Re: [prosody-dev] [ANN] Prosody 0.9.2 released!
Build the certs at first run and stick them in /var/prosody (or wherever
prosodyctl sticks them) and use certs from /etc in preference to the ones
in /var/prosody when they exist?

-Etan

On Fri, Jan 10, 2014 at 1:45 PM, Matthew Wild wrote:
> Hi Lonnie,
>
> On 7 January 2014 18:51, Lonnie Abelbeck wrote:
>> Hi Matthew,
>>
>> I built 0.9.2 and see the certs get generated. Of course we remove them
>> anyway.
>>
>> Question, what is your reason for generating certs vs. let developers/users
>> handle that outside of prosody? Aren't you still setting up the risk of
>> private keys getting distributed?
>
> Hmm, right - it's possible that packages could still generate
> certificates at build time, and distribute binary packages containing
> these certificates. The correct thing for packages to do is to pass
> --no-example-certs to ./configure now (I've just documented this at
> https://prosody.im/doc/packagers#section09 ).
>
> There is a balance to strike, and it's a tough one. I can't
> immediately see a way to automatically prevent packagers from making
> this mistake, except by removing all forms of automatic cert
> generation, which would inconvenience users building from source.
> Perhaps now we have prosodyctl able to generate certificates, this
> isn't terrible. More thought required.
>
> Regards,
> Matthew

--
You received this message because you are subscribed to the Google Groups
"prosody-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to prosody-dev+unsubscr...@googlegroups.com.
To post to this group, send email to prosody-dev@googlegroups.com.
Visit this group at http://groups.google.com/group/prosody-dev.
For more options, visit https://groups.google.com/groups/opt_out.
Re: [prosody-dev] [ANN] Prosody 0.9.2 released!
On Jan 10, 2014, at 12:45 PM, Matthew Wild wrote:
> Hi Lonnie,
>
> On 7 January 2014 18:51, Lonnie Abelbeck wrote:
>> Hi Matthew,
>>
>> I built 0.9.2 and see the certs get generated. Of course we remove them
>> anyway.
>>
>> Question, what is your reason for generating certs vs. let developers/users
>> handle that outside of prosody? Aren't you still setting up the risk of
>> private keys getting distributed?
>
> Hmm, right - it's possible that packages could still generate
> certificates at build time, and distribute binary packages containing
> these certificates. The correct thing for packages to do is to pass
> --no-example-certs to ./configure now (I've just documented this at
> https://prosody.im/doc/packagers#section09 ).
>
> There is a balance to strike, and it's a tough one. I can't
> immediately see a way to automatically prevent packagers from making
> this mistake, except by removing all forms of automatic cert
> generation, which would inconvenience users building from source.
> Perhaps now we have prosodyctl able to generate certificates, this
> isn't terrible. More thought required.
>
> Regards,
> Matthew

Yes, I discovered the --no-example-certs configure option shortly after
I posted, which we now use to keep it simple.

Perhaps --no-example-certs should be the default and --with-example-certs
would generate them.

You are correct, it is a tough balance.

Lonnie
Re: [prosody-dev] [ANN] Prosody 0.9.2 released!
Hi Lonnie,

On 7 January 2014 18:51, Lonnie Abelbeck wrote:
> Hi Matthew,
>
> I built 0.9.2 and see the certs get generated. Of course we remove them
> anyway.
>
> Question, what is your reason for generating certs vs. let developers/users
> handle that outside of prosody? Aren't you still setting up the risk of
> private keys getting distributed?

Hmm, right - it's possible that packages could still generate
certificates at build time, and distribute binary packages containing
these certificates. The correct thing for packages to do is to pass
--no-example-certs to ./configure now (I've just documented this at
https://prosody.im/doc/packagers#section09 ).

There is a balance to strike, and it's a tough one. I can't
immediately see a way to automatically prevent packagers from making
this mistake, except by removing all forms of automatic cert
generation, which would inconvenience users building from source.
Perhaps now we have prosodyctl able to generate certificates, this
isn't terrible. More thought required.

Regards,
Matthew
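As an added example (not Prosody's own code, and not from anyone in the thread), here is a POSIX shell sketch of the two safeguards discussed above: Etan's first-run generation with certs from an /etc-style directory taking precedence, and a packager-side check that no private key is present in a build's staging tree before it is packed. The directory names, the host name and the use of openssl are assumptions.

```shell
#!/bin/sh
# Added example, not Prosody's own code. Two safeguards from the thread:
#  1. prosody_cert_dir: prefer admin-provided certs in an /etc-style
#     directory, fall back to a runtime directory, and only generate a
#     self-signed pair there on first run (never at package build time).
#  2. check_no_private_keys: fail a package build whose staging tree holds
#     any PEM private key, so example keys cannot ship in a binary package.
# All directory and host names used here are assumptions.
set -eu

# Generate a self-signed pair for host $2 into dir $1 (assumes openssl on
# PATH); the restrictive umask keeps the key readable by the owner only.
generate_self_signed() {
    dir=$1; host=$2
    mkdir -p "$dir"
    umask 077
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$host" \
        -keyout "$dir/$host.key" -out "$dir/$host.crt" 2>/dev/null
}

# Print the directory whose $3.crt/$3.key should be used: the admin dir
# ($1) if both files exist, else the runtime dir ($2), generating into
# the runtime dir only if nothing usable exists yet.
prosody_cert_dir() {
    admin_dir=$1; runtime_dir=$2; host=$3
    for d in "$admin_dir" "$runtime_dir"; do
        if [ -s "$d/$host.crt" ] && [ -s "$d/$host.key" ]; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    generate_self_signed "$runtime_dir" "$host"
    printf '%s\n' "$runtime_dir"
}

# Return 0 if no file under $1 contains a PEM private key block, else list
# the offending files on stderr and return 1 (run against the staging tree).
check_no_private_keys() {
    found=$(find "$1" -type f \
        -exec grep -l -- '-----BEGIN .*PRIVATE KEY-----' {} + 2>/dev/null || true)
    if [ -n "$found" ]; then
        printf 'private key material in package tree:\n%s\n' "$found" >&2
        return 1
    fi
    return 0
}
```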
Re: [prosody-dev] [ANN] Prosody 0.9.2 released!
Hi Matthew,

I built 0.9.2 and see the certs get generated. Of course we remove them
anyway.

Question, what is your reason for generating certs vs. let developers/users
handle that outside of prosody? Aren't you still setting up the risk of
private keys getting distributed?

Thanks as always for you and your team's fine work.

Lonnie

On Jan 7, 2014, at 12:02 PM, Matthew Wild wrote:
> We are pleased to announce Prosody 0.9.2, the latest release of our
> stable 0.9 branch. The main focus of this release is on a couple of
> security improvements.
>
> A summary of changes in this release:
>
> * Debian/Ubuntu packages fixed to always generate per-system certs
> * TLS: Improved cipher string, and use Prosody's preferred ciphers
> * MUC: Fix for Spark clients not displaying room lists
>
> More information can be found in the release announcement on our blog:
> http://blog.prosody.im/prosody-0-9-2-released/
>
> Download information can be found at https://prosody.im/download
>
> Happy Jabbering!
> The Prosody Team