IRC Archive / Freenode / #mumble / 2010 / January / 28 / 2
pcgod
slicer: yes it was a quick hack and doesn't work if your server cert is not the ca cert ;)
(or you concat them in the correct order...)
slicer
Atritas: As far as I can see from that patch, it should restrict users to the CA the server uses.
DireFog
Atritas: you'd have to somehow modify the SSL context it's all based on to use a different certificate store, I guess Qt just uses the default
can't find anything on cert store configuration in Qt
slicer
DireFog: First read patch, then comment. Not vice versa :)
Atritas
slicer: Well i tried passing along another valid cert including its CA in the client, which also resulted in a successful login.
DireFog
slicer: I read the patch
pcgod
DireFog: there is a way to change the CA cert store in Qt (and we are doing that already) ;)
Atritas
slicer: So it seems (at least to my understanding), that the server takes the CA provided in the client PKCS12 file as well.
DireFog
ah that
Atritas
(or any CA in /etc/ssl/certs/ca-certificates.crt)
slicer
Atritas: No, it should only allow those you have configured in your murmur.ini file.
Atritas
slicer: That's my server cert.
slicer: My CA has no FQN as CN.
metalfan_
hi
Atritas
*FQDN
But ok, other way 'round :-) Is something like this scenario planned/realistic for private servers?
pcgod
(It should work if your server cert is signed by the CA and you add the CA cert to the server cert... but I never tried if it does)
Atritas
pcgod: Order important?
DireFog
"It can be modified prior to the handshake (...)"  SSL error: Feeling blue ;_;
pcgod
Atritas: yes
Atritas
pcgod: Nope, sorry... It either doesn't work at all with the error (The root certificate of the certificate chain is self-signed, and untrusted (10)) or, if I disable this error, it allows login both with certs from "my" CA and with any other PKCS12 certificate which provides its own CA client-side.
I don't get the error, though... The root certificate (e.g. CA) is self-signed by design, isn't it?
DireFog
should be
the only alternative would be unsigned roots
Atritas
...or using intermediate CAs, which would cause more trouble than it's worth, I presume.
*If* you stop checking the chain at this point, that is ...
But still... I don't understand why a client-provided CA supersedes the one on the server.
DireFog
the *root* certificate can't really have a different signer according to the definition of "root"
Atritas
granted :)
Still, I just can't seem to enforce one particular CA only... Any more ideas?
CIA-9
slicer * r8b90d2e56b50 /src/mumble/ (5 files): Show tooltip warning in rich text editor when over message limits
DireFog
Atritas: judging by source code I'm now reading for the first time ever, using that hack and appending the CA cert to the server cert file should do the trick
(Action) *so* does not like Hungarian prefix notation
MorgyN
Hmm, what's the software you use to find offsets?
for the positional plugins
Atritas
DireFog: No, unfortunately it doesn't. I still get the "self-signed cert in chain" error message when "case QSslError::SelfSignedCertificateInChain:" is commented out in Server.cpp. If I remove the comments, login is allowed, but also for users who provide their own CA when importing in the client.
DireFog
openssl documentation is so ugly
"Currently no detailed documentation on how to use the X509_STORE object is available."
great
ahhh Atritas, are you sure you get all necessary certs for verification from the client?
Atritas
DireFog: Well, pretty... I generated them for testing, one PKCS12 with the full chain up to the CA, one without.
2 sets of certs, one with my CA, one with another test-CA (which should be rejected)
DireFog
I found an old-ish and apparently unfixed OpenSSL bug that results in a self-signed cert error under some circumstances, but that's only for the s_client part of the commandline tool
Atritas
The "good" CA is also in /etc/ssl/certs/ca-certificates.crt (or the MS store, whatever it's called). The "bad" CA is in neither store.
As far as I know "s_client" is only for testing/connecting to SSL/TLS enabled services.
Thing is, as soon as only the client has a CA it's seen as a valid cert by the server, as far as I can deduce from the behaviour.
DireFog
the library error that the self-signed error maps to is probably "the certificate chain could be built up using the untrusted certificates but the root could not be found locally. "
I guess it's time to do print debugging on qlCA ;-)
Atritas
According to http://qt.nokia.com/doc/4.6/qsslerror.html I'm falling through trapdoor number 10 on the unmodified patch.
DireFog
yep
Atritas
Allowing that one renders every CA as valid.
DireFog
and with OpenSSL, that likely maps to http://www.openssl.org/docs/apps/verify.html#item_19 on the library level
still, if I read the code correctly, the server should add *all* certificates in the server cert file to the SSL certificate store, and make them locally trusted
Atritas
Neither reversing the order of CA and server cert nor adding the CA to the global store changes this behaviour.
DireFog
order shouldn't matter. the server looks for the cert that the server key belongs to and uses that pair, the rest goes into qlCA
Atritas
Could it be because of the "add/setCaCertificates" part?
DireFog
if you use set, it should trust the (root) certs in the server config
Atritas
It is "set" now.
pcgod
there is a sslca option, but it only adds to the default cert store... you could try to change the cert store to an empty dir (i think we have a compile time option to change the cert store) and then add your own ca cert via sslca ...
Atritas
During the SSL handshake the client sends its certificate. Does it send its CA (if bundled) also and is it possible that the server incorporates that CA (by accident or on purpose)?
pcgod
(and revert the add -> setcacert part of the patch)
Atritas
There is? Undocumented, I presume :-)
DireFog
just found it too
with NO_SYSTEM_CA_OVERRIDE defined, you apparently nuke the code handling the system cert store
Tecfan
dD0T, you run MD on windows?
pcgod
... and use qt's builtin default cert store :)
DireFog
that has one too?!?
I guess in murmur/main.cpp you could just replace the call to MumbleSSL::addSystemCA() by a call to QSslSocket::setDefaultCaCertificates with an empty list
MulderSSL: I want to believe!
QSslSocket::setDefaultCaCertificates(QList<QSslCertificate>()); // and see if it still believes in anything
Dessous
if I have sslCert=cer, sslKey=key and certrequired=True in murmur.ini, is all traffic between the clients and my server then encrypted in SSL?
DireFog
it's always encrypted, your setup also enforces authentication
Dessous
Really? I did not know that
DireFog
Feature Request: Steal Kopete contact list with inline user comments
kRush
anyone care to write a native munin plugin? or is there one that I missed?
Atritas
DireFog: It seems that murmur doesn't believe in packaged CAs anymore, but the option sslCA=... doesn't seem to be honored either.
DireFog
I guess it's both hell to maintain
with OS cert store you usually get updates
Atritas
Well... For me only one CA counts, to keep the server private and access control maintainable, but optimally I guess it would make sense to have some sort of on/off switch.
Unfortunately adding the CA to the server cert doesn't work either. So I think we officially broke the handshake :-)
DireFog
post a feature request to add an option like "sslTrustSystemCAs" that disables the system store and just accepts certs signed by the same CA as the server cert
dunno, I just started looking at the source an hour ago
Atritas
hehe... That would have been my next question: Is it even realistic that such a feature would be implemented?
Anyway... I'd like to express my thanks to all of you who tried to help, made suggestions and had ideas. Thank you very much!
Ogoor
set some channel modes to allow only authed clients to join
_KaszpiR_
or flag to block channel ctcp
AnnuitCoeptis
does murmur support IPv6? if so, can I put both an IPv4 and IPv6 address in the murmur.ini?
pcgod
AnnuitCoeptis: yes
AnnuitCoeptis
pcgod: thank you! What format do I put both addresses in? separated with a semi-colon?
I am really excited to do IPv6 mumble!
Comcast is rolling out IPv6 (beta) very soon they say
and our hosting company is implementing IPv6 at the end of this month
pcgod
AnnuitCoeptis: host= is space separated
AnnuitCoeptis
space separated, excellent!
thank you
slicer
AnnuitCoeptis: Note that IPv6 uses considerably more bandwidth :)
_KaszpiR_
hmm I can't get styles nor html links to work in murmur motd
pcgod
_KaszpiR_: What happens?
_KaszpiR_
changing motd via ice and it shows in client as plain text, only bold works
The_SLain_MAn
slicer: why does it use more bandwidth?
slicer
The_SLain_MAn: IPv6 headers are much longer :)
pcgod
_KaszpiR_: make sure that all tags are closed
_KaszpiR_
pcgod if they were broken then bold would not work either
pcgod
_KaszpiR_: which client version?
The_SLain_MAn
slicer: ahh, forgot that, how much difference is it?
_KaszpiR_
E817EE
tried also previous build
slicer
The_SLain_MAn: IIRC, the IPv6 header is 40 bytes vs 20 for IPv4. At 100 packets/sec, that adds up :)
pcgod
_KaszpiR_: could you post the text that doesn't work?
_KaszpiR_
http://kaszpir.ampaste.net/m273b028f
fwaggle
pcgod: host= is space separated, can I bind to multiple IPs that way?
multiple IPv4s that is
_KaszpiR_
lol guys you got a typo in the README file
it is sourcforge
missing e letter ;D
pcgod
fwaggle: should work, yes
_KaszpiR_: http://imgur.com/dnQuV.png
(font sizes are different in a browser but everything else seems to work)
_KaszpiR_
hm
fwaggle
pcgod: doesn't seem to work on a 1.1 server :(
pcgod
fwaggle: I think it's 1.2.x only
_KaszpiR_
pcgod motd on 1.1.x works okay, but i got problems with 1.2.1
server 1.2.2
jan 19 2010
pcgod
_KaszpiR_: 1.2.2 server and latest snapshot client here
_KaszpiR_
same
fwaggle
pcgod: it does however completely solve my solution with 1.2 servers
thanks a ton for your unintentional help ;D
_KaszpiR_
in addition, after server restart, Polish special chars in comments are improperly displayed, again
moreover I got a note about the open file descriptors limit when user is unlimited
(but I gotta check that in more detail, maybe I have set up some stuff in kernel anyway)
Polarina
When is 1.2.2 to be released?
_KaszpiR_
when its released
fuck me, facepalm
makes me want to walk out of the cinema
Polarina
In the .ini file, would: hosts=::1 127.0.0.1 work?
pcgod
_KaszpiR_: If I copy your welcome message to a comment and restart the server, everything still looks the same
_KaszpiR_
channel comments, not motd
pcgod
(maybe because it has all special chars html encoded...)
fwaggle
Polarina: i would think that would work
_KaszpiR_
hmm maybe I should paste motd to murmur.ini instead of using icedemo.php ;)
Polarina
fwaggle, :D
pcgod
_KaszpiR_: I used Ice to set the welcome message (but not icedemo.php) :)
maybe the php script changes " to \" ...
_KaszpiR_
now pasted motd to murmur.ini, same problem
and I have changed php script to stripslashes
icedemo.php for murmur 1.1.x and murmur 1.2.x is just not very different
changes due to slice layout and forcing certain values to int, and that's all
but I have noticed that I had to add stripslashes to the new 1.2.x code, otherwise it was stuffed with excessive slashes
`Zuko
slicer: can you add "those" lines - http://isports.pl/~zuko/syf/screenshot1264713651.jpg , to default skin - http://isports.pl/~zuko/syf/screenshot1264713632.jpg ?
pcgod
`Zuko: Those lines are drawn depending on Qt's style engine and the Vista style has no lines (because every native treeview also has no lines)