IRC log of dig on 2013-01-03
Timestamps are in UTC.
- 00:12:08 [melvster]
- melvster has quit (Ping timeout: 252 seconds)
- 01:02:26 [scor]
- scor (~scor@drupal.org/user/52142/view) has joined #dig
- 01:23:19 [scor]
- scor has quit (Read error: Connection reset by peer)
- 01:23:27 [scor]
- scor (~scor@drupal.org/user/52142/view) has joined #dig
- 05:14:22 [scor]
- scor has quit (Quit: scor)
- 08:38:27 [trueg_away]
- trueg_away is now known as trueg
- 08:43:29 [cheater]
- cheater has quit (Quit: leaving)
- 09:32:32 [jmvanel]
- jmvanel (~jmv@73.96.114.78.rev.sfr.net) has joined #dig
- 11:36:43 [melvster]
- melvster (~melvin@94.112.34.211) has joined #dig
- 12:06:42 [melvster]
- melvster has quit (Ping timeout: 272 seconds)
- 12:14:34 [Ralph_]
- Ralph_ (RSwick@w3cvpn1.w3.org) has joined #dig
- 12:14:48 [Ralph_]
- Ralph_ is now known as RalphS
- 12:21:22 [trueg]
- trueg is now known as trueg_away
- 12:54:16 [scor]
- scor (~scor@c-98-216-39-127.hsd1.ma.comcast.net) has joined #dig
- 12:54:16 [scor]
- scor has quit (Changing host)
- 12:54:16 [scor]
- scor (~scor@drupal.org/user/52142/view) has joined #dig
- 13:02:41 [timbl]
- timbl has quit (Ping timeout: 252 seconds)
- 13:16:57 [danbri_]
- danbri_ (~danbri@146.255.148.108) has joined #dig
- 13:22:42 [jmvanel]
- jmvanel has quit (Ping timeout: 272 seconds)
- 13:32:40 [rszeno]
- rszeno has quit (Quit: Leaving.)
- 13:35:01 [jmvanel]
- jmvanel (~jmv@deductions.pck.nerim.net) has joined #dig
- 14:11:11 [trueg_away]
- trueg_away is now known as trueg
- 14:22:02 [scor]
- scor has quit (Quit: scor)
- 14:44:02 [deiu]
- deiu (~andrei@2001:470:8b2d:7d4:d4e1:d99:5a6b:f55d) has joined #dig
- 14:44:02 [deiu]
- deiu has quit (Changing host)
- 14:44:02 [deiu]
- deiu (~andrei@unaffiliated/deiu) has joined #dig
- 15:19:48 [scor]
- scor (~scor@partners-f812c7.mgh.harvard.edu) has joined #dig
- 15:19:49 [scor]
- scor has quit (Changing host)
- 15:19:49 [scor]
- scor (~scor@drupal.org/user/52142/view) has joined #dig
- 16:03:23 [trueg]
- trueg has quit ()
- 16:20:48 [jmvanel]
- jmvanel has quit (Ping timeout: 244 seconds)
- 16:25:40 [trueg]
- trueg (~trueg@HSI-KBW-46-237-238-110.hsi.kabel-badenwuerttemberg.de) has joined #dig
- 16:34:01 [jmvanel]
- jmvanel (~jmv@73.96.114.78.rev.sfr.net) has joined #dig
- 16:40:44 [amy]
- amy has quit (Quit: restart)
- 16:46:29 [amy]
- amy (~amy@2001:470:8b2d:7d4:fa1e:dfff:fed6:2b66) has joined #dig
- 16:46:33 [scor]
- deiu: looking at WebIDauth, it requires giving PHP access to the server's SSL private key (server.key). this precious key is normally not accessible to any user on the server. do you typically copy it somewhere PHP can access it (but not in the web space), or do you loosen the permissions on the path to /etc/ssl/private/server.key?
- 16:46:34 [amy]
- amy has left #dig
- 16:47:40 [deiu]
- scor, it doesn't have to be the server's key
- 16:48:35 [deiu]
- it only needs to be a key pair out of which the public key is shared with other services using the IDP
- 16:49:12 [scor]
- deiu: the comment says: "// private key belonging to server's SSL certificate"
- 16:50:00 [deiu]
- hmm, I might have put that comment when I was working on it locally
- 16:50:28 [scor]
- so if what you say is true, it is good, as otherwise it would put the whole SSL layer at risk (the one used for https)
- 16:50:38 [deiu]
- btw, the key is only needed when you run it as an IDP service
- 16:50:50 [deiu]
- run*
- 16:50:56 [scor]
- yes, like on http://auth.my-profile.eu/ right?
- 16:50:59 [deiu]
- yes
- 16:51:16 [deiu]
- the HTTP cert needs _not_ be used for the IDP
- 16:51:21 [scor]
- sure, that's what WebIDauth is for, WebIDauth is not necessary otherwise
- 16:51:37 [deiu]
- you can still use it for local auth
- 16:51:39 [scor]
- I would say SHOULD NOT :p
- 16:51:58 [scor]
- what do you mean by that?
- 16:52:46 [amy]
- amy (~amy@2001:470:8b2d:7d4:fa1e:dfff:fed6:2b66) has joined #dig
- 16:53:17 [scor]
- deiu: "the HTTP cert needs _not_ be used for the IDP" it's probably best to generate a new cert key pair for the purpose of the IDP, instead of using the one used by the server for regular https <-- this is a good summary / recommendation right?
- 16:57:22 [scor]
- deiu: what did you mean with "you can still use it for local auth" ?
- 16:57:34 [jmvanel]
- jmvanel has quit (Ping timeout: 276 seconds)
- 16:59:22 [deiu]
- yes for #1
- 16:59:53 [deiu]
- #2 I meant that you can use it to authenticate users for your app, without going through an IDP
- 17:00:33 [deiu]
- but this also means that your server will require the client cert for each request
- 17:00:39 [deiu]
- (which is not bad)
- 17:04:26 [scor]
- deiu: so to be clear, #2 is: you can use the private key of the server SSL cert if you only perform auth against that server, and not in a delegated auth scenario
- 17:08:48 [scor]
- deiu: I was trying WebIDauth last night on an ubuntu 12.10 VM, and FF and Chrome were giving different errors. chrome says FATAL: [SSL Error] TLSv1 required. (found TLSv1.1) - but FF does not complain about that
- 17:28:53 [melvster]
- melvster (~melvin@p4FF97AF4.dip.t-dialin.net) has joined #dig
- 17:35:21 [danbri_]
- danbri_ has quit (Remote host closed the connection)
- 17:48:33 [deiu]
- I thought I relaxed a bit the TLS requirements
- 17:48:40 [deiu]
- I'll look at it today
- 17:49:27 [deiu]
- scor, about #2, you don't need a private key if you authenticate local requests
- 17:49:54 [deiu]
- the private key is _only_ used when WebIDauth acts as an IDP, to sign the redirect request
- 17:51:20 [scor]
- ah, so that means that if all I want is to authenticate in my WebIDauth service, I could skip the private key thing (as an exercise during debugging)
- 17:57:15 [trueg]
- trueg is now known as trueg_away
- 18:02:58 [danbri_]
- danbri_ (~danbri@cable-146-255-148-108.dynamic.telemach.ba) has joined #dig
- 18:05:27 [scor]
- deiu: I'm trying to see why my local instance of WebIDauth isn't asking me for a cert… if I point chrome to http://auth.my-profile.eu/, it offers cert selection and lets me in, but if I do the same to my local VM, it just says FATAL: [Client Error] You have to provide a certificate!
- 18:07:05 [scor]
- ok, so first of all, you are saying that "FATAL: [SSL Error] TLSv1 required. (found TLSv1.1)" is just a warning and will not prevent the rest of the auth to happen, right? so I can safely ignore it for now?
- 18:21:39 [danbri_]
- danbri_ has quit (Remote host closed the connection)
- 18:30:49 [deiu]
- no, actually it's a FATAL error
- 18:31:01 [deiu]
- but that's not the issue I guess
- 18:31:12 [deiu]
- I'll remove that check for now
- 18:31:25 [deiu]
- you still need to config the web server to ask for a certificate
- 18:31:40 [deiu]
- btw, why don't you use the VM image I made for MyProfile
- 18:31:46 [deiu]
- it comes with everything preinstalled
- 18:35:28 [deiu]
- scor, http://www.cloudiway.com/download/MyProfile/MyProfile.ova
- 18:35:55 [scor]
- deiu: I didn't know about that image!
- 18:36:11 [danbri_]
- danbri_ (~danbri@cable-146-255-148-108.dynamic.telemach.ba) has joined #dig
- 18:36:42 [scor]
- ok, I managed to get my server to ask for a cert now, and I choose my MyProfile cert, and then get FATAL: No ownership! Could not verify that the client certificate's public key matches their private key
- 18:37:16 [scor]
- this cert was generated from myprofile.eu
- 18:38:32 [deiu]
- weird
- 18:38:37 [scor]
- that is with ?verbose=on of course
- 18:38:42 [deiu]
- yeah
- 18:39:01 [deiu]
- btw, are you doing this as a side project?
- 18:39:04 [scor]
- deiu: could it be that my server is not set up properly to do SSL handshake etc.?
- 18:39:08 [scor]
- ??
- 18:39:22 [scor]
- yeah, it's not for my main work if that's what you mean
- 18:39:33 [scor]
- it's for the Drupal integration
- 18:39:46 [deiu]
- ah ok, because I can provide in-person assistance today (before I leave tomorrow)
- 18:40:06 [scor]
- ah really? I could come to your office if you have time
- 18:40:11 [scor]
- later today
- 18:40:14 [deiu]
- sure
- 18:40:20 [scor]
- ok, what time?
- 18:40:32 [deiu]
- I'll be around until 5:30-6:00pm
- 18:40:39 [deiu]
- whenever you want (even now)
- 18:40:53 [scor]
- ok, I'll come around in a couple of hours. when do you leave tomorrow?
- 18:40:55 [deiu]
- I have nothing in particular that needs doing right now
- 18:41:06 [deiu]
- in the evening
- 18:41:14 [scor]
- ok
- 18:41:29 [deiu]
- tomorrow I'll be at MIT until 6pm probably
- 18:41:40 [scor]
- great, I might come tomorrow as well :)
- 18:41:52 [deiu]
- cool
- 18:41:54 [scor]
- thanks for your help deiu and see you soon
- 18:42:01 [deiu]
- I'll try to patch WebIDauth today
- 18:42:02 [melvster]
- deiu: sounds like you had a productive visit, might be awesome to round it off with a drupal integration! :)
- 18:42:10 [scor]
- lol
- 18:42:31 [deiu]
- melvster, indeed! more stuff will be revealed soon, so stay tuned!
- 18:42:31 [scor]
- deiu: yeah, if you can fix the TLSv1 error for a start that would be great
- 18:42:47 [scor]
- I'm surprised nobody experienced it before.
- 18:43:03 [deiu]
- scor, you're using TLSv1.1 > TLSv1
- 18:43:17 [scor]
- from the comment in the code, 1.1 should work too since it's > 1
- 18:43:27 [deiu]
- not sure
- 18:43:28 [scor]
- / check for desired protocol (TLSv1 at least)
- 18:43:30 [deiu]
- I'll look into it
- 18:43:46 [deiu]
- but actually, I don't care about it in WebIDauth
- 18:43:55 [deiu]
- the web server will do the handshake first anyway
- 18:44:08 [deiu]
- I'll just remove that check
- 18:44:38 [melvster]
- ot: http://www.wired.com/gadgetlab/2013/01/leap-motion-asus/
- 18:45:17 [deiu]
- melvster, I really want to get my hands on LEAP :)
- 18:47:05 [trueg_away]
- trueg_away is now known as trueg
- 18:49:42 [deiu]
- scor, I've removed the TLSv1 check
- 18:51:09 [scor]
- deiu: thanks
- 19:01:31 [timbl]
- timbl (~timbl@200.7.52.34) has joined #dig
- 19:17:12 [danbri_]
- danbri_ has quit (Remote host closed the connection)
- 19:55:26 [trueg]
- trueg is now known as trueg_away
- 20:04:58 [danbri]
- danbri (~danbri@cable-146-255-148-108.dynamic.telemach.ba) has joined #dig
- 20:07:11 [rszeno]
- rszeno (~rszeno@79.114.18.202) has joined #dig
- 20:21:02 [melvster1]
- melvster1 (~melvin@p5797F8D9.dip.t-dialin.net) has joined #dig
- 20:22:14 [melvster]
- melvster has quit (Ping timeout: 240 seconds)
- 20:41:29 [scor]
- deiu: on my way!
- 20:44:06 [scor]
- scor has quit (Quit: scor)
- 21:03:42 [scor]
- scor (~scor@31-33-229.wireless.csail.mit.edu) has joined #dig
- 21:03:42 [scor]
- scor has quit (Changing host)
- 21:03:42 [scor]
- scor (~scor@drupal.org/user/52142/view) has joined #dig
- 21:15:15 [danbri]
- danbri has quit (Ping timeout: 248 seconds)
- 21:17:35 [RalphS]
- RalphS has quit ()
- 21:30:59 [jmvanel]
- jmvanel (~jmv@139.239.24.109.rev.sfr.net) has joined #dig
- 21:36:59 [cheater__]
- cheater__ (~cheater@p4FD0EDBE.dip.t-dialin.net) has joined #dig
- 21:53:41 [scor]
- scor has quit (Quit: scor)
- 22:00:42 [deiu]
- deiu has quit (Quit: Leaving)
- 22:04:20 [cheater__]
- cheater__ has quit (Quit: leaving)
- 22:04:45 [cheater__]
- cheater__ (~cheater@p4FD0EDBE.dip.t-dialin.net) has joined #dig
- 23:11:34 [timbl]
- timbl has quit (Quit: timbl)