XSF Discussion - 2020-11-16

  1. emus

    Hello everyone, mid of month again - just reminding you to drop your project news to the last XMPP newsletter release in this year! (Publish on 8th of December!) 📡 You can create a pull request or place a comment here: https://github.com/xsf/xmpp.org/pull/830 Looking forward!

  2. Ge0rG

    emus: did you write something down for the LEcalypse?

  3. emus

    Ge0rG: Nope, no sufficient understanding, but PR is welcome

  4. Ge0rG


  5. emus


  6. Ge0rG

    emus: Error, insufficient time

  7. emus


  8. emus

    I mean, I dont expect something long. If one can summarise the cirumstance in 1-3 sentences that is enough

  9. Ge0rG

    emus: if I write you a paragraph of markdown here in the room, would you integrate it?

  10. emus

    Ge0rG: yes

  11. Ge0rG

    emus: cool!

  12. emus

    just write it, not formatting

  13. Ge0rG

    Let's Encrypt announced to [switch away from their Root CA certificate cross-signed by IdenTrust](https://letsencrypt.org/2020/11/06/own-two-feet.html). This means that old client devices (especially the roughly one third of Android phones running Android 7.0 and older) will consider Let's Encrypt certificates issued after January 11th 2021 as untrustworthy. This problem will not go away, as the IdenTrust cross-signed certificate will expire in September, but there are some possible mitigations: - For users: it is possible, but not very straight-forward to [add the new Root CA certificate to the system trust store](https://stackoverflow.com/a/22040887/) - Client developers can bundle the new [ISG Root X1](https://letsencrypt.org/certificates/) certificate with the app, or implement a manual CA approval mechanism like [MemorizingTrustManager](https://github.com/ge0rg/MemorizingTrustManager) - Server operators can use the ["alternate" option](https://community.letsencrypt.org/t/transition-to-isrgs-root-delayed-until-jan-11-2021/125516) between January and September to obtain certificates signed by the old IdenTrust-based root.

  14. Ge0rG

    emus: ^

  15. emus

    Ge0rG: Thank you very much

  16. Ge0rG

    emus: at your service :)

  17. jonas’

    oh wow

  18. jonas’

    that is .. indeed an apocalypse

  19. MattJ

    The question to me is, can we identify affected clients somehow?

  20. jonas’

    before or after the fallout?

  21. Shell

    the main issue is very old Android devices, and clients which use the system certificate store (i.e. pretty much all of them).

  22. jonas’

    Shell, Android 7.0 is not very old in my book.

  23. Ge0rG

    I still think that most Android clients will have some sort of manual certificate approval built in from the times before LE

  24. Ge0rG

    Because most people had rotten SSL certs before LE came

  25. Ge0rG

    So you weren't even able to log in into most self-host servers from a normal Android app

  26. Ge0rG

    But maybe my view is skewed because I'm the developer of the only Android client that survived over a decade.

  27. jonas’

    I’m afraid that might be the case

  28. jonas’

    except for Xabber

  29. Ge0rG

    https://github.com/redsolution/xabber-android/blob/cdf34f44b42f2b9d4de027e06086afbab4a8a0b4/xabber/src/main/java/com/xabber/xmpp/smack/XMPPTCPConnection.java#L775 looks like it supports something in that direction, but no idea where the config class is implemented

  30. Ge0rG

    oh, it's smack's

  31. Ge0rG

    jonas’: looks like you are right, Xabber will fail.

  32. Ge0rG

    oh wait. https://github.com/redsolution/xabber-android/blob/cdf34f44b42f2b9d4de027e06086afbab4a8a0b4/xabber/src/main/java/com/xabber/android/data/connection/ConnectionBuilder.java#L57-L63

  33. Ge0rG

    TIL github search won't search for substrings

  34. Ge0rG

    Conversations also comes with some sort of MTM.

  35. Ge0rG

    Are there any other relevant Android clients?

  36. Holger

    Alex (et al.): Is Memberbot supposed to talk to me (holger@jabber.fu-berlin.de) right now?

  37. Holger

    Alex: It worked right after you added(?) my JID a few days ago, but seems it does no longer.

  38. Alex

    Holger: will check in some minutes when I get back to my office

  39. Holger

    Thanks (no hurries!).

  40. Alex

    looks like memberbot terminated. Should be up and running again now

  41. Holger

    Yes, thank you!

  42. emus

    Ge0rG: the expire im September... 2021 ?

  43. emus

    Ge0rG: the expire in September... 2021 ?

  44. emus

    comments welcome: https://github.com/xsf/xmpp.org/pull/836

  45. Ge0rG

    emus: yes, from the le article