xmpp-server-list
xmpp-server-list copied to clipboard
ChatSecure
Replace certificates for pub keys
Most XMPP servers on the list are now using Let's Encrypt certificates, which have a short 90 days lifetime. This means that the certificate property will become quickly outdated. IMO it should be removed. Otherwise you would need a bot to continuously monitor all domains and update certificates.
We pin to the public key, not the leaf cert, so as long as the key isn't regenerated it should work okay. I think the LE default is to renew just the cert and not regen the key but I could be mistaken.
It doesn't seem so. I've checked one of oldest entries, Calyx, and it contains a full certificate (a CA signed public key) in the certificate property.
*.calyxinstitute.org
Identity: *.calyxinstitute.org
Verified by: RapidSSL SHA256 CA - G3
Expires: 10/03/16
To check it yourself you can run: echo MIIFwzCCBKugAwIBAgIDAivsMA0GCSqGSIb3DQEBCwUAMEcxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMSAwHgYDVQQDExdSYXBpZFNTTCBTSEEyNTYgQ0EgLSBHMzAeFw0xNTAyMDYwNDQzMDRaFw0xNjAzMTAwODIwMDZaMIGYMRMwEQYDVQQLEwpHVDcwMjc0Nzg2MTEwLwYDVQQLEyhTZWUgd3d3LnJhcGlkc3NsLmNvbS9yZXNvdXJjZXMvY3BzIChjKTE1MS8wLQYDVQQLEyZEb21haW4gQ29udHJvbCBWYWxpZGF0ZWQgLSBSYXBpZFNTTChSKTEdMBsGA1UEAwwUKi5jYWx5eGluc3RpdHV0ZS5vcmcwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDCTdLiJ5/UTGjpAU9+pFY/gwYqdjZ5W045BXenSIkDqEkGqASgAmr76uIJgeIR2+gaySV4B1PBVRBwu4gOwOnry2skdfJdX/E3LPf2qz8+9T7aesvb684JHoInIH6OyUviG7/yclUKwyetz5hO/FO4KY1SP83Wb3Q9GCBRN8VWVC0P3MP8cySo+jXKOEPbCpbzKvsDRAzcyVpTUBHhnxRLuOcjNJREVnkWmAZdT8NW9qyNYTVPMaYZXcNGUAa9uSnR0AD5Vpqg5OW6VjVNh/veBdVg4+mQUVxtJoMLCzc4n3Ps73ZRITVPdpllB3w6jOhyLSzyIVRQj8q2jCb7xdkDGGInGyOOqxSC+E7Cuz5XlRf6DUFXQdlonegkzKrmTNhiLkMeNvVHxr8IFZCnmpBUdnBI8zn+GdBlXIkBTjYMoMzxayE+8UftF36nAXS8xWa/J5iBsNsETpdNT6upQ3vHzCvBK5TZAd4GQGK6ghdca5JbgwLWNZqLYnhhw4YxSNZxlle3sG5c/nzltp4StNXodR4qXcXlN4ay363zOYBgmDzyjlKph0fCPZwbCby+26w61pwXAgVJP+sLMu96ZsHNnfTZxUo3v3tsztMiU1WekXR1rO9fMAQ2bAHFB66OwRiIZgu1OtniQW+rPm7A1JD9d1/IO4LFkgqWQxCmpPsZrwIDAQABo4IBZDCCAWAwHwYDVR0jBBgwFoAUw5zz/NNGCDS7zkZ/oHxb8+IIy1kwVwYIKwYBBQUHAQEESzBJMB8GCCsGAQUFBzABhhNodHRwOi8vZ3Yuc3ltY2QuY29tMCYGCCsGAQUFBzAChhpodHRwOi8vZ3Yuc3ltY2IuY29tL2d2LmNydDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMDMGA1UdEQQsMCqCFCouY2FseXhpbnN0aXR1dGUub3JnghJjYWx5eGluc3RpdHV0ZS5vcmcwKwYDVR0fBCQwIjAgoB6gHIYaaHR0cDovL2d2LnN5bWNiLmNvbS9ndi5jcmwwDAYDVR0TAQH/BAIwADBFBgNVHSAEPjA8MDoGCmCGSAGG+EUBBzYwLDAqBggrBgEFBQcCARYeaHR0cHM6Ly93d3cucmFwaWRzc2wuY29tL2xlZ2FsMA0GCSqGSIb3DQEBCwUAA4IBAQCKbCIimuh3jSQCxZw5n8oHMbJxZoBvbo8awn3N6d7LZ4CF/LJhCyOJilDY1pyjKKCq8vz5haYJWw1dUiMiVlZ/mubmYvnSZ4rvpOV37HxUQXfujowHTQWBOhNiEFzI+/EwZgKmUxW9WwNLpTAOqfebN85RuWUq5EAvFZ3iEaYxnMevbZVOvg32GuqLWfLfTiFX/aeTeKsuG2O08xzqLX+tpHDU6MiNM6TFELd2xwB31xW9KhZqrzSq27PUT/lWrS4teQvbLFWcytORaim55sTw77Y5z/BuMbvBDxZYThzxIZNd9WDw1odck1llbuUe15NKMRpCfjWgwZ2K/W6K73ve | base64 --decode | openssl x509 -inform der -noout -text
We pin to the public key
Do you mean in ChatSecure code itself? That way you are right, it should work as long as the pub key isn't renewed. If that's the case, we should just store the public key here instead of the complete certificate. That would spare us the job of updating certificates to keep things nice and tidy.
Ya in the code itself. The problem there is that the processing code only handles the full cert at the moment, so it is easier to just keep it as is for now. :)