agl / xmpp-client

An XMPP client with OTR support
BSD 3-Clause "New" or "Revised" License

add build/install guidelines for Qubes #84

Closed david415 closed 9 years ago

david415 commented 9 years ago

has anyone tested xmpp-client in qubes besides me?

using go1.4.2 in a fedora 20 qube, i built and installed xmpp-client. i get a failure to connect to jabber.ccc.de; one of these:

x509: certificate signed by unknown authority (possibly because of "x509: cannot verify signature: algorithm unimplemented" while trying to verify candidate authority certificate "CA Cert Signing Authority")

there must be an easy solution to this... such as yum installing a package with crypto libraries that make this work?

david415 commented 9 years ago

is there a conspiracy against xmpp-client working on qubes?!

in a debian jessie qube, i built the latest stable go1.4.2 and then used that to build (via "go get") the latest upstream xmpp-client; this doesn't work either!

$GOPATH/bin/xmpp-client
Password for windfall@jabber.ccc.de (will not be saved to disk):

david415 commented 9 years ago

I ended up getting this to work by using the debian qube and specifying a ServerCertificateSHA256 in the xmpp-client config. If Fedora 20 also doesn't come with certificates then this would explain why it didn't work in either situation. It'd be nice if the error reporting were more clear in both cases.

agl commented 9 years ago

Indeed, if you don't trust CACert locally then jabber.ccc.de won't be able to validate correctly. I'm open to suggestions here since some distros are (sensibly) removing this root cert. Should xmpp perhaps special-case jabber.ccc.de and trust CACert for that host? I did wonder about a special-case match on the certificate hash, but that seems prone to breaking when the certificate is renewed.
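The two validation paths discussed in this thread, as an added Go example (not code from xmpp-client or from either commenter): CA validation against a trust store that lacks the issuing root, and a pin on the SHA-256 of the server certificate, including what happens to that pin when the certificate is reissued. Assumptions: the pin is the hex SHA-256 of the whole DER-encoded leaf certificate; the host `xmpp.example`, the fixed demo key and the names `newCert`, `pinOf` and `checkServerCert` are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// newCert builds a constructed self-signed test certificate from a fixed demo key.
func newCert(host string, serial int64) (*x509.Certificate, error) {
	seed := sha256.Sum256([]byte("constructed demo key, never use a fixed seed"))
	priv := ed25519.NewKeyFromSeed(seed[:])
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, t, t, priv.Public(), priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// pinOf returns the lowercase hex SHA-256 of the whole DER certificate (assumed pin format).
func pinOf(c *x509.Certificate) string { return fmt.Sprintf("%x", sha256.Sum256(c.Raw)) }

// checkServerCert checks the pin when set (skipping CA validation), else validates against roots.
func checkServerCert(c *x509.Certificate, host, pin string, roots *x509.CertPool) error {
	if pin == "" {
		_, err := c.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
		return err
	}
	if got := pinOf(c); got != pin {
		return fmt.Errorf("server certificate hash %s does not match pin", got)
	}
	return nil
}

func main() {
	old, err1 := newCert("xmpp.example", 1)     // hypothetical host
	renewed, err2 := newCert("xmpp.example", 2) // same key, reissued
	if err1 != nil || err2 != nil {
		panic(fmt.Sprint(err1, err2))
	}
	fmt.Println("no pin, empty trust store:", checkServerCert(old, "xmpp.example", "", x509.NewCertPool()))
	fmt.Println("pinned:", checkServerCert(old, "xmpp.example", pinOf(old), nil))
	fmt.Println("old pin after renewal:", checkServerCert(renewed, "xmpp.example", pinOf(old), nil))
}
```

The reissued certificate here reuses the same key and still fails the old pin, because the hash covers the serial number, validity dates and signature as well as the key.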