Comments (7)
Charybdis uses certificates' fingerprints to verify them; it doesn't care about the certchain.
from charybdis.
Affirmative. The server cares not for anything in the certificate or its chain (in fact, if you supply a chained certificate and not the certificate that signed it, it won't generate a fingerprint for you at all, effectively ignoring it, because of a lack of check for an unknown signer). It doesn't care about the issuer, it doesn't care about the subject, it doesn't care about the public key algorithm, or size. It doesn't even care about the digest algorithm, always using SHA-1 instead. The fingerprint is just a digest of the DER form of the client certificate, and the fingerprint is all the server uses, because that fingerprint covers the client's public key, which is enough of an assurance to identify to e.g. an IRC services package supporting certfp. There is no problem here.
from charybdis.
Closing as we do not consider it a bug.
from charybdis.
Hi guys,
I'm very glad to receive your responses. But I think you may have misunderstood the bug I reported.
There are two conditions where an ircd should work with certificates:
1. Charybdis serves as an "irc server". It will listen for client requests and send the server certificate to clients. Clients will verify this server certificate and they have a choice to send a client certificate to the ircd.
2. An ircd will also connect to other servers under SSL. During this connection, the ircd serves as a "client". The ircd will receive a certificate and it must verify the certificate to make sure the connection is safe.
The bug I reported focuses on the second condition: charybdis doesn't verify the certificate which other servers sent.
What's more, I read the source code and found that charybdis uses libratbox, which implements the SSL connection (charybdis/libratbox/src/openssl.c). But libratbox's SSL implementation is broken; it didn't verify the certificate when doing the SSL connection. Do you know about the broken thing?
Thanks,
Runqing
from charybdis.
- I think people are aware that charybdis is an irc server.
- See @aaronmdjones response.
- Do you even have any clue what you're talking about?
from charybdis.
As per my response, the ONLY thing the server cares about is the fingerprint. If you are connecting to another server, that server can be configured to only accept a certain fingerprint, and the server doing the connection can, too. There is no bug or problem here.
from charybdis.
OK, I know. Thanks very much for your responses :->
from charybdis.
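The fingerprint check discussed in this thread, sketched in Python as an added example; it is not code from charybdis or libratbox. The function names, the sample bytes and the pin are constructed for illustration, and the digest is SHA-1 over the DER form of the certificate as the maintainers describe.

```python
import hashlib
import hmac
import socket
import ssl


def certfp(der_cert: bytes) -> str:
    """SHA-1 over the DER encoding of the certificate, as lowercase hex."""
    return hashlib.sha1(der_cert).hexdigest()


def normalize(fp: str) -> str:
    """Accept 'AA:BB:..' and 'aabb..' spellings of the same fingerprint."""
    return fp.replace(":", "").replace(" ", "").lower()


def pin_matches(der_cert: bytes, pinned: str) -> bool:
    """Constant-time comparison of the peer's fingerprint against the pin."""
    return hmac.compare_digest(certfp(der_cert), normalize(pinned))


def peer_pin_ok(host: str, port: int, pinned: str) -> bool:
    """Connect without chain validation and accept the peer only on a pin match."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # issuer, subject and chain are not checked
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    # In this sketch the pin is the only control: an empty or missing pin
    # never matches, so the peer is rejected rather than silently trusted.
    return der is not None and pin_matches(der, pinned)


# Constructed stand-in bytes, not a real certificate; the digest only sees bytes.
SAMPLE_DER = bytes.fromhex("3082010a") + b"constructed-sample-certificate-body"
SAMPLE_PIN = certfp(SAMPLE_DER)
```

`peer_pin_ok` needs a reachable TLS listener; the other functions work offline on any DER bytes.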