IRC Log for #openid on 2009-06-29

Timestamps are in UTC.

  1. [00:27:21] * ertai (n=ertai@lns-bzn-53-82-65-29-132.adsl.proxad.net) Quit (Remote closed the connection)
  2. [00:27:24] * ertai (n=ertai@lns-bzn-44-82-249-223-53.adsl.proxad.net) has joined #openid
  3. [00:27:42] * ertai_ (n=ertai@lns-bzn-53-82-65-29-132.adsl.proxad.net) Quit (Remote closed the connection)
  4. [00:27:46] * ertai_ (n=ertai@lns-bzn-44-82-249-223-53.adsl.proxad.net) has joined #openid
  5. [00:58:34] * shigeta (n=shigeta@sakkgw2.sixapart.jp) has joined #openid
  6. [01:24:01] * Osurac (n=mikeg@adsl-074-182-167-053.sip.hsv.bellsouth.net) has joined #openid
  7. [02:27:01] * X9829JhF3 (n=mikeg@adsl-074-182-167-053.sip.hsv.bellsouth.net) has joined #openid
  8. [02:44:26] * Osurac (n=mikeg@adsl-074-182-167-053.sip.hsv.bellsouth.net) Quit (Read error: 113 (No route to host))
  9. [02:45:26] * jonny (n=chatzill@p1089-ipadfx01maru.tokyo.ocn.ne.jp) has joined #openid
  10. [02:46:37] * jonny is now known as Jonny
  11. [02:46:46] * Jonny is now known as JonnyB
  12. [02:53:37] <flaccid> howdy
  13. [03:10:35] * stub (n=stub@ppp-58-8-8-96.revip2.asianet.co.th) has joined #openid
  14. [03:23:08] <flaccid> oi JonnyB
  15. [03:23:30] <JonnyB> hello
  16. [03:23:38] <flaccid> worked out that problem yeah..
  17. [03:24:15] <JonnyB> hm what problem?
  18. [03:25:26] <flaccid> you are a different jonny from jp ? ie. not the jonny w/ mixi openid problem ?
  19. [03:25:34] <JonnyB> I'm the same
  20. [03:25:39] <JonnyB> I just chose to reg a nick today
  21. [03:25:48] <flaccid> well that's what i'm talking about
  22. [03:26:35] <JonnyB> i just tried the verisign endpoint
  23. [03:26:46] <JonnyB> it seems to respond to email/name etc requests nicely
  24. [03:27:15] <flaccid> you no longer have the problem with your example RP ?
  25. [03:27:17] <JonnyB> is there any other endpoint that does that? most others I've tried so far give you nothing but the openid
  26. [03:27:37] <JonnyB> oh well mixi doesn't work with my rp
  27. [03:27:46] <flaccid> yes and i'm saying i worked out why
  28. [03:27:49] <JonnyB> it still works with the openidenabled rp example however :-/
  29. [03:28:00] <flaccid> want to know why ?
  30. [03:28:02] <JonnyB> oh really?
  31. [03:28:07] <JonnyB> of course
  32. [03:28:08] <flaccid> yesshhhh
  33. [03:28:17] <flaccid> ok your RP is on ubuntu ?
  34. [03:28:49] <JonnyB> aa, atm I don't know the dist
  35. [03:29:30] <flaccid> well log on to it via shell
  36. [03:29:40] <flaccid> do say cd /tmp
  37. [03:30:08] <JonnyB> ok
  38. [03:30:52] <flaccid> and then do wget https://mixi.jp/xrds_server.pl
  39. [03:30:57] <flaccid> what does it say?
  40. [03:31:41] <JonnyB> cert. verification error
  41. [03:31:46] <flaccid> bingo!
  42. [03:31:58] <flaccid> you need to install the root CA cert that they use
  43. [03:32:34] <JonnyB> all right
  44. [03:33:12] <JonnyB> I'm not sure what that means really
  45. [03:33:13] <flaccid> if it's debian/ubuntu then just install the ca-certificates package and wammo
  46. [03:33:16] <JonnyB> I mean...
  47. [03:33:20] <JonnyB> it's red hat
  48. [03:33:33] <flaccid> redhat probably has an equivalent package
  49. [03:33:39] <flaccid> or you can install it manually
  50. [03:34:21] <flaccid> well clients don't trust 'everyone' ie. certificate authorities
  51. [03:35:28] <flaccid> so the CA for mixi is COMODO. that root CA needs to be installed on the server that the RP is on so it trusts it
  52. [03:35:40] * X9829JhF3 (n=mikeg@adsl-074-182-167-053.sip.hsv.bellsouth.net) Quit ()
  53. [03:35:50] <flaccid> it failed for my RP because COMODO is not in the root CAs and is no longer supported
  54. [03:36:06] <flaccid> my server being FreeBSD..
  55. [03:36:07] <JonnyB> but
  56. [03:36:22] <JonnyB> hm
  57. [03:36:40] <JonnyB> I mean, using the example I set up last week, it worked... for a day or two
  58. [03:37:09] <JonnyB> And why is it that the openidenabled.com example RP works, did they install this CA?
  59. [03:37:12] <flaccid> well i don't know why on that. you see the yadis discovery they provide that url and it's https ..
  60. [03:37:27] <flaccid> yes they would have the COMODO CA installed on that server
  61. [03:37:52] <flaccid> in debian/ubuntu it comes in the ca-certificates package, without that installed, fail, with that installed pass..
  62. [03:38:28] <flaccid> had to dig pretty deep to see that it was of course failing in the discovery with paranoid http fetcher..
  63. [03:41:08] <JonnyB> ok, i'll look into how to install that on redhat
  64. [03:41:25] <JonnyB> with wget, you could bypass that on purpose
  65. [03:41:31] <JonnyB> I guess it's a bad idea to do that on the RP :-P
  66. [03:42:17] <flaccid> yeah this all true
  67. [03:46:21] <JonnyB> is this what I need? http://www.comodo.com/trustconnect/Linux_Client_Configuration_Guide.pdf
  68. [03:47:50] * singpolyma (n=singpoly@c-76-21-5-96.hsd1.ca.comcast.net) Quit ("Lost terminal")
  69. [03:48:03] <flaccid> yeps
  70. [03:48:53] <flaccid> oh no that's the vpn client..
  71. [03:49:26] <flaccid> you need to see your distro support/doco on how to set up the root ca
  72. [03:49:45] <flaccid> it probably just goes in a directory eg. on debian it's /etc/ssl/certs
  73. [03:53:14] <flaccid> which redhat is it ?
  74. [03:56:25] * Politoed[FEUP] (n=Theorem@cica-proj.fe.up.pt) Quit (Client Quit)
  75. [04:08:25] <JonnyB> 4.3
  76. [04:10:04] <flaccid> RHEL ?
  77. [04:16:17] <JonnyB> ok it's actually centos
  78. [04:31:25] <flaccid> apache and openssl is what you are server with?
  79. [04:34:08] <flaccid> do you have /etc/pki/tls/certs/ ?
  80. [04:35:02] <flaccid> i think it goes in there but i'm not sure if you need to do anything to enable it
  81. [04:36:13] <JonnyB> yeah well, i've googled for awhile and not found much
  82. [04:36:29] <JonnyB> just some articles about comodo fails :-P
  83. [04:48:38] <flaccid> i've never used centos
  84. [04:49:24] <flaccid> asking in #centos for you
  85. [04:51:27] <flaccid> i gtg for a bit
  86. [04:54:53] <JonnyB> ok thx
  87. [05:02:21] <JonnyB> oh ok, there's actually a comment in mixi's openid faq about this
  88. [05:02:42] <JonnyB> it suggests to update the root cas as you suggested.
  89. [05:02:59] <JonnyB> also it works to shut off the checking using curl_setopt($c, CURLOPT_SSL_VERIFYPEER, FALSE);
  90. [05:03:11] <JonnyB> and doing this it really works to auth with mixi
  91. [05:03:22] <JonnyB> but yeah, i'm removing that again
  92. [05:55:40] <flaccid> jonnyB sorry i got disconnected
  93. [05:55:57] <flaccid> last msg i got was [15:04] <fn'JonnyB> but yeah, i'm removing that again
  94. [05:56:43] <flaccid> in terms of curl, it really depends if that is what the openid lib uses, probably not, and you don't want to allow any CA by disabling it, that's bad security..
  95. [06:01:42] <flaccid> JonnyB what's your status on that ?
  96. [06:10:42] <JonnyB> flaccid: that's my last yes
  97. [06:11:17] <flaccid> and have you put the CA in that folder yet, you do have /etc/pki/tls/certs ?
  98. [06:11:27] <JonnyB> don't have the pki folder
  99. [06:12:23] <flaccid> that was for centos 5 so maybe it's different
  100. [06:12:37] <flaccid> nobody answers in their channel, pretty poor support
  101. [06:12:47] <JonnyB> hmmm ok
  102. [06:13:02] <JonnyB> but the basic idea is to put the crt in a folder?
  103. [06:13:06] <flaccid> do some locate .crt and locate .pem and that kind of thing to find em
  104. [06:13:10] <flaccid> yeah
  105. [06:13:23] <flaccid> but you still might have to do something
  106. [06:19:05] <flaccid> JonnyB: http://samat.org/2005/06/23/rhel4/centos_4_placement_of_ssl_certificates w00t
  107. [06:20:18] <JonnyB> yes, I found that place
  108. [06:20:23] <JonnyB> but it seems more things need to be done
  109. [06:21:45] <flaccid> have you got c_rehash ?
  110. [06:22:19] <JonnyB> no
  111. [06:28:31] <flaccid> JonnyB : http://gagravarr.org/writing/openssl-certs/others.shtml
  112. [06:30:22] <flaccid> and http://gagravarr.org/writing/openssl-certs/personal.shtml#apache-keys
  113. [06:54:52] * thesmith (n=bens@212.58.232.179) has joined #openid
  114. [06:55:16] * qwp0 (n=qwp0@gw.localnet.sk) has joined #openid
  115. [07:08:27] * qwp0 (n=qwp0@gw.localnet.sk) Quit (Remote closed the connection)
  116. [07:24:27] * jochen_ (n=jochen@router.begen1.office.netnoc.eu) has joined #openid
  117. [07:26:10] * jochen_ (n=jochen@router.begen1.office.netnoc.eu) Quit (Read error: 104 (Connection reset by peer))
  118. [07:33:01] * jochen_ (n=jochen@router.begen1.office.netnoc.eu) has joined #openid
  119. [07:54:54] * ertai_ (n=ertai@lns-bzn-44-82-249-223-53.adsl.proxad.net) Quit ("leaving")
  120. [07:57:37] * ponchopilate (n=markthom@host81-137-232-55.in-addr.btopenworld.com) has joined #openid
  121. [08:01:28] * overlast_ (n=overlast@99.119.111.219.dy.bbexcite.jp) Quit (Read error: 110 (Connection timed out))
  122. [09:01:15] * daedeloth (n=daedelot@ip-81-11-173-163.dsl.scarlet.be) has joined #openid
  123. [09:58:42] * qwp0 (n=qwp0@gw.localnet.sk) has joined #openid
  124. [10:29:03] * qwp0 (n=qwp0@gw.localnet.sk) Quit (Read error: 104 (Connection reset by peer))
  125. [11:21:09] * shigeta (n=shigeta@sakkgw2.sixapart.jp) Quit ("Leaving...")
  126. [11:34:44] * ertai_ (n=ertai@lns-bzn-33-82-252-15-176.adsl.proxad.net) has joined #openid
  127. [11:35:00] * ertai_ (n=ertai@lns-bzn-33-82-252-15-176.adsl.proxad.net) Quit (Client Quit)
  128. [11:39:07] * ertai_ (n=ertai@lns-bzn-33-82-252-15-176.adsl.proxad.net) has joined #openid
  129. [11:43:02] * Orango (n=s-e@wikimedia/Orango) Quit (Connection timed out)
  130. [11:50:52] * ertai (n=ertai@lns-bzn-44-82-249-223-53.adsl.proxad.net) Quit (Read error: 110 (Connection timed out))
  131. [12:03:30] * ertai_ (n=ertai@lns-bzn-33-82-252-15-176.adsl.proxad.net) Quit ("leaving")
  132. [12:03:34] * ertai (n=ertai@lns-bzn-33-82-252-15-176.adsl.proxad.net) has joined #openid
  133. [12:04:40] * ertai (n=ertai@lns-bzn-33-82-252-15-176.adsl.proxad.net) has left #openid
  134. [12:25:51] * Orango (n=s-e@wikimedia/Orango) has joined #openid
  135. [12:26:21] * Orango (n=s-e@wikimedia/Orango) Quit (Read error: 54 (Connection reset by peer))
  136. [12:49:53] * stub (n=stub@canonical/launchpad/stub) Quit ("Leaving.")

These logs were automatically created by OpenIDlogbot on chat.freenode.net using a modified version of the Java IRC LogBot.