kentonv changed the topic of #sandstorm to: Welcome to #sandstorm: home of all things Say hi! | Have a question but no one is here? Try asking in the discussion group:
<abliss> openssl s_client also says "verify error:num=24:invalid CA certificate"
<abliss> (btw, can you remind me why we have to MITM the ssl connection anyway? now that we're only powerbox-requesting the domain, not the path, isn't the CONNECT line itself enough?)
<isd> abliss: CONNECT wants a raw TCP connection, over which it expects to speak TCP to the end server.
<isd> We can't do that transparently, since the capabilities we're working with want to know more about http.
<abliss> ah, right, gotcha, thanks
<isd> So when we get a CONNECT we hand it a connection to ourselves, and then MITM the request it tries to make over that connection.
<isd> expects to speak HTTP
<abliss> it seems like the proxy server serves two certs, a self-signed one and then the regular target cert signed by the CA. It's the self-signed one that seems to have an invalid CA cert.
<abliss> (as well as also `verify error:num=26:unsupported certificate purpose`)
<abliss> i can't get openssl s_client to like the cert (nor to tell me anything more verbose than 'invalid CA certificate'.
<isd> It's entirely possible there's a bug in the logic that generates the CA, and it happens not to bother php
<abliss> I'm doing `echo -e 'GET / HTTP/1.0\r\n\r\n' | openssl s_client -connect -proxy localhost:4000 -verify 3 --verify_return_error -CAfile "$CA_CERT_PATH"` from inside the grain's network namespace
<abliss> is php one of those garbage languages (like python <2.9) that just skips all ssl validation by default?
<abliss> have you tried with curl? or any https client besides php?
<isd> It definitely didn't work before I changed the root certs in php.ini
<isd> But no, I have not tried it with any other clients.
<isd> Probably php is being more lax than other clients.
<abliss1> thanks! not sure if i'll have time left to test tonight but i'll let you know.
abliss has quit [Ping timeout: 258 seconds]
abliss has joined #sandstorm
<abliss> that patch didn't seem to make any difference :(
<abliss1> trying again with `BasicConstraintsValid: true`, which i think may be necessary to include the isCA in the x509v3 fields
<abliss1> we may also need the Key Usage field:
<isd> Yeah, probably.
abliss has quit [Ping timeout: 258 seconds]
griff_ has quit [Quit: griff_]
strugee has joined #sandstorm
abliss has joined #sandstorm
<abliss> ok, that seems to make it work.
<abliss> the problem now is the auth header.
<abliss> seems like the proxy is changing my auth header to something with a bearer token.
<isd> cool.
<isd> Wait, so you're trying to send an authorization header from inside the grain?
<abliss> yes
<isd> That won't work; the Authorization header is used by the bridge to determine which capability to use for the request.
<abliss> matrix server-server federation requires an auth header
<abliss> can we add another header that can smuggle it out?
griff_ has joined #sandstorm
<isd> abliss: look at headerWhitelist in web-session.capnp
<isd> Probably you want to use x-sandstorm-app-*
<isd> Did someone try to port phabricator? Noticed there's an entry there, but afaik we don't have an app for it.
<abliss> isd: but now i have to add another proxy on the way out to restore the header?
<isd> I guess so.
<abliss> so it's the same set of whitelisted headers for incoming http api requests and outgoing requests?
<isd> From what I can tell; it looks like the implementation is pulling from the same list.
<isd> shell/imports/server/drivers/external-ui-view.js if you're interested in opening up the hood
<abliss> i'm so sick of sandstorm stomping on my auth header... now i'd need another MITMing proxy for sandstorm itself to live inside, to restore the headers that it's stripping
_whitelogger has joined #sandstorm
<JacobWeisz[m]> Wooo, SandCal in the experimental market!
<isd> It feels good to get that out the door.
<isd> Reminder office hours tomorrow
abliss has quit [Ping timeout: 260 seconds]
strugee has quit [Ping timeout: 258 seconds]
griff_ has quit [Quit: griff_]
crab has quit [Remote host closed the connection]
crab has joined #sandstorm
crab has quit [Remote host closed the connection]
crab has joined #sandstorm
griff_ has joined #sandstorm
michaeln3 has joined #sandstorm
michaeln3 has quit [Ping timeout: 246 seconds]
sam_w has quit [Read error: Connection reset by peer]
sam_w has joined #sandstorm
griff_ has quit [Quit: griff_]
griff_ has joined #sandstorm
sknebel has left #sandstorm [#sandstorm]
griff_ has quit [Quit: griff_]
_whitelogger has joined #sandstorm
nicoo has quit [Remote host closed the connection]
nicoo has joined #sandstorm
TMM has quit [Quit: - Chat comfortably. Anywhere.]
TMM has joined #sandstorm
<isd> Reminder: office hours in 30 min
<JacobWeisz[m]> Probably won't be there, friends are on their way.
<abliss1> jitsi phone bridge seems busted again
<isd> Just me so far. Is anyone else planning on joining?
<abliss1> trying
strugee has joined #sandstorm
<isd> ill_logic: are you still having trouble getting oriented with meteor? I'm wondering if maybe doing some pair programming might get you over that hump?
<ill_logic> Ian Denhardt: I appreciate it. I think it may be a good idea.
<ill_logic> It's mostly a momentum thing.
<JacobWeisz[m]> Ian, you might wanna tell the mailing list SandCal is open for testing.
<isd> Yeah, I probably should.
<isd> I guess we need to figure out how to do pair programming remotely.
<abliss1> tried FlooBits?
sam_w has quit [Read error: Connection reset by peer]
sam_w has joined #sandstorm
<isd> I haven't
<isd> ill_logic: what editor(s) do you use?
<ill_logic> vim
<isd> me too. Maybe I can just proxy a tmux session somewhere.
<ill_logic> hah. I mean, could just ssh right?
<ill_logic> or I guess it would have to be on a server running a development sandstorm
<abliss1> vim should work in my ttyd spk....
<abliss1> (but you couldn't do much testing in the sandbox)
<isd> Yeah, getting a full dev setup running (including both of us being able to see the server via the browser) is a bit fiddlier than just ssh
<abliss1> Ian Denhardt: am I wrong to think that whatever golang I write for a TcpPort-sharing grain will have to be 100% rewritten in kj-dialect C++ when it gets integrated into sandstorm?
<isd> Right now the IpNetwork implementation is in javascript, actually