mirror of
https://github.com/osmarks/ngircd.git
synced 2025-09-10 06:16:01 +00:00
Support for server certificate validation on server links [S2S-TLS]
This patch provides code to validate the server certificate in server links, defeating nasty man-in-the-middle attacks on server links.

Features:
- Check whether the certificate is signed by a trusted certificate authority (CA).
- Check the host name, including wildcard certificates and Subject Alternative Names.
- Optionally check against a certificate revocation list (CRL).
- Implementation for both OpenSSL and GnuTLS linkage.

Left for another day:
- Parameterize the TLS parameter of an outbound connection. Currently, it's hardcoded to disable all versions before TLSv1.1.
- Using certificate as CA-certificate. They work for GnuTLS only but perhaps this should rather raise an error there, too.
- Optional OCSP checking.
- Checking client certificates. Code is there but this first needs some consideration about the use cases. This could replace all other authentication methods, for both client-server and server-server connections.

This patch is based on a patch by Florian Westphal from 2009, which implemented this for OpenSSL only:

From: Florian Westphal <fw@strlen.de>
Date: Mon, 18 May 2009 00:29:02 +0200
Subject: SSL/TLS: Add initial certificate support to OpenSSL backend

Commit message modified by Alex Barton.

Closes #120, "Server links using TLS/SSL need certificate validation".

Supersedes PR #8, "Options for verifying and requiring SSL client certificates", which had (incomplete?) code for OpenSSL, no GnuTLS.
This commit is contained in:

committed by
Alexander Barton

parent
339ad77b62
commit
817937b218
@@ -397,6 +397,13 @@ All SSL-related configuration variables are located in the
section. Please note that this whole section is only recognized by ngIRCd
when it is compiled with support for SSL using OpenSSL or GnuTLS!
.TP
\fBCAFile (string)\fR
Filename pointing to the Trusted CA Certificates. This is required for
verifying peer certificates.
.TP
\fBCRLFile (string)\fR
Filename of Certificate Revocation List.
.TP
\fBCertFile\fR (string)
SSL Certificate file of the private server key.
.TP
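Review bot: the new \fBCAFile (string)\fR and \fBCRLFile (string)\fR entries put the type inside the bold span, whereas the existing \fBCertFile\fR (string) entry right below keeps it outside; write them as \fBCAFile\fR (string) and \fBCRLFile\fR (string) so the section stays consistent. The CAFile text also does not say what happens when it is left unset while a server link has verification enabled (does the check fail, or is it skipped?), and the CRLFile text should state that CRL checking is optional and only performed when a file is configured, as the commit message describes; one sentence each would cover both.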
@@ -491,6 +498,9 @@ You can use the IRC Operator command CONNECT later on to create the link.
\fBSSLConnect\fR (boolean)
Connect to the remote server using TLS/SSL. Default: false.
.TP
\fBSSLVerify\fR (boolean)
Verify the TLS certificate presented by the remote server. Default: yes.
.TP
\fBServiceMask\fR (string)
Define a (case insensitive) list of masks matching nicknames that should be
treated as IRC services when introduced via this remote server, separated
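Review bot: the new SSLVerify entry states its default as "Default: yes." while the SSLConnect entry directly above uses "Default: false."; pick one wording for boolean defaults (e.g. "Default: true.") so the two adjacent entries read consistently. The description should also say that verification depends on CAFile being set in the [SSL] section (the CAFile entry in this patch calls it required for verifying peer certificates) and what ngIRCd does when the certificate check fails, i.e. whether the link is refused, since an administrator reading only this entry cannot tell.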