
Helping bring knzk.me back to life...

@staticsafe A couple of things. If my understanding of the events is correct, the security fix that rate-limits failures in signature verification by source IP backfired on knzk.me because their Puma does not see the real IP address (proxy misconfig). In search of a solution, they reset all RSA keys as well, wherein I discovered a bug in the tootctl command that does that, so the accounts were advertising one public key while signing with another.

@staticsafe I have run another update on the public_key column to source it from the actual keypair, and given them a patch to (temporarily) undo the IP-based fix. In a day or more the accounts should be considered stale, and key caches on other servers should update and fix themselves. To check that it worked, I manually updated key caches on mastodon.social, and was able to successfully communicate with knzk.me

@staticsafe The somewhat disturbing thing is that I was able to reliably reproduce the key-related issue, but the problem that led them to attempt resetting their keys in the first place is merely an (educated) guess. At least it seems to work 🤷‍♂️
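The key mismatch described in the posts above (accounts advertising one public key while signing with another) can be checked for directly by re-deriving each public key from the stored private key and comparing it with the advertised one. The script below is an added illustration, not code from this thread, from Mastodon or from the tootctl command; the account records, the `username`/`private_key`/`public_key` field names and the generated keypairs are constructed for the example.

```ruby
require 'openssl'

# Constructed helper: generate a fresh RSA keypair (stands in for an account's stored keypair).
def generate_keypair
  OpenSSL::PKey::RSA.new(2048)
end

# Derive the public key PEM from a private key PEM. This is what an advertised
# public key must equal if it is sourced from the account's actual keypair.
def public_pem_from_private(private_pem)
  OpenSSL::PKey::RSA.new(private_pem).public_key.to_pem
end

# True when the advertised public key really belongs to the private key that signs.
def keys_consistent?(private_pem, advertised_public_pem)
  advertised = OpenSSL::PKey::RSA.new(advertised_public_pem)
  actual = OpenSSL::PKey::RSA.new(private_pem).public_key
  advertised.to_der == actual.to_der
end

# Reproduce the symptom remote servers see: sign with the private key, then
# verify with the advertised key. A mismatch makes every signature fail.
def signature_verifies?(private_pem, advertised_public_pem, message)
  signer = OpenSSL::PKey::RSA.new(private_pem)
  signature = signer.sign(OpenSSL::Digest.new('SHA256'), message)
  OpenSSL::PKey::RSA.new(advertised_public_pem)
                    .verify(OpenSSL::Digest.new('SHA256'), signature, message)
rescue OpenSSL::PKey::PKeyError
  false
end

# Audit a list of hypothetical account records (hashes with :username,
# :private_key and :public_key) and return the usernames whose advertised
# public key does not match their private key.
def audit_accounts(accounts)
  accounts.reject { |a| keys_consistent?(a[:private_key], a[:public_key]) }
          .map { |a| a[:username] }
end

# Repair: re-source every advertised public key from the stored private key,
# mirroring the column update described in the thread.
def repair_accounts(accounts)
  accounts.map { |a| a.merge(public_key: public_pem_from_private(a[:private_key])) }
end

if __FILE__ == $PROGRAM_NAME
  good = generate_keypair
  other = generate_keypair
  # Constructed records: 'alice' advertises a key from a different pair (broken),
  # 'bob' advertises the correct key.
  accounts = [
    { username: 'alice', private_key: good.to_pem, public_key: other.public_key.to_pem },
    { username: 'bob',   private_key: other.to_pem, public_key: other.public_key.to_pem }
  ]
  puts "mismatched before repair: #{audit_accounts(accounts).inspect}"
  puts "mismatched after repair:  #{audit_accounts(repair_accounts(accounts)).inspect}"
end
```

Running the audit before and after a repair is the check worth keeping around: once the advertised keys are re-sourced from the real keypairs, remote servers will pick up the corrected keys when their cached copies go stale, as the posts describe.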

@Gargron @staticsafe

That explains what I saw!

excellent work by the creator... we can all learn here.

@Gargron OMG EUGEN I WILL GIVE YOU ANY FORM OF AFFECTION YOU WOULD LIKE (INCLUDING NONE) IF YOU DO THIS!!!!!!!

@Gargron

it looked very odd the other day... nothing in queues...

I am concerned about the aggressiveness of the SSL inspection on their Fortigate.

@thegibson @Gargron hey i just wanna say thank you at thegibson for all your efforts helping out knzk, i saw your posts and appreciated the hard work

and thank you eugen for helping solve the issue!

sorry to not add anything but thanks, but, i'm really grateful. have a nice night/day/whenever

@Gargron thank you eugen, it's kind of you to help and i appreciate your efforts.

@Gargron I’d be fascinated to see a post-mortem for the fix

@Gargron I'm trying to use my Evanescence method of summoning...and I'm givin' it all she's got, cap'n!
