Logs for jabber

[00:10:53] * yuppinturic left the chat.
[00:10:53] * ╔╦╗♥ joined the chat.
[00:15:24] * Eimann left the chat.
[00:17:18] * ╔╦╗♥ left the chat.
[00:22:22] * Eimann joined the chat.
[02:25:57] * Neustradamus left the chat.
[03:46:57] * Soulmate joined the chat.
[03:47:58] * Soulmate left the chat.
[04:10:53] * darkrain left the chat.
[04:18:06] * darkrain joined the chat.
[07:20:58] * tg joined the chat.
[07:21:00] * ukl@jabber.org joined the chat.
[07:23:08] <ukl@jabber.org> empathy shows http://www.kleine-koenig.org/tmp/self-signed.png when signing on. Are you aware of that?
[07:28:02] * tg left the chat.
[07:37:43] * Magargovinda joined the chat.
[07:37:44] * Magargovinda left the chat.
[07:37:47] * Alex joined the chat.
[07:38:14] * Magargovinda joined the chat.
[07:42:54] * Magargovinda left the chat.
[08:10:58] * vilius joined the chat.
[08:21:18] <vilius> ukl@jabber.org: "self-signed" does not make much sense to me. Not sure what field of the cert corresponds to what empathy shows in "Verified by:", but I'd guess that's the issuer field. In which case it is obvious the certificate has been issued by StartCom to register.jabber.org (well, to the owner for the domain, to be precise), thus the cert is _not_ self-signed. My next guess would be that your trust store does not include StartCom CA and the actual problem is an untrusted issuer, not a self-signed cert. But I'm not sure about my own reasoning :) as IIRC the previous cert for jabber.org (that has expired last week) was from the same issuer, so you should have seen the same error before.
[08:22:28] * yuppinturic joined the chat.
[08:34:46] * sono left the chat.
[08:44:49] <ukl@jabber.org> vilius: "last week" sounds right
[08:46:44] <ukl@jabber.org> /me has a file called /usr/share/ca-certificates/mozilla/StartCom_Certification_Authority.crt
[08:47:11] <ukl@jabber.org> it's a pity I have to disconnect to see the warning
[08:54:08] <ukl@jabber.org> that cert doesn't seem to match the cert that verifies the jabber.org cert though
[08:58:17] <ukl@jabber.org> if I do: openssl s_client -showcerts -connect jabber.org:5223 the output ends in: Verify return code: 19 (self signed certificate in certificate chain)
[09:09:15] <ukl@jabber.org> /me shrugs and shuts down his machine.
[09:09:22] * ukl@jabber.org left the chat.
[09:24:34] * Eimann left the chat.
[09:34:08] * Eimann joined the chat.
[09:55:19] * Schnouki joined the chat.
[10:28:37] <vilius> even though ukl has left, for the record (if anyone else apart from me was intrigued by the error), I find the openssl s_client error strange, because the trust chain it discovers looks basically like this: 0 register.jabber.org 1 StartCom CA 2 StartCom Intermediate CA while in my understanding if we're travelling from leaf to the trust root the logical sequence is 0, 2, 1 and then a self-signed trust root should not raise a flag. Which is exactly the case if I visit https://register.jabber.org using firefox, though openssl s_client pointed to register.jabber.org:443 fails the same way. Assuming firefox is sane, my next best guess would be that empathy's chain validation is similarly broken to s_client :)
[10:57:59] * Schnouki left the chat.
[11:32:43] * Goodcall77 joined the chat.
[11:33:51] * Goodcall77 left the chat.
[12:25:39] * yuppinturic left the chat.
[12:29:11] * yuppinturic joined the chat.
[12:58:11] * hash joined the chat.
[12:58:26] * hash left the chat.
[13:03:30] * Alex left the chat.
[13:03:30] * Alex joined the chat.
[13:39:57] * Eimann left the chat.
[14:03:11] * Alex left the chat.
[14:43:48] * aRyo joined the chat.
[14:49:35] * aRyo left the chat.
[15:00:48] * Eimann joined the chat.
[17:15:33] * yuppinturic left the chat.
[17:20:36] <Eimann> vilius: openssl s_client -showcerts -CApath /etc/ssl/certs/ -starttls xmpp -connect jabber.org:5222
[17:20:40] <Eimann> this works fine.
[17:22:04] * MattJ left the chat.
[17:22:06] * MattJ joined the chat.
[17:29:54] <Eimann> Also, RFC5246 that jabber.org got it wrong, "The sender's certificate MUST come first in the list. Each following certificate MUST directly certify the one preceding it."
[17:30:13] <Eimann> +says
[17:30:31] * Soulmate joined the chat.
[17:31:18] * Soulmate left the chat.
[17:32:16] <vilius> Eimann: indeed, giving the CApath makes the validation successful. And the cert order seemed strange to me too. However, it seems that ukl simply had an outdated StartCom cert?
[17:33:27] <vilius> Eimann: the other funny thing is that man s_client says: 'Currently, the only supported keywords are "smtp", "pop3", "imap", and "ftp".', though "xmpp" seems to work :)
[17:33:42] <Eimann> according to rfc5246 section 7.4.2 the cert order is wrong
[17:34:42] <vilius> yes, I agree, but that doesn't explain the self-signed cert error
[17:34:48] * kju joined the chat.
[17:35:17] <kju> vilius: add the -CApath parameter as shown by eimann
[17:35:27] <kju> i pointed out to him that openssl needs that to verify the root certificate
[17:35:32] <kju> otherwise you will get that error message
[17:36:17] <vilius> kju: I have, thanks. And -starttls xmpp seems to work, contrary to what is said by man page on Debian
[17:36:20] <kju> interestingly enough openssl does not complain about the wrong certificate order. probably openssl is tolerant to this error, it is probably a typical one.
[17:36:29] <kju> yes, i know. noticed that as well.
[17:38:10] <kju> the upstream source does not have it either, so they probably forgot to update the man page
[17:40:26] <kju> other than the wrong order the certificate chain of jabber.org is correct.
[17:40:42] <kju> you can compare the certificates presented with my own server which also has a startcom certificate: openssl s_client -showcerts -starttls xmpp -connect jabber.fqdn.org:5222
[17:41:26] <vilius> that's the second important omission in a man page in two days, the other being tcpdump secretly supporting sctp in filter expressions :)
[17:41:54] <vilius> kju: 'fqdn' is nice for a domain name :)
[17:42:38] <kju> well, yes. i registered it when it was free 12 years ago :)
[17:45:24] <kju> would have preferred fqdn.net, though.
[17:45:43] * Alex joined the chat.
[18:13:19] * nermin.h.m joined the chat.
[18:14:48] * nermin.h.m left the chat.
[18:23:35] * vilius left the chat.
[18:33:29] * MattJ left the chat.
[18:33:39] * MattJ joined the chat.
[18:35:25] * MattJ left the chat.
[18:35:37] * MattJ joined the chat.
[18:47:08] * MattJ left the chat.
[18:47:14] * MattJ joined the chat.
[18:48:32] * MattJ left the chat.
[18:48:41] * MattJ joined the chat.
[19:03:57] * kju left the chat.
[19:30:16] * Z_God joined the chat.
[20:06:13] * yuppinturic joined the chat.
[21:50:58] * Alex left the chat.
[22:17:36] * Eimann left the chat.
[22:25:30] * Eimann joined the chat.
[22:51:11] * Alex joined the chat.
[23:03:19] * Eimann left the chat.
[23:07:22] * Alex left the chat.
[23:11:18] * Z_God left the chat.