IRC log of dig on 2012-04-03

Timestamps are in UTC.

00:10:49 [danbri]
danbri has quit (Remote host closed the connection)
02:07:56 [nunnun_away]
nunnun_away is now known as nunnun
02:16:21 [nunnun]
nunnun is now known as nunnun_away
02:37:28 [nunnun_away]
nunnun_away has quit (Ping timeout: 250 seconds)
02:41:47 [oshani]
oshani (~oshani@c-76-118-177-140.hsd1.ma.comcast.net) has joined #dig
04:26:36 [oshani]
oshani has quit (Quit: Mama nidi!)
06:21:24 [danbri]
danbri (~danbri@cpc6-aztw25-2-0-cust83.aztw.cable.virginmedia.com) has joined #dig
06:24:34 [rszeno]
rszeno has quit (Quit: Leaving.)
06:45:44 [melvster]
melvster (~melvin@p4FF96B53.dip.t-dialin.net) has joined #dig
07:43:25 [Deiu]
Deiu (~deiu@157.159.103.120) has joined #dig
07:43:25 [Deiu]
Deiu has quit (Changing host)
07:43:25 [Deiu]
Deiu (~deiu@unaffiliated/deiu) has joined #dig
08:51:51 [cheater_]
cheater_ (~cheater@p57AEB283.dip.t-dialin.net) has joined #dig
08:51:52 [cheater]
cheater has quit (Read error: Operation timed out)
09:50:28 [nunnun_away]
nunnun_away (~nunnun@2409:40:2000:1001::80:1) has joined #dig
09:51:00 [nunnun_away]
nunnun_away is now known as nunnun
09:52:22 [danbri]
danbri has quit (Remote host closed the connection)
10:27:36 [Deiu]
melvster, have you had any cases of people suddenly not being subscribed to public-rww@w3.org anymore?
10:28:03 [Deiu]
I just had to resub, after a long period of no longer receiving any mails (which was weird).
10:28:07 [melvster]
maybe occasionally yes
10:28:19 [melvster]
hmm strange ... perhaps we can report a bug
10:29:02 [Deiu]
it could be a filter on my part..so better wait and see what happens next
10:29:07 [melvster]
ok
10:29:15 [melvster]
Deiu: I'm making a list of linked data social systems
10:29:23 [melvster]
do you mind if i include yours?
10:29:37 [Deiu]
not at all, though I'm working on a total overhaul
10:29:52 [Deiu]
I guess you've already seen the "connections" part of it
10:30:01 [melvster]
yes looks really cool
10:30:07 [Deiu]
now I'm working on the profile generator
10:30:12 [melvster]
awesome
10:30:29 [melvster]
do you by any chance have a link to the source code?
10:30:39 [Deiu]
for connections?
10:31:01 [Deiu]
I will put it on github by the end of the week (I need to do some cleaning first)
10:31:13 [melvster]
just for the system .. in case others want to see how it works ... ah ok great ... I'll wait till then
10:31:37 [melvster]
what I'd like to do is put a list in the wiki
10:31:48 [melvster]
then we can look at how the different social systems interoperate
10:32:00 [Deiu]
it's a good idea
11:03:33 [bblfish]
bblfish has quit (Ping timeout: 265 seconds)
11:14:40 [RalphS]
RalphS (Ralph@30-7-118.wireless.csail.mit.edu) has joined #dig
11:15:48 [DIGlogger]
DIGlogger (~dig-logge@groups.csail.mit.edu) has joined #dig
11:15:48 [asimov.freenode.net]
topic is: Decentralized Information Group @ MIT http://dig.csail.mit.edu/
11:15:48 [asimov.freenode.net]
Users on #dig: DIGlogger RalphS nunnun cheater_ Deiu melvster tlr bergi_ manu-db amy kennyluck sandro mattl manu1 presbrey betehess Yudai__ ericP
11:29:47 [melvster]
Deiu: 2 down ... 10 to go :) http://www.w3.org/community/rww/wiki/Social_Systems
11:30:30 [Deiu]
melvster, I'm in the process of issuing new certs for my servers (and maybe relocate them to an EU hosting service)...
11:30:52 [melvster]
great
11:31:16 [Deiu]
they will probably be unavailable this week
11:31:18 [melvster]
i put Q2 2012 for a release date ... that's until the end of June ...
11:31:25 [melvster]
ah ok ... fair enough
11:31:39 [melvster]
I'll maybe send out a mail next week then
11:31:59 [melvster]
i think the main system that's working right now is ODS
11:33:06 [Deiu]
Yeah, but ODS is ugly :)
11:33:34 [melvster]
getting better all the time :) kingsley showed me the next version ... looks really nice ... twitter facebook linkedin integration etc.
11:36:45 [melvster]
i forgot about ontowiki
11:43:13 [oshani]
oshani (~oshani@c-76-118-177-140.hsd1.ma.comcast.net) has joined #dig
11:48:17 [oshani]
oshani has quit (Quit: Mama nidi!)
12:00:10 [oshani]
oshani (~oshani@c-76-118-177-140.hsd1.ma.comcast.net) has joined #dig
12:16:25 [oshani]
oshani has quit (Quit: Mama nidi!)
12:30:53 [nunnun]
nunnun is now known as nunnun_away
12:34:23 [nunnun_away]
nunnun_away is now known as nunnun
12:59:54 [oshani]
oshani (~oshani@w3cdhcp66.w3.org) has joined #dig
13:08:49 [RalphS]
RalphS has quit (Read error: Connection reset by peer)
13:09:27 [RalphS]
RalphS (Ralph@30-7-118.wireless.csail.mit.edu) has joined #dig
13:14:03 [oshani]
oshani has quit (Quit: Mama nidi!)
13:43:15 [Deiu]
melvster, I've just joined RWW btw
15:20:34 [melvster]
Deiu: awesome! :)
15:23:08 [cheater_]
cheater_ has quit (Ping timeout: 240 seconds)
15:49:11 [mhausenblas]
mhausenblas (~mhausenbl@wlan-nat.fwgal01.deri.ie) has joined #dig
15:52:40 [oshani]
oshani (~oshani@w3cdhcp66.w3.org) has joined #dig
16:01:55 [cheater]
cheater (~cheater@p4FD0E888.dip.t-dialin.net) has joined #dig
16:32:52 [cheater]
cheater has quit (Ping timeout: 250 seconds)
16:46:21 [cheater]
cheater (~cheater@g231044096.adsl.alicedsl.de) has joined #dig
17:10:28 [mhausenblas]
mhausenblas has quit (Quit: brb)
17:14:54 [Deiu]
Deiu has quit (Ping timeout: 260 seconds)
17:29:22 [oshani_]
oshani_ (~oshani@30-5-10.wireless.csail.mit.edu) has joined #dig
17:29:32 [oshani_]
oshani_ has quit (Client Quit)
17:30:42 [oshani]
oshani has quit (Read error: Operation timed out)
17:31:49 [oshani]
oshani (~oshani@30-5-10.wireless.csail.mit.edu) has joined #dig
18:41:03 [oshani]
oshani has quit (Quit: Mama nidi!)
18:46:43 [oshani]
oshani (~oshani@30-5-10.wireless.csail.mit.edu) has joined #dig
18:46:43 [oshani]
oshani has quit (Remote host closed the connection)
18:46:49 [oshani]
oshani (~oshani@w3cdhcp66.w3.org) has joined #dig
18:56:48 [oshani]
oshani has quit (Quit: Mama nidi!)
19:01:12 [scor]
scor (~scor@drupal.org/user/52142/view) has joined #dig
19:01:13 [scor]
scor has quit (Excess Flood)
19:01:40 [Guest47691]
Guest47691 (~scor@dhcp-132-183-242-94.mgh.harvard.edu) has joined #dig
19:32:58 [Deiu]
Deiu (~Deiu@2a01:e35:8b67:4160:8e89:a5ff:fe2a:24ea) has joined #dig
19:32:58 [Deiu]
Deiu has quit (Changing host)
19:32:58 [Deiu]
Deiu (~Deiu@unaffiliated/deiu) has joined #dig
19:34:21 [oshani]
oshani (~oshani@w3cdhcp66.w3.org) has joined #dig
20:13:56 [rszeno]
rszeno (~rszeno@79.114.105.92) has joined #dig
20:19:39 [RalphS]
RalphS has quit ()
20:24:11 [Deiu]
presbrey, ping
20:26:01 [presbrey]
hi Deiu
20:26:29 [Deiu]
Hey
20:26:51 [Deiu]
Any chance you might have 10 mins to help with an apache config issue?
20:27:06 [Deiu]
Been at it the whole day and still can't figure out what's wrong.
20:38:50 [presbrey]
sure with?
20:38:56 [presbrey]
can you paste what you have so far?
20:39:13 [Deiu]
Well, let me tell you what I'm trying to do.
20:40:08 [Deiu]
I have a <Location /auth> SSLVerifyClient optional_no_ca </Location> in my apache ssl config
20:40:34 [Deiu]
so that in theory only if I go to /auth, the server will ask for a certificate
20:41:28 [Deiu]
unfortunately, when I try to see what happens after I send the cert, I get this: $_SERVER["SSL_CLIENT_VERIFY"] FAILED:(null)
20:41:45 [Deiu]
however, the ssl handshake in apache succeeds
20:41:55 [Deiu]
logs here: http://my-profile.eu/logs/
20:43:47 [presbrey]
are you aware of ssl renegotiation?
20:44:03 [presbrey]
also can you tell me the full URL to /auth?
20:44:44 [Deiu]
yeah
20:44:51 [Deiu]
http://my-profile.eu/auth
20:44:59 [presbrey]
do you have control of the domain?
20:45:05 [Deiu]
yes
20:45:19 [Deiu]
actually, try with http://my-profile.eu/auth/test.php
20:45:31 [Deiu]
I'm doing a phpinfo() there
20:46:16 [Deiu]
If I'm not doing renegotiation (i.e. I put SSLVerifyClient optional_no_ca outside <Location>), it works just fine
20:46:16 [presbrey]
only the hostname and port are sent with SSL channel properties
20:46:35 [presbrey]
so I would recommend either my-profile.eu:444 or auth.my-profile.eu
20:46:45 [Deiu]
hmm
20:47:00 [Deiu]
bergi has it working though
20:47:02 [presbrey]
requiring renegotiation is highly client-dependent
20:48:14 [presbrey]
you can use a redirect from /auth if there are not already tokens saved for the user
20:48:58 [presbrey]
oh what Depth are you requiring?
20:49:02 [Deiu]
1
20:49:09 [Deiu]
that's the default
20:50:50 [presbrey]
I think the max (9?) is best for webid
20:51:03 [presbrey]
I am seeing SSL_CLIENT_CERT on your test page
20:51:29 [Deiu]
yeah
20:51:35 [Deiu]
that's not the problem
20:51:47 [Deiu]
and the logs show that the handshake was successful
20:52:15 [Deiu]
but somehow php doesn't agree, and it marks it as FAILED
20:52:24 [presbrey]
VERIFY should say SUCCESS or GENEROUS
20:52:27 [Deiu]
yeah
20:52:28 [presbrey]
but that comes from apache, not php
20:52:55 [Deiu]
then why does it say FAILED, with no indication in the logs?
20:53:45 [presbrey]
what does it say when you set SSLVerifyClient require?
20:54:49 [presbrey]
you can't depend on VERIFY for webid really, you need to verify it yourself
20:54:57 [Deiu]
Error 113 (net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH): Unknown error.
20:54:57 [presbrey]
are you using mod_authn_webid or verifying in php?
20:55:08 [Deiu]
php verification
20:55:13 [presbrey]
https://issues.apache.org/bugzilla/show_bug.cgi?id=45054#c1
20:56:17 [presbrey]
all you need for webID checking in PHP is the SSL_CLIENT_CERT key
20:57:05 [presbrey]
https://github.com/linkeddata/data.fm/blob/master/www/inc/webid.lib.php
20:57:37 [Deiu]
so just isset for contents?
20:58:15 [danbri]
danbri (~danbri@cable-146-255-148-108.dynamic.telemach.ba) has joined #dig
20:58:49 [Deiu]
meh, another weird issue is that even if I put SSLVerifyClient optional_no_ca inside <Location /auth>, I'm still being asked for a cert outside of /auth
21:03:48 [presbrey]
https://www.ssllabs.com/ssldb/analyze.html?d=my-profile.eu
21:03:56 [presbrey]
This server is vulnerable to the BEAST attack!
21:07:50 [Deiu]
cool
21:08:38 [presbrey]
remind me which host is bergi's?
21:09:18 [Deiu]
resourceme.bergnet.org
21:11:02 [Deiu]
weird, it's still vulnerable even after patching the config
21:12:01 [presbrey]
don't worry bergi's is also vulnerable to BEAST ;)
21:12:29 [Deiu]
It might be that I'm still using openssl <v.1
21:13:31 [Deiu]
even https://www.ssllabs.com is vulnerable
21:13:35 [Deiu]
screw it
21:13:40 [presbrey]
hahaha
21:13:50 [rszeno]
TLS 1.0 is default in debian, :)
21:14:12 [Deiu]
I've configured my apache install to only accept TLS1.0 +
21:14:15 [presbrey]
huh no www.ssllabs.com is not vulnerable
21:14:23 [presbrey]
are you looking at? https://www.ssllabs.com/ssldb/analyze.html?d=www.ssllabs.com
21:14:54 [Deiu]
ah no
21:15:08 [Deiu]
it was one of their servers though
21:15:27 [rszeno]
Deiu, you need TLS 1.2 for BEAST
21:15:43 [Deiu]
yeah
21:15:59 [Deiu]
well, my server still scores 87 (vs 85 of ssllabs)
21:16:07 [Deiu]
BEAST or no BEAST :)
21:16:22 [presbrey]
data.fm scores 91, no BEAST :)
21:16:30 [presbrey]
also TLS 1.0
21:16:54 [rszeno]
:)
21:17:14 [Deiu]
anyway, presbrey, any ideas why my server still asks for a cert even if it is only supposed to do it for /auth?
21:17:25 [Deiu]
it's doing it everywhere
21:17:49 [presbrey]
try putting a 'SSLVerifyClient none' in the parent virtualhost block
21:18:53 [rszeno]
htaccess? if is in main config will not ask for all subdirs in document root?
21:19:00 [presbrey]
also try using <Directory /var/www/auth> instead of the Location block
21:19:07 [Deiu]
ok
21:19:12 [Deiu]
no htaccess
21:19:35 [presbrey]
htaccess can be a good hack because it's set up so late
21:22:33 [Deiu]
not working
21:22:39 [Deiu]
tried with .htaccess too
21:23:07 [Deiu]
it's either enabled for the whole domain, or it's disabled
21:24:09 [rszeno]
htaccess or ssl?
21:24:20 [Deiu]
hmm?
21:24:50 [rszeno]
'enabled for whole domain' htaccess or ssl?
21:24:59 [Deiu]
ssl
21:25:30 [presbrey]
try separate vhost: auth.my-profile.eu
21:25:42 [rszeno]
you have a specific config for ssl in /etc/apache/site-available
21:25:42 [presbrey]
do you have SNI working on your server already?
21:25:44 [Deiu]
yeah, I will
21:27:51 [Deiu]
it's not that easy...I'm on a VPS
21:29:04 [rszeno]
if is vps you have root access, why is not easy?
21:29:20 [Deiu]
need to make the vps master for the domain
21:29:28 [Deiu]
(just switched to this VPS today)
21:32:14 [Deiu]
nvm, got it
21:35:56 [Deiu]
bah
21:36:04 [Deiu]
I need a new IP as well, to set up SSL
21:39:47 [rszeno]
you need a new ip?
21:40:10 [Deiu]
the server SSL cert is only valid for my-profile.eu
21:40:57 [rszeno]
why not a new cert?
21:41:21 [presbrey]
get wildcard *.my-profile.eu, it will be good for the root domain too
21:41:27 [Deiu]
I was under the impression that each cert requires a different ip
21:41:38 [presbrey]
not with SNI, since httpd 2.2
21:41:39 [Deiu]
presbrey, that stuff's $500+
21:42:20 [presbrey]
not from startssl.com, it's cheap
21:43:29 [Deiu]
yeah, I might go with startssl.com
21:43:43 [Deiu]
anyway, I'm going to go get some sleep now, too tired
21:43:46 [Deiu]
thanks a lot guys
21:45:35 [presbrey]
no problem
21:45:37 [rszeno]
thank you presbrey for links, :)
21:46:17 [Deiu]
Deiu has quit (Quit: Leaving)
22:08:12 [Guest47691]
Guest47691 has quit (Quit: Guest47691)
22:30:20 [nunnun]
nunnun is now known as nunnun_away
22:37:46 [scor]
scor (~scor@drupal.org/user/52142/view) has joined #dig
22:37:46 [scor]
scor has quit (Excess Flood)
22:45:04 [scor]
scor (~scor@drupal.org/user/52142/view) has joined #dig
22:45:06 [scor]
scor has quit (Excess Flood)
23:08:19 [melvster]
melvster has quit (Ping timeout: 252 seconds)