XSF Discussion - 2020-11-16


  1. emus

    Hello everyone, mid of month again - just reminding you to drop your project news to the last XMPP newsletter release in this year! (Publish on 8th of December!) 📡 You can create a pull request or place a comment here: https://github.com/xsf/xmpp.org/pull/830 Looking forward!

  2. Ge0rG

    emus: did you write something down for the LEcalypse?

  3. emus

    Ge0rG: Nope, no sufficient understanding, but PR is welcome

  4. Ge0rG

    -ENOTIME

  5. emus

    what?

  6. Ge0rG

    emus: Error, insufficient time

  7. emus

    ok

  8. emus

    I mean, I don't expect something long. If one can summarise the circumstance in 1-3 sentences that is enough

  9. Ge0rG

    emus: if I write you a paragraph of markdown here in the room, would you integrate it?

  10. emus

    Ge0rG: yes

  11. Ge0rG

    emus: cool!

  12. emus

    just write it, not formatting

  13. Ge0rG

    Let's Encrypt announced that they will [switch away from their Root CA certificate cross-signed by IdenTrust](https://letsencrypt.org/2020/11/06/own-two-feet.html). This means that old client devices (especially the roughly one third of Android phones running Android 7.0 and older) will consider Let's Encrypt certificates issued after January 11th 2021 as untrustworthy. This problem will not go away, as the IdenTrust cross-signed certificate will expire in September, but there are some possible mitigations:
    - For users: it is possible, but not very straightforward, to [add the new Root CA certificate to the system trust store](https://stackoverflow.com/a/22040887/)
    - Client developers can bundle the new [ISRG Root X1](https://letsencrypt.org/certificates/) certificate with the app, or implement a manual CA approval mechanism like [MemorizingTrustManager](https://github.com/ge0rg/MemorizingTrustManager)
    - Server operators can use the ["alternate" option](https://community.letsencrypt.org/t/transition-to-isrgs-root-delayed-until-jan-11-2021/125516) between January and September to obtain certificates signed by the old IdenTrust-based root.

  14. Ge0rG

    emus: ^

  15. emus

    Ge0rG: Thank you very much

  16. Ge0rG

    emus: at your service :)

  17. jonas’

    oh wow

  18. jonas’

    that is .. indeed an apocalypse

  19. MattJ

    The question to me is, can we identify affected clients somehow?

  20. jonas’

    before or after the fallout?

  21. Shell

    the main issue is very old Android devices, and clients which use the system certificate store (i.e. pretty much all of them).

  22. jonas’

    Shell, Android 7.0 is not very old in my book.

  23. Ge0rG

    I still think that most Android clients will have some sort of manual certificate approval built in from the times before LE

  24. Ge0rG

    Because most people had rotten SSL certs before LE came

  25. Ge0rG

    So you weren't even able to log in to most self-hosted servers from a normal Android app

  26. Ge0rG

    But maybe my view is skewed because I'm the developer of the only Android client that survived over a decade.

  27. jonas’

    I’m afraid that might be the case

  28. jonas’

    except for Xabber

  29. Ge0rG

    https://github.com/redsolution/xabber-android/blob/cdf34f44b42f2b9d4de027e06086afbab4a8a0b4/xabber/src/main/java/com/xabber/xmpp/smack/XMPPTCPConnection.java#L775 looks like it supports something in that direction, but no idea where the config class is implemented

  30. Ge0rG

    oh, it's smack's

  31. Ge0rG

    jonas’: looks like you are right, Xabber will fail.

  32. Ge0rG

    oh wait. https://github.com/redsolution/xabber-android/blob/cdf34f44b42f2b9d4de027e06086afbab4a8a0b4/xabber/src/main/java/com/xabber/android/data/connection/ConnectionBuilder.java#L57-L63

  33. Ge0rG

    TIL github search won't search for substrings

  34. Ge0rG

    Conversations also comes with some sort of MTM.

  35. Ge0rG

    Are there any other relevant Android clients?

  36. Holger

    Alex (et al.): Is Memberbot supposed to talk to me (holger@jabber.fu-berlin.de) right now?

  37. Holger

    Alex: It worked right after you added(?) my JID a few days ago, but seems it does no longer.

  38. Alex

    Holger: will check in some minutes when I get back to my office

  39. Holger

    Thanks (no hurries!).

  40. Alex

    looks like memberbot terminated. Should be up and running again now

  41. Holger

    Yes, thank you!

  42. emus

    Ge0rG: the expire im September... 2021 ?

  43. emus

    Ge0rG: the expire in September... 2021 ?

  44. emus

    comments welcome: https://github.com/xsf/xmpp.org/pull/836

  45. Ge0rG

    emus: yes, from the le article