<fippo> otherwise "but it works with jabber.org!!!!" is true
<Simon> and fix its cipherlist
<Kev> Simon: Nothing on that page looks incompatible with servers participating in the event.
<Kev> fippo: Yes, I expect we will.
<fippo> i wonder why jabber.org's pubkey score is sooo low
<Kev> Because it bundles the root (Which is a pretty sensible thing to do)?
<MattJ> Why is it a sensible thing to do?
<Kev> MattJ: Because if you're going to do leap of faith, having the root gives you a better basis for future upgrades.
<Simon> Presumably the root should come from outside the connections / OS / Browser.
<Simon> intermediate should be included though
<Simon> also the cert is for conference.jabber.org.
<Kev> The cname is c.j.o, which isn't the same thing.
<Kev> It has the right SANs in it as far as I know.
<fippo> there is a bug for xmpp.net that it should show SANs
<fippo> i even have code for it but can't get the tool itself to work for me
<Simon> fippo: this one https://bitbucket.org/xnyhps/xmppoke/issue/3/show-certificate-subjectalternativenames ?
<Simon> If anyone is looking for a well considered, peer reviewed ciphersuite, Mozilla Opsec have a good writeup: https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_Ciphersuite
<Simon> fippo: solved your cert problem a different way https://xmpp.net/result.php?domain=estos.de&type=server ?
<fippo> simon: huh? it has always shown as valid
<fippo> it just doesn't show why this one is valid :-)
<Simon> reread your xmppoke issue. Makes sense now.
<Simon> interestingly buddycloud.com refuses to speak to jabber.org too with the current cert.
<Simon> Dec 15 21:34:43 s2sout22aafc0 info Beginning new connection attempt to jabber.org. ([188.8.131.52]:5269)
Dec 15 21:34:44 mod_s2s warn Forbidding insecure connection to/from jabber.org.
Dec 15 21:34:44 s2sout22aafc0 info outgoing s2s stream buddycloud.com->jabber.org. closed: stream closed
Dec 15 21:34:44 s2sout22aafc0 info sending error replies for 2 queued stanzas because of failed outgoing connection to jabber.org.
<MattJ> I know what the issue is, there is a '.' at the end of the hostname
<Simon> the cert or the contact?
<MattJ> Someone is trying to send something to "jabber.org."
<MattJ> I vaguely recall something about this in the RFC
<MattJ> Yes, it's in 6122
<MattJ> It must be stripped, but it doesn't say where
<MattJ> well, it says: "this character MUST be stripped from the domainpart before the JID of which it is a part is used for the purpose of routing an XML stanza, comparing against another JID, or constructing an [XMPP-URI]."
<MattJ> So it's a client bug for allowing it and a server bug for not stripping it either I suppose
<Simon> server bug for storing it in the roster table too?
<MattJ> Not necessarily storing it
<MattJ> I don't know if roster entries must be in normalized form
<Zash> Let's blame jabber.org for answering to "jabber.org."