with certificates

  3. moparisthebest

    smooth_op: what do you replace them with

  4. smooth_op

    a firm handshake with eye contact

  5. Sapotaceae

    no blood pact?

  6. smooth_op

    lol. i wish there was a better way but free 3-month certs will have to do.

  7. Zash

    next step is 3-day certs

  8. jonas’

    you joke

  9. Zash

    jonas’, https://www.rfc-editor.org/rfc/rfc8739.html

  10. Zash

    convergence of certificates and oscp pretty much

  11. Zash

    convergence of certificates and ocsp pretty much

  12. Zash

    (have you ever noticed that it is *impossible* to type the acronym for Online Certificate Status Protocol correctly on the first try?)

  13. moparisthebest

    Also when you get it wrong it's the acronym for some security certification

  14. Zash

    actually nice would be to have raw public keys and DANE stapling, but nice things are of course unavailable as usual

  15. smooth_op

    ...until some consortium says even those keys need to be rotated every 3 months

  16. smooth_op

    and isn't dane+dnssec fighting a similar battle like ipv6? the Don't Break the Internet battle?

  17. Zash

    huh? unfavorable deployment characteristics of the "it won't work until everyone has it" sort, sure

  18. moparisthebest

    ah yes I hate the evil consortium that solved TLS on the internet and made most of the net encrypted and usable

  19. moparisthebest

    oh wait no I don't that would be ridiculous lol, you don't remember getting TLS certs before acme/letsencrypt? living nightmare

  20. Zash

    but only once per year!

  21. moparisthebest

    once per year and then every time you added a new domain, also no one could afford wildcards

  22. moparisthebest

    don't forget needing to do SNI because you couldn't afford multi-domain certs

  23. Zash

    I don't remember SNI from that time

  24. smooth_op

    oh, what LE did for the internet was/is awesome. the catch was now we have to be 4 times as diligent

  25. Sapotaceae

    "just automate it"

  26. moparisthebest

    Not really, now you set it up once and it's good forever

  27. moparisthebest

    Vs forgetting the manual steps every year

  28. Zash

    dunno about you but dealing with certbot is a nightmare for me

  29. smooth_op

    because inevitably, certbot or cron stopped working but since we were smart and set up automation, we devoted less attention

  30. Zash

    "Hello, I am certbot and today I'm going to start putting your certs into example.com-0001 instead!"

  31. moparisthebest

    I took one look at certbot, saw a pile of python, went with acme.sh and haven't had a problem since

  32. ernst.on.tour

    I use getssl.sh, also no problem 🤷🏼‍♂️ Then a little bit of shell-magic and the right plugin in prosody to "curl" a msg if ssl-still-alive-time is less than 20 days. (Default: ssl will be renewed if less than 30 days)

  33. Link Mauve

    Who here operates this FXTIA bot which joined every room listed?

  34. Link Mauve

    And what is its purpose?

  35. FXTIA

    me

  36. Link Mauve

    Oh, since your JID said bot I thought you were a bot. ^^

  37. FXTIA

    Link Mauve check your PM