<pcgod> slicer: yes it was a quick hack and doesn't work if your server cert is not the ca cert ;)
<pcgod> (or you concat them in the correct order...)
<slicer> Atritas: As far as I can see from that patch, it should restrict users to the CA the server uses.
<DireFog> Atritas: you'd have to somehow modify the SSL context it's all based on to use a different certificate store, I guess Qt just uses the default
<DireFog> can't find anything on cert store configuration in Qt
<slicer> DireFog: First read patch, then comment. Not vice versa :)
<Atritas> slicer: Well i tried passing along another valid cert including its CA in the client, which also resulted in a successful login.
<DireFog> slicer: I read the patch
<pcgod> DireFog: there is a way to change the CA cert store in Qt (and we are doing that already) ;)
<Atritas> slicer: So it seems (at least to my understanding), that the server takes the CA provided in the client PKCS12 file as well.
<DireFog> ah that
<Atritas> (or any CA in /etc/ssl/certs/ca-certificates.crt)
<slicer> Atritas: No, it should only allow those you have configured in your murmur.ini file.
<Atritas> slicer: That's my server cert.
<Atritas> slicer: My CA has no FQN as CN.
<metalfan_> hi
<Atritas> *FQDN
<Atritas> But ok, other way 'round :-) Is something like this scenario planned/realistic for private servers?
<pcgod> (It should work if your server cert is signed by the CA and you add the CA cert to the server cert... but I never tried if it does)
<Atritas> pcgod: Order important?
<DireFog> "It can be modified prior to the handshake (...)" SSL error: Feeling blue ;_;
<pcgod> Atritas: yes
<Atritas> pcgod: Nope, sorry... It either doesn't work at all with the error (The root certificate of the certificate chain is self-signed, and untrusted (10)) or if i disable this error it allows login with both certs from "my" CA and any other PKCS12 certificate which provides its own CA client-side.
<Atritas> I don't get the error, though... The root certificate (e.g. CA) is self-signed by design, isn't it?
<DireFog> should be
<DireFog> the only alternative would be unsigned roots
<Atritas> ...or using intermediate CAs, which would cause more trouble than it's worth i presume.
<Atritas> *If* you stop checking the chain at this point that is ...
<Atritas> But still... I don't understand why a client-provided CA supersedes the one on the server.
<DireFog> the *root* certificate can't really have a different signer according to the definition of "root"
<Atritas> granted :)
<Atritas> Still, i just can't seem to enforce one particular CA only... Any more ideas?
<CIA-9> slicer * r8b90d2e56b50 /src/mumble/ (5 files): Show tooltip warning in rich text editor when over message limits
<DireFog> Atritas: judging by source code I'm now reading for the first time ever, using that hack and appending the CA cert to the server cert file should do the trick
* DireFog *so* does not like hungarian prefix notation
<MorgyN> Hmm, what's the software you use to find offsets?
<MorgyN> for the positional plugins
<Atritas> DireFog: No, unfortunately it doesn't. I still either get the "self-signed cert in chain" error message when "case QSslError::SelfSignedCertificateInChain:" is commented in Server.cpp. If i remove the comments, login is allowed, but also for users who provide their own CA when importing in the client.
<DireFog> openssl documentation is so ugly
<DireFog> "Currently no detailed documentation on how to use the X509_STORE object is available."
<DireFog> great
<DireFog> ahhh Atritas, are you sure you get all necessary certs for verification from the client?
<Atritas> DireFog: Well, pretty... I generated them for testing, one PKCS12 with the full chain up to the CA, one without.
<Atritas> 2 sets of certs, one with my CA, one with another test-CA (which should be rejected)
<DireFog> I found an old-ish and apparently unfixed OpenSSL bug that results in a self-signed cert error under some circumstances, but that's only for the s_client part of the commandline tool
<Atritas> The "good" CA is also in /etc/ssl/certs/ca-certificates.crt (or the MS-Store whatever it's called). The "bad" CA is in neither store.
<Atritas> As far as i know "s_client" is only for testing/connecting to SSL/TLS enabled services.
<Atritas> Thing is as soon as only the client has a CA it's seen as a valid cert by the server as far as i can deduce from the behaviour.
<DireFog> the library error that the self-signed error maps to is probably "the certificate chain could be built up using the untrusted certificates but the root could not be found locally."
<DireFog> I guess it's time to do print debugging on qlCA ;-)
<Atritas> According to http://qt.nokia.com/doc/4.6/qsslerror.html i'm falling through trapdoor number 10 on the unmodified patch.
<DireFog> yep
<Atritas> Allowing that one renders every CA as valid.
<DireFog> and with OpenSSL, that likely maps to http://www.openssl.org/docs/apps/verify.html#item_19 on the library level
<DireFog> still, if I read the code correctly, the server should add *all* certificates in the server cert file to the SSL certificate store, and make them locally trusted
<Atritas> Neither reversing the order of CA and server cert nor adding the CA to the global store changes this behaviour.
<DireFog> order shouldn't matter. the server looks for the cert that the server key belongs to and uses that pair, the rest goes into qlCA
<Atritas> Could it be because of the "add/setCaCertificates" part?
<DireFog> if you use set, it should trust the (root) certs in the server config
<Atritas> It is "set" now.
<pcgod> there is a sslca option, but it only adds to the default cert store... you could try to change the cert store to an empty dir (i think we have a compile time option to change the cert store) and then add your own ca cert via sslca ...
<Atritas> During the SSL handshake the client sends its certificate. Does it send its CA (if bundled) also and is it possible that the server incorporates that CA (by accident or on purpose)?
<pcgod> (and revert the add -> setcacert part of the patch)
<Atritas> There is? Undocumented i presume :-)
<DireFog> just found it too
<DireFog> with NO_SYSTEM_CA_OVERRIDE defined, you apparently nuke the code handling the system cert store
<Tecfan> dD0T, you run MD on windows?
<pcgod> ... and use qt's builtin default cert store :)
<DireFog> that has one too?!?
<DireFog> I guess in murmur/main.cpp you could just replace the call to MumbleSSL::addSystemCA() by a call to QSslSocket::setDefaultCaCertificates with an empty list
<DireFog> MulderSSL: I want to believe!
<DireFog> QSslSocket::setDefaultCaCertificates(QList<QSslCertificate>()); // and see if it still believes in anything
<Dessous> if I have sslCert=cer, sslKey=key and certrequired=True in murmur.ini, is all traffic between the clients and my server then encrypted in SSL?
<DireFog> it's always encrypted, your setup also enforces authentication
<Dessous> Really? I did not know that
<DireFog> Feature Request: Steal Kopete contact list with inline user comments
<kRush> anyone care to write a native munin plugin? or is there one that I missed?
<Atritas> DireFog: It seems that murmur doesn't believe in packaged CAs anymore, but the option sslCA=... doesn't seem to be honored either.
<DireFog> I guess it's both hell to maintain
<DireFog> wits OS cert store you usually get updates
<DireFog> with*
<Atritas> Well... For me only one CA counts to keep the server private and access-control maintainable, but optimally i guess it would make sense to have some sort of On/Off switch.
<Atritas> Unfortunately adding the CA to the server cert doesn't work either. So i think we officially broke the handshake :-)
<DireFog> post a feature request to add an option like "sslTrustSystemCAs" that disables the system store and just accepts certs signed by the same CA as the server cert
<DireFog> dunno, I just started looking at the source an hour ago
<Atritas> hehe... That would have been my next question: Is it even realistic that such a feature would be implemented?
<Atritas> Anyway... I'd like to express my thanks to all of you who tried to help, made suggestions and had ideas. Thank you very much!
<Ogoor> set some channel modes to allow only authed clients to join
<_KaszpiR_> or flag to block channel ctcp
<AnnuitCoeptis> does murmur support IPv6? if so, can I put both an IPv4 and IPv6 address in the murmur.ini?
<pcgod> AnnuitCoeptis: yes
<AnnuitCoeptis> pcgod: thank you! What format do I put both addresses in? separated with a semi-colon?
<AnnuitCoeptis> I am really excited to do IPv6 mumble!
<AnnuitCoeptis> Comcast is rolling out IPv6 (beta) very soon they say
<AnnuitCoeptis> and our hosting company is implementing IPv6 at the end of this month
<pcgod> AnnuitCoeptis: host= is space separated
<AnnuitCoeptis> space separated, excellent!
<AnnuitCoeptis> thank you
<slicer> AnnuitCoeptis: Note that IPv6 uses considerably more bandwidth :)
<_KaszpiR_> hmm i can't get styles nor html links to work in murmur motd
<pcgod> _KaszpiR_: What happens?
<_KaszpiR_> changing motd via ice and it shows in client as plain text, only bold works
<The_SLain_MAn> slicer: why does it use more bandwidth?
<slicer> The_SLain_MAn: IPv6 headers are much longer :)
<pcgod> _KaszpiR_: make sure that all tags are closed
<_KaszpiR_> pcgod if they would be broken then bold would not work either
<pcgod> _KaszpiR_: which client version?
<The_SLain_MAn> slicer: ahh, forgot that, how much difference is it?
<_KaszpiR_> E817EE
<_KaszpiR_> teid also previous build
<_KaszpiR_> *ried
<slicer> The_SLain_MAn: IIRC, the IPv6 header is 40 bytes vs 20 for IPv4. At 100 packets/sec, that adds up :)
<pcgod> _KaszpiR_: could you post the text that doesn't work?
<_KaszpiR_> http://kaszpir.ampaste.net/m273b028f
<fwaggle> pcgod: host= is space separated, can i bind to multiple ips that way?
<fwaggle> multiple ipv4s that is
<_KaszpiR_> lol guys you got typo in the README file
<_KaszpiR_> it is sourcforge
<_KaszpiR_> missing e letter ;D
<pcgod> fwaggle: should work, yes
<pcgod> _KaszpiR_: http://imgur.com/dnQuV.png
<pcgod> (font sizes are different in a browser but everything else seems to work)
<_KaszpiR_> hm
<fwaggle> pcgod: doesn't seem to work on a 1.1 server :(
<_KaszpiR_> http://kaszpir.hlds.pl/mumble/murmur.motd.issue.png
<pcgod> fwaggle: I think it's 1.2.x only
<_KaszpiR_> pcgod motd on 1.1.x works okay, but i got problems with 1.2.1
<_KaszpiR_> server 1.2.2
<_KaszpiR_> jan 19 2010
<pcgod> _KaszpiR_: 1.2.2 server and latest snapshot client here
<_KaszpiR_> same
<fwaggle> pcgod: it does however completely solve my solution with 1.2 servers
<fwaggle> thanks a ton for your unintentional help ;D
<_KaszpiR_> in addition, after server restart, polish special chars in comments are improperly displayed, again
<_KaszpiR_> moreover i got note about the open file descriptors limit when user is unlimited
<_KaszpiR_> (but i gotta check that in more detail, maybe i have set up some stuff in kernel anyway)
<Polarina> When is 1.2.2 to be released?
<_KaszpiR_> when it's released
<_KaszpiR_> fuck me, facepalm
<_KaszpiR_> it makes you want to walk out of the cinema
<Polarina> In the .ini file, would: hosts=::1 127.0.0.1  work?
<pcgod> _KaszpiR_: If I copy your welcome message to a comment and restart the server, everything still looks the same
<_KaszpiR_> channel comments, not motd
<pcgod> (maybe because it has all special chars html encoded...)
<fwaggle> Polarina: i would think that would work
<_KaszpiR_> hmm maybe i should paste motd to murmur.ini instead of using icedemo.php ;)
<Polarina> fwaggle, :D
<pcgod> _KaszpiR_: I used Ice to set the welcome message (but not icedemo.php) :)
<pcgod> maybe the php script changes " to \" ...
<_KaszpiR_> now pasted motd to murmur.ini, same problem
<_KaszpiR_> and i have changed php script to stripslashes
<_KaszpiR_> icedemo.php for murmur 1.1.x and murmur 1.2.x is just not very different
<_KaszpiR_> changes due to slice layout and forcing certain values to int, and that's all
<_KaszpiR_> but i have noticed that i had to add stripslashes to the new 1.2.x code, otherwise it was stuffed with excessive slashes
<`Zuko> slicer: can you add "those" lines - http://isports.pl/~zuko/syf/screenshot1264713651.jpg , to default skin - http://isports.pl/~zuko/syf/screenshot1264713632.jpg ?
<pcgod> `Zuko: Those lines are drawn depending on Qt's style engine and the Vista style has no lines (because every native treeview also has no lines)
--- Fri Jan 29 2010
Generated by irclog2html.pl 2.1mg by Jeff Waugh