Gajim - 2017-07-13


  1. SaltyBones x)
  2. SaltyBones trying to make my mom use the windows installer
  3. SaltyBones even installing is too complicated
  4. kent1094 hello everyone, we have some issues with http_upload module in Prosody in interop mode {different Clients, Android=Conversation, Linux=Gajim (0.16.8), iOS=ChatSecure (4.1.0) }! From conversation client to conversation client we can use the http_upload just fine. As soon as we use the other clients, we get a "cert-error". We are currently running prosody-0.10.405 on self-signed certs. Somehow gajim is responding with cert-error. Does anybody know why?
  5. kent1094 hello everyone, we have some issues with http_upload module in Prosody in interop mode {different Clients, Android=Conversation, Linux=Gajim (0.16.8), iOS=ChatSecure (4.1.0) }! From conversation client to conversation client we can use the http_upload just fine. As soon as we use the other clients, we get a "cert-error". We are currently running prosody-0.10.405 on self-signed certs. Somehow gajim is responding with cert-error. Does anybody know why?
  6. Link Mauve kent1094, do you have more information than this “cert-error”?
  7. Link Mauve It sounds like your certificate isn’t valid, said like that.
  8. silvajorge782 Hello Mr and Mrs We are a special association named ' Silva Maria Finance ' and we grant loans between 1000 € to 300 000 € to individuals and we are also specialized in the allocation of international financing to the holders of serious projects, responsible and able to repay. We grant our financial services without discrimination of religion, race and sex. We finance the following projects: trade, transport, industry, hotels, real estate, crafts, SMEs, agriculture, livestock and others. We grant our financing under an interest rate of 3% a year with a possibility of granting a grace period for the reimbursement. For more details, please contact us: Enamel: mariajorgesilva782@gmail.com Thank you so much for trusting us.
  9. kent1094 @Link Mauve: sorry at the moment I'm not able to reproduce the error because of the lack of a testing machine! Will answer as soon as I've received the correct error
  10. lovetox kent1094, you cannot use httpupload in gajim with self-signed certs at the moment
  11. lovetox sorry
  12. Link Mauve kent1094, use Let’s Encrypt if you want a valid certificate, it’s the best solution currently.
  13. lovetox correction: you can use gajim with a self-signed cert
  14. lovetox but you have to add the cert manually to your system cert trust store
  15. lovetox gajim depends on your system's trust store
  16. Link Mauve Given how easy it is to have a valid certificate that will work on the entire network, it’s not useful to bother with that imo.
  17. lovetox in general if you have a server on the internet I agree, also some servers will not talk to you if you don't have a valid cert
  18. lovetox I just don't know, maybe there are use cases in company networks
  19. lovetox where they would use self-signed stuff
  20. Link Mauve Not really, no.
  21. Link Mauve At worst you will have your own CA, but with LE that’s not useful anymore.
  22. Holger I think it's often considered useful in company networks not to trust a CA you don't control. But your own CA would *usually* be in the system's trust store of course.
  23. Link Mauve Yes.
  24. kent1094 @lovetox super thanks for the answer
  25. kent1094 @Link Mauve: thx as well
  26. kent1094 yes we currently use it for company-in-house conversation only.
  27. SaltyBones actually, I think for what holger said it would make sense to explicitly set trust in gajim
  28. SaltyBones because the certs that are trusted for browsing might be many more than the ones trusted for jabber
  29. lovetox we have this system with trusting CAs so we don't have to trust each and every cert
  30. lovetox Gajim creating its own system-independent cert store
  31. lovetox is total overkill in my opinion and really a super geek feature
  32. lovetox the easy solution for this would be, to acquire the cert at connection and compare with the fingerprint that the user already trusted for his server
  33. lovetox but sadly I found no way with Python's urllib lib, to get the cert or even a fingerprint when connecting to a server
  34. lovetox it might be possible, if you want to get into that :)
  35. skyfya kent1094: yesterday i had the same SaltyBones
  36. skyfya Sorry wrong Channel
  37. bot Philipp Hörist pushed 2 commits to branch _refs/heads/master_ of _gajim-plugins_ <https://dev.gajim.org/gajim/gajim-plugins>: *1336c618* <https://dev.gajim.org/gajim/gajim-plugins/commit/1336c618170cb9c5181eca98d490071edd314b84> [omemo] Pass cleaned up stanza to callback Fixes #218 *aecbfec2* <https://dev.gajim.org/gajim/gajim-plugins/commit/aecbfec2b1a8e45ee0c0ca92ce1d41e5d5b54707> [omemo] Update CHANGELOG & manifest.ini
  38. SaltyBones lovetox, can I run something by you?
  39. lovetox yeah of course
  40. SaltyBones I would like to change the ssl behavior such that there is a warning when SSL connections fail but it never connects insecurely unless an option is explicitly changed in the advanced settings.
  41. SaltyBones Right now I think the behavior is somewhat confusing and errs too much on the side of "connect anyway"
  42. SaltyBones Also, I think a connection that fails because of bad ssl should be retried instead of set to manually disconnected.
  43. SaltyBones Because that happens with all those web-sign-in hotspots.
  44. lovetox it does not connect insecurely on an SSL fail
  45. lovetox where are you getting this
  46. SaltyBones well, what it does is it pops up a warning
  47. SaltyBones that has 2 checkboxes, 1 for warnings and 1 for connect anyway
  48. SaltyBones and then it also has an okay and cancel button
  49. lovetox this pops only up if "plain" is a connection type you want to consider on your account
  50. lovetox which is per default not enabled
  51. lovetox it seems you have an old config, and when we changed this, it seems the config migration did not work
  52. SaltyBones erh...what?
  53. SaltyBones no this is the git version in a new vm with a new account :)
  54. lovetox ah I know what you mean
  55. lovetox I thought with insecure you mean plain
  56. lovetox but that's a bit of an overstatement
  57. lovetox an ssl error does not mean your connection is insecure
  58. lovetox it depends what the error is
  59. lovetox so about what error are we talking?
  60. lovetox probably not valid cert
  61. SaltyBones in this case it was missing ssl
  62. lovetox you mean you didn't have pyopenssl installed?
  63. SaltyBones yeah
  64. SaltyBones But I think a regular user should not choose between different ssl errors...
  65. SaltyBones people will always click on "do it anyway" if they can
  66. lovetox people will have pyopenssl installed, as it should be a dependency in the package in the repo of your distribution
  67. lovetox but yeah it's unfortunate that we have 2 ssl implementations
  68. SaltyBones we do?
  69. lovetox I still don't know what exact warning you get, maybe you can provide a screenshot
  70. lovetox https://dev.gajim.org/gajim/python-nbxmpp/blob/master/nbxmpp/tls_nb.py
  71. lovetox here nbxmpp has two wrappers
  72. lovetox one around python std lib
  73. lovetox and one around pyopenssl
  74. lovetox the std lib says it's insecure
  75. SaltyBones http://imgur.com/a/uxFOo
  76. lovetox I believe this stems from very old python versions, where the ssl lib was not as good
  77. lovetox you could probably accomplish the same today with the std lib
  78. SaltyBones so this pops up even when you don't have connection plain in the allowed types
  79. SaltyBones but it probably almost never happens because people have ssl
  80. lovetox yeah that's definitely not good
  81. lovetox though I'm more in favor of just not connecting at all; if plain is not in allowed types, just quit with an error message
  82. lovetox what do you have in connection types?
  83. SaltyBones so we have the connection type that should prevent non-ssl connections in general, we have action_when_plaintext_connection and warn_when_insecure_password and warn_when_insecure_ssl_connection and ignore_ssl_errors...how are these all supposed to work together? :)
  84. lovetox ignore ssl errors is a list
  85. lovetox when you get an ssl error you can choose to ignore that specific error in the future
  86. lovetox then it's added to the list
  87. lovetox warn when insecure ssl connection, is when you get ssl errors
  88. SaltyBones so we have the connection type that should prevent non-ssl connections in general, we have action_when_plaintext_connection and warn_when_insecure_password and warn_when_insecure_ssl_connection and ignore_ssl_errors...how are these all supposed to work together? :)
  89. lovetox what you posted is not an ssl error, it's no ssl error at all
  90. SaltyBones so we have the connection type that should prevent non-ssl connections in general, we have action_when_plaintext_connection and warn_when_insecure_password and warn_when_insecure_ssl_connection and ignore_ssl_errors...how are these all supposed to work together? :)
  91. lovetox SaltyBones, you posted now 3 times the same message
  92. SaltyBones impressive
  93. lovetox this should generally not happen
  94. lovetox did you really send it, or did you reconnect?
  95. SaltyBones that was manual
  96. lovetox ah ok
  97. SaltyBones I think...
  98. SaltyBones it didn't show
  99. SaltyBones on any of my devices
  100. SaltyBones then reconnecting failed for magical reasons
  101. SaltyBones whatever...
  102. SaltyBones so, should I just remove everything from that dialog except the ok button and change the message to something like "change in advanced config editor if you really want to connect insecurely"?
  103. lovetox does it connect if you don't have plain in your allowed types?
  104. lovetox even if you click "connect anyway"
  105. lovetox ?
  106. SaltyBones yes
  107. lovetox then I would start finding out why it ignores the chosen connection types
  108. lovetox that's the first thing we should fix
  109. SaltyBones ok
  110. lovetox because I feel it's a disaster if there are code paths that can ignore the allowed types
  111. SaltyBones sure
  112. lovetox I bet it sets the config to plain on ok
  113. lovetox but would be good to know for sure
  114. SaltyBones no, it just accepts the connection
  115. lovetox ah it sets the config, when you click "don't ask me again"
  116. SaltyBones yeah, then it sets warn_when_insecure_ssl_connection to false
  117. lovetox so what do you propose we do here instead
  118. SaltyBones have to figure out how the usual connection type check works first
  119. SaltyBones actually in this case
  120. SaltyBones I'd say we show an error and fail and tell people to change the advanced config if they really don't want to install ssl, right?
  121. lovetox I don't like that, when the user then adds plain to his connection types,
  122. lovetox that it's a gamble what gajim actually uses if both are available later
  123. lovetox what if we fail just with the error that gajim can't connect via TLS
  124. lovetox and add a checkbox under Account -> Connection
  125. lovetox "Connect plain"
  126. lovetox if this is set gajim will always connect plain until it's unchecked
  127. lovetox with that I think the code will be much simpler: just check if the option is set, then no warning etc., just connect plain
  128. lovetox we don't have to try tls, then fallback etc
  129. lovetox then it's just TLS or Plain, depending on the checkbox, no fallbacks, no cases of if that's then that etc