| pcgod | slicer: yes it was a quick hack and doesn't work if your server cert is not the ca cert ;) |
| pcgod | (or you concat them in the correct order...) |
| slicer | Atritas: As far as I can see from that patch, it should restrict users to the CA the server uses. |
| DireFog | Atritas: you'd have to somehow modify the SSL context it's all based on to use a different certificate store, I guess Qt just uses the default |
| DireFog | can't find anything on cert store configuration in Qt |
| slicer | DireFog: First read patch, then comment. Not vice versa :) |
| Atritas | slicer: Well i tried passing along another valid cert including its CA in the client, which also resulted in a successful login. |
| DireFog | slicer: I read the patch |
| pcgod | DireFog: there is a way to change the CA cert store in Qt (and we are doing that already) ;) |
| Atritas | slicer: So it seems (at least to my understanding), that the server takes the CA provided in the client PKCS12 file as well. |
| DireFog | ah that |
| Atritas | (or any CA in /etc/ssl/certs/ca-certificates.crt) |
| slicer | Atritas: No, it should only allow those you have configured in your murmur.ini file. |
| Atritas | slicer: That's my server cert. |
| Atritas | slicer: My CA has no FQN as CN. |
| metalfan_ | hi |
| Atritas | *FQDN |
| Atritas | But ok, other way 'round :-) Is something like this scenario planned/realistic for private servers? |
| pcgod | (It should work if your server cert is signed by the CA and you add the CA cert to the server cert... but I never tried if it does) |
| Atritas | pcgod: Order important? |
| DireFog | "It can be moodified prior to the handshake (...)" SSL error: Feeling blue ;_; |
| pcgod | Atritas: yes |
| Atritas | pcgod: Nope, sorry... It either doesn't work at all with the error (The root certificate of the certificate chain is self-signed, and untrusted (10)) or if I disable this error it allows login with both certs from "my" CA and any other PKCS12 certificate which provides its own CA client-side. |
| Atritas | I don't get the error, though... The root certificate (eg. CA) is self-signed by design, isn't it? |
| DireFog | should be |
| DireFog | the only alternative would be unsigned roots |
| Atritas | ...or using intermediate CAs, which would cause more trouble than it's worth I presume. |
| Atritas | *If* you stop checking the chain at this point that is ... |
| Atritas | But still... I don't understand why a client-provided CA supersedes the one on the server. |
| DireFog | the *root* certificate can't really have a different signer according to the definition of "root" |
| Atritas | granted :) |
| Atritas | Still, i just can't seem to enforce one particular CA only... Any more ideas? |
| CIA-9 | slicer * r8b90d2e56b50 /src/mumble/ (5 files): Show tooltip warning in rich text editor when over message limits |
| DireFog | Atritas: judging by source code I'm now reading for the first time ever, using that hack and appending the CA cert to the server cert file should do the trick |
| Action: DireFog *so* does not like hungarian prefix notation |
| MorgyN | Hmm, whats the software you use to find offsets? |
| MorgyN | for the positional plugins |
| Atritas | DireFog: No, unfortunately it doesn't. I still either get the "self-signed cert in chain" error message when "case QSslError::SelfSignedCertificateInChain:" is commented in Server.cpp. If i remove the comments, login is allowed, but also for users who provide their own CA when importing in the client. |
| DireFog | openssl documentation is so ugly |
| DireFog | "Currently no detailed documentation on how to use the X509_STORE object is available." |
| DireFog | great |
| DireFog | ahhh Atritas, are you sure you get all necessary certs for verification from the client? |
| Atritas | DireFog: Well, pretty... I generated them for testing, one PKCS12 with the full chain up to the CA, one without. |
| Atritas | 2 sets of certs, one with my CA, one with another test-CA (which should be rejected) |
| DireFog | I found an old-ish and apparently unfixed OpenSSL bug that results in a self-signed cert error under some circumstances, but that's only for the s_client part of the commandline tool |
| Atritas | The "good" CA is also in /etc/ssl/certs/ca-certificates.crt (or the MS-Store whatever its called). The "bad" CA is in neither store. |
| Atritas | As far as i know "s_client" is only for testing/connecting to SSL/TLS enabled services. |
| Atritas | Thing is as soon as only the client has a CA it's seen as a valid cert by the server as far as I can deduce from the behaviour. |
| DireFog | the library error that the self-signed error maps to is probably "the certificate chain could be built up using the untrusted certificates but the root could not be found locally. " |
| DireFog | I guess it's time to do print debugging on qlCA ;-) |
| Atritas | According to http://qt.nokia.com/doc/4.6/qsslerror.html i'm falling through trapdoor number 10 on the unmodified patch. |
| DireFog | yep |
| Atritas | Allowing that one renders every CA as valid. |
| DireFog | and with OpenSSL, that likely maps to http://www.openssl.org/docs/apps/verify.html#item_19 on the library level |
| DireFog | still, if I read the code correctly, the server should add *all* certificates in the server cert file to the SSL certificate store, and make them locally trusted |
| Atritas | Neither reversing the order of CA and server cert nor adding the CA to the global store changes this behaviour. |
| DireFog | order shouldn't matter. the server looks for the cert that the server key belongs to and uses that pair, the rest goes into qlCA |
| Atritas | Could it be because of the "add/setCaCertificates" part? |
| DireFog | if you use set, it should trust the (root) certs in the server config |
| Atritas | It is "set" now. |
| pcgod | there is a sslca option, but it only adds to the default cert store... you could try to change the cert store to an empty dir (i think we have a compile time option to change the cert store) and then add your own ca cert via sslca ... |
| Atritas | During the SSL handshake the client sends its certificate. Does it send its CA (if bundled) also and is it possible that the server incorporates that CA (by accident or on purpose)? |
| pcgod | (and revert the add -> setcacert part of the patch) |
| Atritas | There is? Undocumented i presume :-) |
| DireFog | just found it too |
| DireFog | with NO_SYSTEM_CA_OVERRIDE defined, you apparently nuke the code handling the system cert store |
| Tecfan | dD0T, you run MD on windows? |
| pcgod | ... and use qt's builtin default cert store :) |
| DireFog | that has one too?!? |
| DireFog | I guess in murmur/main.cpp you could just replace the call to MumbleSSL::addSystemCA() by a call to QSslSocket::setDefaultCaCertificates with an empty list |
| DireFog | MulderSSL: I want to believe! |
| DireFog | QSslSocket::setDefaultCaCertificates(QList<QSslCertificate>()); // and see if it still believes in anything |
| Dessous | if I have sslCert=cer, sslKey=key and certrequired=True in murmur.ini, is all traffic between the clients and my server then encrypted in SSL? |
| DireFog | it's always encrypted, your setup also enforces authentication |
| Dessous | Really? I did not know that |
| DireFog | Feature Request: Steal Kopete contact list with inline user comments |
| kRush | anyone care to write a native munin plugin? or is there one that I missed? |
| Atritas | DireFog: It seems that murmur doesn't believe in packaged CAs anymore, but the option sslCA=... doesn't seem to be honored, too. |
| DireFog | I guess it's both hell to maintain |
| DireFog | wits OS cert store you usually get updates |
| DireFog | with* |
| Atritas | Well... For me only one CA counts to keep the server private and access-control maintainable, but optimally i guess it would make sense to have some sort of On/Off switch. |
| Atritas | Unfortunately adding the CA to the server cert doesn't work, too. So i think we officially broke the handshake :-) |
| DireFog | post a feature request to add an option like "sslTrustSystemCAs" that disables the system store and just accepts certs signed by the same CA as the server cert |
| DireFog | dunno, I just started looking at the source an hour ago |
| Atritas | hehe... That would have been my next question: Is it even realistic that such a feature would be implemented? |
| Atritas | Anyway... I'd like to express my thanks to all of you who tried to help, made suggestions and had ideas. Thank you very much! |
| Ogoor | set some channel modes to allow only authed clients to join |
| _KaszpiR_ | of rlag to block channel ctcp |
| AnnuitCoeptis | does murmur support IPv6? if so, can I put both an IPv4 and IPv6 address in the murmur.ini? |
| pcgod | AnnuitCoeptis: yes |
| AnnuitCoeptis | pcgod: thank you! What format do I put both addresses in? separated with a semi-colon? |
| AnnuitCoeptis | I am really excited to do IPv6 mumble! |
| AnnuitCoeptis | Comcast is rolling out IPv6 (beta) very soon they say |
| AnnuitCoeptis | and our hosting company is implementing IPv6 at the end of this month |
| pcgod | AnnuitCoeptis: host= is space separated |
| AnnuitCoeptis | space separated, excellent! |
| AnnuitCoeptis | thank you |
| slicer | AnnuitCoeptis: Note that IPv6 uses considerably more bandwidth :) |
| _KaszpiR_ | hmm i cant get styles nor html links to work in murmur motd |
| pcgod | _KaszpiR_: What happens? |
| _KaszpiR_ | changing motd via ice and it shows in client as plain text, only bold works |
| The_SLain_MAn | slicer: why does it use more bandwidth? |
| slicer | The_SLain_MAn: IPv6 headers are much longer :) |
| pcgod | _KaszpiR_: make sure that all tags are closed |
| _KaszpiR_ | pcgod if they would be broken then bold would not work either |
| pcgod | _KaszpiR_: which client version? |
| The_SLain_MAn | slicer: ahh, forgot that, how much difference is it? |
| _KaszpiR_ | E817EE |
| _KaszpiR_ | teid also previous build |
| _KaszpiR_ | *ried |
| slicer | The_SLain_MAn: IIRC, the IPv6 header is 40 bytes vs 20 for IPv4. At 100 packets/sec, that adds up :) |
| pcgod | _KaszpiR_: could you post the text that doesn't work? |
| _KaszpiR_ | http://kaszpir.ampaste.net/m273b028f |
| fwaggle | pcgod: host= is space separated, can I bind to multiple IPs that way? |
| fwaggle | multiple ipv4s that is |
| _KaszpiR_ | lol guys you got typo in the README file |
| _KaszpiR_ | it is sourcforge |
| _KaszpiR_ | missing e letter ;D |
| pcgod | fwaggle: should work, yes |
| pcgod | _KaszpiR_: http://imgur.com/dnQuV.png |
| pcgod | (font sizes are different in a browser but everything else seems to work) |
| _KaszpiR_ | hm |
| fwaggle | pcgod: doesn't seem to work on a 1.1 server :( |
| _KaszpiR_ | http://kaszpir.hlds.pl/mumble/murmur.motd.issue.png |
| pcgod | fwaggle: I think it's 1.2.x only |
| _KaszpiR_ | pcgod motd on 1.1.x works okay, but i got problems with 1.2.1 |
| _KaszpiR_ | server 1.2.2 |
| _KaszpiR_ | jan 19 2010 |
| pcgod | _KaszpiR_: 1.2.2 server and latest snapshot client here |
| _KaszpiR_ | same |
| fwaggle | pcgod: it does however completely solve my solution with 1.2 servers |
| fwaggle | thanks a ton for your unintentional help ;D |
| _KaszpiR_ | in addition, after server restart, polish special chars in comments are improperly displayed, again |
| _KaszpiR_ | moreover i got note about the open file descriptors limit when user is unlimited |
| _KaszpiR_ | (but i gotta check that in more detail, maybe i have set up some stuff in kernel anyway) |
| Polarina | When is 1.2.2 to be released? |
| _KaszpiR_ | when its released |
| _KaszpiR_ | fucking hell, facepalm |
| _KaszpiR_ | makes you want to walk out of the cinema |
| Polarina | In the .ini file, would: hosts=::1 127.0.0.1 work? |
| pcgod | _KaszpiR_: If I copy your welcome message to a comment and restart the server, everything still looks the same |
| _KaszpiR_ | channel comments, not motd |
| pcgod | (maybe because it has all special chars html encoded...) |
| fwaggle | Polarina: i would think that would work |
| _KaszpiR_ | hmm maybe i should paste motd to murmur.ini instead of using icedemo.php ;) |
| Polarina | fwaggle, :D |
| pcgod | _KaszpiR_: I used Ice to set the welcome message (but not icedemo.php) :) |
| pcgod | maybe the php script changes " to \" ... |
| _KaszpiR_ | now pasted motd to murmur.ini, same problem |
| _KaszpiR_ | and i have changed php script to stripslashes |
| _KaszpiR_ | icedemo.php for murmur 1.1.x and murmur 1.2.x is just not very different |
| _KaszpiR_ | changes due to slice layout and forcing certain values to int, and thats all |
| _KaszpiR_ | but I have noticed that I had to add stripslashes to the new 1.2.x code, otherwise it was stuffed with excessive slashes |
| `Zuko | slicer: can you add "those" lines - http://isports.pl/~zuko/syf/screenshot1264713651.jpg , to default skin - http://isports.pl/~zuko/syf/screenshot1264713632.jpg ? |
| pcgod | `Zuko: Those lines are drawn depending on Qt's style engine and the Vista style has no lines (because every native treeview also has no lines) |
| --- Fri Jan 29 2010 |