mirror of
https://github.com/osmarks/ngircd.git
synced 2024-12-12 09:50:29 +00:00
817937b218
This patch provides code to validate the server certificate in server links, defeating nasty man-in-the-middle attacks on server links. Features: - Check whether the certificate is signed by a trusted certificate authority (CA). - Check the host name, including wildcard certificates and Subject Alternative Names. - Optionally check against a certificate revocation list (CRL). - Implementation for both OpenSSL and GnuTLS linkage. Left for another day: - Parameterize the TLS parameter of an outbound connection. Currently, it's hardcoded to disable all versions before TLSv1.1. - Using certificate as CA-certificate. They work for GnuTLS only but perhaps this should rather raise an error there, too. - Optional OCSP checking. - Checking client certificates. Code is there but this first needs some consideration about the use cases. This could replace all other authentication methods, for both client-server and server-server connections. This patch is based on a patch by Florian Westphal from 2009, which implemented this for OpenSSL only: From: Florian Westphal <fw@strlen.de> Date: Mon, 18 May 2009 00:29:02 +0200 Subject: SSL/TLS: Add initial certificate support to OpenSSL backend Commit message modified by Alex Barton. Closes #120, "Server links using TLS/SSL need certificate validation". Supersedes PR #8, "Options for verifying and requiring SSL client certificates", which had (incomplete?) code for OpenSSL, no GnuTLS. |
||
---|---|---|
.. | ||
src | ||
Bopm.txt | ||
Capabilities.txt | ||
Commands.txt | ||
Container.md | ||
Contributing.txt | ||
FAQ.md | ||
HowToRelease.txt | ||
Makefile.am | ||
Modes.txt | ||
PAM.txt | ||
Platforms.txt | ||
Protocol.txt | ||
QuickStart.md | ||
README-AUX.txt | ||
README-BeOS.txt | ||
README-Interix.txt | ||
RFC.txt | ||
sample-ngircd.conf.tmpl | ||
Services.txt | ||
SSL.txt |