Opened 7 years ago
Closed 6 years ago
#4737 closed defect (fixed)
Update TLS certificate for XMPP
| Reported by: | Dunedan | Owned by: | |
|---|---|---|---|
| Priority: | Must Have | Milestone: | Alpha 23 |
| Component: | Multiplayer lobby | Keywords: | |
| Cc: | | Patch: | |
Description
The XMPP server providing the default lobby (lobby.wildfiregames.com:5222) currently serves a self-signed certificate, which expired last year. Please fix that and install a valid one signed by a known CA.
It'd probably also be a good idea to adjust 0ad to refuse to connect to a TLS-enabled XMPP server which is serving an invalid certificate.
Change History (6)
comment:1 by , 7 years ago
comment:2 by , 7 years ago
The "Ratings" and "WFGBot" XMPP bots use TLS if I'm not mistaken. As I assume that they're running on the same server as ejabberd, that shouldn't matter much for them though.
A Let's Encrypt certificate would be perfect and also doesn't need an HTTP server. Challenges can also be exchanged via DNS or a temporary HTTP server just for that purpose.
comment:3 by , 7 years ago
Yes, the bots are most likely still running on the same box (under a different user, but that's about it). I'm not sure how we get our certs, but I assume that it isn't using the dns challenge, which most likely will need some work to get a cert that way (either forwarding traffic, or changing that mechanism).
Then again I'm not involved in running the lobby (anymore), or any of the other machines.
comment:4 by , 6 years ago
Milestone: | Backlog → Alpha 23 |
---|---|
Priority: | Should Have → Must Have |
Self-signed is as valid as an expired one, so we actually need one from Let's Encrypt if MITM should be prevented.
TLS is both cheap to implement and good practice, and good practice is an obligation by https://gdpr-info.eu/art-32-gdpr/ under some arbitrary conditions, refs #5257. By implementing TLS, the elastic clauses were much harder to violate. There already are Cease & Desist letters in Germany for this under both GDPR and TMG (Telemediengesetz), so it seems silly not to use it.
comment:6 by , 6 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
The certificate should be fine, gloox isn't: #4705.
Since the game doesn't use TLS at all, it doesn't see an outdated cert. In case someone cares it would be nice to get a Let's Encrypt cert for the lobby server (but without running an http server on the lobby server), and then require TLS when connecting to the lobby. (There might also be some information regarding this and a few related issues in some slightly flamewar-y forum topic.)
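The ticket asks for two things: a CA-issued certificate on the lobby server, and a client that refuses to connect when the certificate it is shown is invalid (expired, self-signed, or issued for a different host). The following is an added example, not code from this ticket, from 0ad or from gloox: it shows the checks a client-side verifier enforces, run over two constructed `getpeercert()`-style dictionaries (the dates, the "Example CA" issuer and the second SAN entry are made up), plus the `ssl` context a Python client would use so the TLS library performs the full chain verification itself, which is the part a hand-rolled check cannot replace.

```python
import ssl
import time

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns:
# a self-signed certificate (issuer == subject) that expired long ago.
EXPIRED_SELF_SIGNED = {
    "subject": ((("commonName", "lobby.wildfiregames.com"),),),
    "issuer": ((("commonName", "lobby.wildfiregames.com"),),),
    "notBefore": "Jan  1 00:00:00 2015 GMT",
    "notAfter": "Jan  1 00:00:00 2016 GMT",
    "subjectAltName": (("DNS", "lobby.wildfiregames.com"),),
}

# Constructed sample of a CA-issued certificate (issuer and dates are invented).
CA_ISSUED = {
    "subject": ((("commonName", "lobby.wildfiregames.com"),),),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example CA R1"),)),
    "notBefore": "Mar  1 00:00:00 2018 GMT",
    "notAfter": "May 30 00:00:00 2018 GMT",
    "subjectAltName": (("DNS", "lobby.wildfiregames.com"), ("DNS", "wildfiregames.com")),
}

# Fixed "current time" for the worked example so the result is reproducible.
APRIL_2018 = ssl.cert_time_to_seconds("Apr  1 00:00:00 2018 GMT")


def _rdn_value(name, key):
    """Pull one attribute (e.g. commonName) out of a getpeercert() name tuple."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None


def _host_matches(pattern, hostname):
    """RFC 6125-style match: exact name, or a single leading wildcard label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return hostname.endswith(pattern[1:]) and hostname.count(".") == pattern.count(".")
    return pattern == hostname


def cert_problems(cert, hostname, now=None):
    """Return the reasons this peer certificate must be rejected ([] if none).

    This mirrors the visible symptoms the ticket names (expired, self-signed,
    wrong host); trust-chain validation against the CA store is left to the
    TLS library via strict_context() below.
    """
    now = time.time() if now is None else now
    problems = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    if cert.get("subject") == cert.get("issuer"):
        problems.append("self-signed")
    names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if not names:  # legacy certificates without a SAN: fall back to the CN
        cn = _rdn_value(cert.get("subject", ()), "commonName")
        names = [cn] if cn else []
    if not any(_host_matches(n, hostname) for n in names):
        problems.append("hostname mismatch")
    return problems


def strict_context():
    """TLS context a client should use: verify the chain and the hostname.

    With these settings the library itself aborts the handshake on an expired,
    self-signed or mis-issued certificate, so no application code ever talks
    to a peer that failed verification. For XMPP this context is applied when
    the client upgrades the port-5222 stream via STARTTLS.
    """
    ctx = ssl.create_default_context()   # loads the system CA store
    ctx.verify_mode = ssl.CERT_REQUIRED  # never accept an unverified peer
    ctx.check_hostname = True            # the cert must be for the lobby host
    return ctx


def check_lobby_certs(hostname="lobby.wildfiregames.com", now=APRIL_2018):
    """Worked example: evaluate both constructed certificates for the lobby host."""
    return {
        "expired_self_signed": cert_problems(EXPIRED_SELF_SIGNED, hostname, now),
        "ca_issued": cert_problems(CA_ISSUED, hostname, now),
    }


if __name__ == "__main__":
    for label, problems in check_lobby_certs().items():
        print(label, "->", "OK" if not problems else ", ".join(problems))
```

The old lobby certificate fails on two counts at once (expired and self-signed), which is the point comment 4 makes: a self-signed certificate gives no protection against MITM even when it is not expired, because nothing ties the key to the server's name. A client configured as in `strict_context()` would reject it before any XMPP traffic is exchanged; the ticket's second request (require TLS and refuse invalid certificates in 0ad) amounts to enabling the equivalent verification in gloox.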