mirrors/ngircd
1
0
Fork 0
mirror of https://github.com/osmarks/ngircd.git synced 2025-09-10 06:16:01 +00:00
Code Issues Releases Wiki Activity

Support for server certificate validation on server links [S2S-TLS]

Browse Source 
This patch provides code to validate the server certificate in
server links, defeating nasty man-in-the-middle attacks on server
links.

Features:

- Check whether the certificate is signed by a trusted certificate
  authority (CA).
- Check the host name, including wildcard certificates and Subject
  Alternative Names.
- Optionally check against a certificate revocation list (CRL).
- Implementation for both OpenSSL and GnuTLS linkage.

Left for another day:

- Parameterize the TLS parameter of an outbound connection. Currently,
  it's hardcoded to disable all versions before TLSv1.1.
- Using certificate as CA-certificate. They work for GnuTLS only but
  perhaps this should rather raise an error there, too.
- Optional OCSP checking.
- Checking client certificates. Code is there but this first needs some
  consideration about the use cases. This could replace all other
  authentication methods, for both client-server and server-server
  connections.

This patch is based on a patch by Florian Westphal from 2009, which
implemented this for OpenSSL only:

  From: Florian Westphal <fw@strlen.de>
  Date: Mon, 18 May 2009 00:29:02 +0200
  Subject: SSL/TLS: Add initial certificate support to OpenSSL backend

Commit message modified by Alex Barton.

Closes #120, "Server links using TLS/SSL need certificate validation".
Supersedes PR #8, "Options for verifying and requiring SSL client
certificates", which had (incomplete?) code for OpenSSL, no GnuTLS.
This commit is contained in:
Christoph Biedl
2014-11-02 14:48:34 +01:00
committed by Alexander Barton
parent 339ad77b62
commit 817937b218
7 changed files with 386 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
doc/sample-ngircd.conf.tmpl
View File

@@ -273,6 +273,13 @@
# is only available when ngIRCd is compiled with support for SSL!
# So don't forget to remove the ";" above if this is the case ...
# SSL Trusted CA Certificates File (for verifying peer certificates)
;CAFile = /etc/ssl/CA/cacert.pem
# Certificate Revocation File (for marking otherwise valid
# certficates as invalid)
;CRLFile = /etc/ssl/CA/crl.pem
# SSL Server Key Certificate
;CertFile = :ETCDIR:/ssl/server-cert.pem
@@ -364,6 +371,10 @@
# Connect to the remote server using TLS/SSL (Default: false)
;SSLConnect = yes
# Verify the TLS certificate presented by the remote server
# (Default: yes)
;SSLVerify = yes
# Define a (case insensitive) list of masks matching nicknames that
# should be treated as IRC services when introduced via this remote
# server, separated by commas (",").