weechat-dev
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Weechat-dev] ssl_fingerprint irc server option

From: Maarten de Vries
Subject: Re: [Weechat-dev] ssl_fingerprint irc server option
Date: Mon, 20 Jan 2014 13:07:51 +0100
I uploaded it with a comment. Glad to be able to help.

Kind regards,
Maarten


On 20 January 2014 07:44, Sébastien Helleu <address@hidden> wrote:
On Mon, Jan 20, 2014 at 04:40:55AM +0100, Maarten de Vries wrote:
>    Currently, the only way to use a self-signed certificate for an IRC server (or bouncer) is to add the certificate to the root certificate list
>    or to disable certificate verification all together.
>
>    Adding it to the root CA list means that other certificate signed with the matching private key will also be accepted, which is not desirable
>    since it could be used to forge certificates for existing servers when compromised. Additionally, there is only one global setting for which
>    root CA list to use, and it can't be set per server. That means that you'd have to either add the certificate to your distribution's CA list or
>    keep a copy in in sync somewhere with the added certificate. Adding it to your distribution's CA list would even compromise https and other
>    applications if the private key was ever stolen, so this would be a very bad idea™. Keeping a copy in sync is just a hassle, although it can no
>    doubt be automated.
>
>    Disabling certificate verification entirely means you are vulnerable to man-in-the-middle attacks again, which means the whole purpose of
>    SSL/TLS is kind of defeated. Sure, the traffic is encrypted, but with enough effort it can still be eavesdropped on.
>
>    A much better option, in my opinion, is to allow the user to specify exactly which certificate is allowed for a specific server. That way you
>    can use a self-signed certificate without fear of compromising traffic to other server and without being susceptible to man-in-the-middle
>    attacks. To keep things easy (for the implementation and for the user) I think that a sha1 fingerprint of the certificate is enough to identify
>    the certificate uniquely and safely.
>
>     I added an option irc.server.*.ssl_fingerprint . When set and not an empty string, the only certificate accepted for the server is the one with
>    that fingerprint. It should be the SHA1 hash of the certificate without separators between the bytes, exactly in the format as shown when
>    connecting to the server. Otherwise valid certificates that have been signed by a trusted CA will not be accepted if this option is non-empty,
>    unless of course the fingerprint matches.
>    I attached the patch. I hope I followed the coding style. Any comments or remarks are welcome.

Hi Maarten,

Thank you for the patch!

There is a task for this feature on savannah, could you please attach the patch
to the task (with a short comment to explain what it does):

https://savannah.nongnu.org/task/?12724

Thank you.

Cordialement / Best regards.

--
Sébastien Helleu

web: flashtux.org / weechat.org      mail: address@hidden
irc: FlashCode @ irc.freenode.net    xmpp: address@hidden

reply via email to
[Prev in Thread] Current Thread [Next in Thread]