Logs for jdev
[08:33:08] * Treebilou left the chat.
[08:52:36] * Tobias joined the chat.
[08:53:22] * Tobias left the chat.
[09:06:14] * petermount joined the chat.
[09:08:24] * petermount left the chat.
[09:18:10] * Neustradamus left the chat.
[09:49:45] * Tobias joined the chat.
[11:06:11] * teo1 left the chat.
[11:06:25] * teo1 joined the chat.
[11:07:27] * teo1 left the chat.
[11:07:28] * teo1 joined the chat.
[11:22:21] * Neustradamus joined the chat.
[11:30:50] * Treebilou joined the chat.
[11:31:16] * Treebilou left the chat.
[11:31:59] * Treebilou joined the chat.
[11:37:52] * Lance joined the chat.
[11:53:37] * MattJ joined the chat.
[12:00:51] * Lance left the chat.
[12:00:53] * Lance joined the chat.
[12:35:35] * Lance left the chat.
[12:56:43] * Florob joined the chat.
[13:10:21] * Neustradamus left the chat.
[13:13:26] * Neustradamus joined the chat.
[13:18:54] * Tobias left the chat.
[14:33:01] * jcea joined the chat.
[14:44:26] * Florob left the chat.
[15:33:00] * Neustradamus left the chat.
[15:33:34] * Neustradamus joined the chat.
[15:40:12] * gnufs joined the chat.
[15:41:46] * gnufs left the chat.
[15:43:56] * Zash joined the chat.
[15:57:26] * Tobias joined the chat.
[15:58:51] <Tobias> !xmpp-core
[15:59:43] <Zash> http://tools.ietf.org/html/draft-ietf-xmpp-3920bis-17
[16:01:53] <Tobias> when I don't accept the cert provided by the initiating party how would I indicate an error? on TLS protocol level or a SASL
failure?
[16:07:46] <Tobias> xep.0178 says just to close the TCP connection which sounds a bit nasty protocol wise
[16:09:49] <MattJ> I don't see harm in <failure/> :/
[16:10:21] <MattJ> But perhaps there's no need to offer EXTERNAL if you already know the cert is not valid
[16:10:21] <Tobias> MattJ: how can you send it if the connection is closed? :P
[16:10:45] <MattJ> Does it say you mustn't send anything before closing the connection? :)
[16:10:55] <Tobias> MattJ: nope
[16:11:09] <Tobias> i've wondered whether to check the cert during the handshake
[16:11:16] <Tobias> or just pull the cert out after handshake
[16:13:13] <Tobias> probably it's enough for after the handshake
[16:25:03] * Neustradamus left the chat.
[16:25:43] * Neustradamus joined the chat.
[16:25:50] <Kev> Well, once you've sent <proceed/> you're not going to be sending more data unencrypted, are you?
[16:26:59] <MattJ> !xep 178
[16:27:00] <Kanchil> MattJ: XEP-0178: Best Practices for Use of SASL EXTERNAL with Certificates is Informational (Active, 2007-02-15) See: http://xmpp.org/extensions/xep-0178.html
[16:27:47] <Tobias> Kev: right
[16:27:48] <MattJ> No, that does seem wrong to me
[16:28:06] <MattJ> I mean - they may have an invalid cert, but perhaps you want to allow dialback?
[16:28:15] <Tobias> Kev: but what has that todo with the problem on when to fail
[16:28:20] <Tobias> and how to fail
[16:28:41] <Kev> Is <not-authorized/> appropriate?
[16:28:56] <Kev> I was just making the point that if you're going to fail, it shouldn't be done by sending it pre-TLS.
[16:29:01] <MattJ> If you only support TLS auth, yes
[16:29:14] <MattJ> Agreed, but it can't be done pre-TLS either :)
[16:29:15] <Kev> If you want to send it over the stream, you should 'accept' the cert, and then send it.
[16:29:16] * hanzz joined the chat.
[16:29:47] <hanzz> /me hoped Fabio Forno will idle here :)
[16:30:01] <Tobias> hanzz: he's online though :)
[16:30:10] <MattJ> He doesn't usually, his nick is often "ff" when he does
[16:30:38] <hanzz> Tobias, could you share JID? want to talk with him about his remote roster idea
[16:30:50] <Tobias> hanzz: sure, i'll send it in a PM to you
[16:30:53] <hanzz> thanks
[16:31:39] <Tobias> received it?
[16:32:28] <Tobias> Kev: so always accept certs at TLS level and fail afterwards if they are expired, not anchored in a trusted root CA, or you
just don't like the domain?
[16:32:49] <hanzz> yep
[16:32:50] <MattJ> Tobias, usually, yes
[16:32:51] <hanzz> thanks
[16:33:00] <Tobias> MattJ: k
[16:33:07] <MattJ> Tobias, failing during TLS isn't too nice, because it can't be recovered from
[16:33:53] <MattJ> OTOH it's more reasonable for a client to fail during TLS
[16:34:14] <MattJ> Since it really would have no more to say to the server if it is certain it's not the server it wants
[16:34:29] <MattJ> But in s2s you're verifying the other way around
[16:35:16] <Tobias> hmm...
[16:40:16] * hanzz left the chat.
[16:59:06] * Florob joined the chat.
[17:26:42] <Tobias> dwd: what's your opinion on the error handling issue with SASL EXTERNAL and invalid, not accepted certs?
[17:29:06] <MattJ> /me bows at the feet of dwd, master over OpenSSL
[17:29:17] <Tobias> heh :)
[17:29:18] * Rob Cridland joined the chat.
[17:29:43] <Tobias> i wonder whether that's something to be proud of, and whether that title comes with a lot depressions :D
[17:30:03] <MattJ> Tobias, sssh, you're spoiling the effect
[17:39:23] * Rob Cridland left the chat.
[18:06:09] <dwd> Muh?
[18:06:25] <dwd> Tobias, And that title comes with so much depression and stress you have no clue.
[18:08:09] <dwd> So, yes. EXTERNAL you offer if you trust the cert, and you think it can be used for authentication.
[18:08:41] <Tobias> and I fail with a SASL error on XMPP level, and not with some TLS error
[18:08:45] <Tobias> right?
[18:09:32] <dwd> GIven we can authenticate via other means if a certificate is presented which doesn't validate, or you can't construct a path
back to a trust anchor, then yes, just give a SASL error.
[18:09:45] <dwd> Fatal errors are a last resort.
[18:10:15] <Tobias> k
[18:11:04] <dwd> Tobias, Oh. But do have a configuration which ditches if you cannot validate the certificate, because that's currently mandated
by the RFC, I think.
[18:11:25] <Tobias> ditches?
[18:11:57] * smoku left the chat.
[18:12:02] <dwd> As in drops the connection during TLS negotiation.
[18:13:15] <Tobias> k
[18:18:53] * ermine joined the chat.
[18:19:30] * lastsky joined the chat.
[18:46:59] <Tobias> argh..even the documentation that exists of openssl is wrong :/
[18:47:17] <MattJ> /me gives Tobias 100XP
[18:47:45] <Kev> Heh
[18:48:17] <Tobias> i mean the documentation has wrong argument sequence
[18:48:29] <MattJ> You're on your way to becoming an OpenSSL sorceror
[18:48:33] <MattJ> Of course it has
[18:55:00] <Tobias> and their sample code used up the whole one letter variable name space :)
[18:55:42] <MattJ> int _i, _j;
[19:12:13] * jcea left the chat.
[19:16:25] * lastsky left the chat.
[19:16:42] * lastsky joined the chat.
[19:27:34] <Tobias> another funny part of openssl "The BOOLEAN type now takes three values." :)
[19:27:54] <MattJ> :D
[19:30:38] <Zash> WHAHAHHAAAT
[19:35:01] <Zash> "True, False, Maybe"
[19:35:49] <Florob> trinary \o/
[19:52:09] * Asterix left the chat.
[20:04:26] <Tobias> Zash: you've created a correct xmpp X.509 cert right? do you have test keys/certs available for testing?
[20:05:31] <Zash> Tobias: I think I did. dwd mentioned something about sRVNames or something.
[20:05:47] <Zash> Tobias: test keys/certs how?
[20:06:21] <Tobias> pem files for cert and key which one can use for some testing
[20:08:23] <Zash> I'm not giving you my private keys ... ;)
[20:08:53] <Tobias> i don't want them
[20:09:14] <Tobias> i just want some testing material and i'm obviously way too lazy to build them myself ;)
[20:09:36] <Zash> Bah!
[20:09:38] <Tobias> well..i can at least try
[20:13:17] <Zash> openssl genrsa $BITS > test.key; openssl req -new -key test.key -out test.csr -config http://wiki.xmpp.org/web/XMPP_Server_Certificates
[20:13:19] <Zash> sortof
[20:13:22] <Zash> was what I've used
[20:26:48] * Asterix joined the chat.
[20:29:32] <dwd> Tobias, I just use Isode's CA stuff. Makes it all rather easy.
[20:29:46] <Tobias> dwd: easy for you, i know ;)
[20:30:08] <dwd> Tobias, Sometimes it's hard to be such a genius.
[20:30:51] * Asterix left the chat.
[20:31:33] <Tobias> yeah, poor you
[20:31:35] <Tobias> ;)
[20:31:54] * ermine left the chat.
[20:50:16] <Tobias> Zash: mind pasting the output of "openssl asn1parse -i -in cert.pem" for your XMPP cert somewhere?
[20:53:18] <Zash> http://q.zash.se/66ff43a4.txt
[20:55:37] <Tobias> k, thx
[20:56:41] <Zash> [HEX DUMP]: doesn't look very helpful
[20:57:33] <Tobias> yup. guess those are the extensions openssl doens't know about
[20:59:19] * Neustradamus left the chat.
[21:13:15] * scippio_netbook left the chat.
[21:15:20] * lastsky left the chat.
[21:33:31] <MattJ> Tobias, incidentally have you found anything to back up Bruno's claim that you can't extract extensions OpenSSL doesn't know
about?
[21:34:14] <Tobias> not yet, but i'm sure there is some way to pull that info out
[21:34:31] <Tobias> maybe just in binary for or so
[21:34:42] <Tobias> *form
[21:37:00] * julm joined the chat.
[21:43:45] <dwd> MattJ, That sounds like tosh to me. OpenSSL has a generalized ASN.1/DER engine, so you can teach it how to extract new extensions
if needs be. Just like you can teach it to extract OtherNames it doesn't know about.
[21:44:24] <MattJ> Right, as I suspected would be the case
[21:44:35] <MattJ> He was claiming xmppAddr couldn't be extracted
[21:45:07] <dwd> MattJ, Erm. I do that, and I'm sure I'm not the only one.
[21:45:14] <MattJ> Good :)
[21:45:32] <dwd> MattJ, Can I claim that I can achieve the impossible, then? :-)
[21:45:35] <MattJ> Tobias and I are temporarily (I hope) forking his OpenSSL bindings for Lua
[21:45:38] <MattJ> For now you can
[21:45:43] <dwd> Marv.
[21:45:46] * Neustradamus joined the chat.
[21:46:36] <dwd> Hmmm. You'd be best off writing the xmppAddr stuff in C, though - it'd be painful indeed to provide a binding for the whole
ASN.1 gubbins. Possible, of course, but ugly. This might have been what he meant, of course.
[21:47:21] <MattJ> It's not likely he'll accept XMPP stuff in an otherwise general-purpose library
[21:47:57] <MattJ> The library does give a way to get the SSL_CTX, but he intends to remove that - on the grounds that it would be unsafe to
access it from two C libraries
[21:48:05] <dwd> Well, it's extraction of a SAN. There aren't that many defined types, just provide access to them all.
[21:48:15] <dwd> Meh?
[21:48:23] <Tobias> SAN? you mean the OID?
[21:48:36] <dwd> Tobias, SubjectAltName. Us hip and trendy folk call it a SAN.
[21:48:58] <MattJ> dwd, he worries that two different libs could be linked to two different copies of OpenSSL, or that OpenSSL relies on some
global variables
[21:49:12] <MattJ> and so considers the SSL_CTX private
[21:49:14] <dwd> Tobias, Only the OtherName SAN types have a OID.
[21:49:21] <dwd> MattJ, Well, he's a plonker then.
[21:49:32] <Tobias> !define plonker
[21:49:42] <MattJ> One option is to get the cert blob and ask OpenSSL to parse that, if the API allows it
[21:49:51] <Tobias> heh :)
[21:50:09] <MattJ> dwd, he says it's the OpenSSL devs :)
[21:50:22] <MattJ> I tried arguing, but I didn't have enough evidence that it would work
[21:50:32] <MattJ> But he won't even leave it with a warning in the docs
[21:50:41] <MattJ> which is the most annoying thing
[21:50:42] <dwd> MattJ, Well, sure you can... d2i_X509() will parse out the blob back into an X509.
[21:51:24] <dwd> I don't get how it'd be linked into two different OpenSSLs, anyway. Maybe I'm missing something.
[21:52:08] <MattJ> Prosody's code links with one OpenSSL, the bindings .so is linked with another
[21:52:26] <Tobias> couldn't one just pass the stuff openssl doesn't know how to handle to lua in binary form?
[21:52:30] <MattJ> it's possible, but unlikely, and anyone who allowed it to happen deserves the consequences
[21:52:45] <dwd> Just write a DER decoder in LUA. It'll be fun, honest.
[21:52:55] <MattJ> !LUA
[21:52:56] <Tobias> dwd: that was my first plan ;)
[21:52:58] <MattJ> !slap Kanchil
[21:52:59] <Kanchil> /me slaps Kanchil with large trout
[21:53:34] <dwd> /me pats Kanchil on the head. Nice LUAbot.
[21:54:58] <Tobias> dwd: it's just 26 pages :)
[21:55:19] <dwd> What's 26 pages?
[21:55:27] <Tobias> X.690
[21:55:40] <dwd> Oh, ASN.1, you mean?
[21:55:50] <dwd> Yeah, but the encoding rules are in a different doc.
[21:56:35] <dwd> We have a copy of BER at Isode - it's impressively chunky. Maybe 1cm thick of A4?
[21:56:55] <Tobias> ouch
[21:57:38] <dwd> Mind you, that could be all of ASN.1 and BER and DER. I'm not sure.
[21:57:50] <dwd> I know it doesn't have X.693 in it, though.
[21:57:56] <MattJ> Why didn't they just use XML? :(
[21:58:00] <dwd> (Which is XER - XML Encoding Rules)
[21:58:12] <dwd> MattJ, Oh, trust me, they used that too, once invented.
[21:58:16] <MattJ> ..
[21:58:49] <dwd> MattJ, It's possible to express all of XMPP in ASN.1, thanks to X.693. Which I can imagine we'll have to hold you back from
rushing off to do.
[21:59:00] <dwd> Be still, thy beating heart, etc.
[22:00:00] <Tobias> heh
[22:00:02] <MattJ> Not likely - who paid these people?
[22:00:25] <dwd> MattJ, The telcos, mostly.
[22:00:32] <dwd> MattJ, And some governments.
[22:00:58] <Tobias> those nasty telcos ;)
[22:02:04] <Tobias> dwd: http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf so this only describes how to encode ASN.1 as DER,
and not how DER encoding works?
[22:04:30] <Tobias> MattJ: and with depending on a fork of luasec we'd get problems with crazy distros like debian, right?
[22:04:31] <dwd> Tobias, Oh... Hmmm. Actually I'm not sure - it could be that thick wodge we have at Isode is X.680-X.699
[22:06:34] <MattJ> Tobias, that's Fedora
[22:06:45] <dwd> /me heads toward bed.
[22:06:48] <dwd> Night folkd.
[22:06:48] <Tobias> ahh :)
[22:06:50] <dwd> Folks.
[22:06:51] <Tobias> dwd: n8
[22:06:57] <MattJ> they won't have any duplicated libraries, anywhere - they won't even package LuaSec because it borrows code from LuaSocket
[22:07:02] <MattJ> 'night dwd
[22:31:55] * julm left the chat.
[22:44:20] * Tobias left the chat.
[23:22:27] * gnufs joined the chat.
[23:22:38] * gnufs left the chat.
[23:39:33] * gnufs joined the chat.
[23:57:48] * gnufs left the chat.
[00:01:07] * Lance joined the chat.
[01:00:27] * Lance left the chat.
[01:58:05] * Lance joined the chat.
[02:09:31] * Lance left the chat.
[02:20:13] * jkhii joined the chat.
[02:31:55] * MattJ left the chat.
[02:41:38] * Florob left the chat.
[03:03:46] * nicolas.alvarez joined the chat.
[03:03:46] * nicolas.alvarez left the chat.
[03:07:06] * nicolas.alvarez joined the chat.
[03:12:59] * nicolas.alvarez left the chat.
[03:34:13] * jkhii left the chat.
[04:11:35] * lastsky joined the chat.