
Comments (7)

hce commented on September 26, 2024

Charybdis uses certificates' fingerprints to verify them; it doesn't care about the certchain.

from charybdis.

aaronmdjones commented on September 26, 2024

Affirmative. The server cares not for anything in the certificate or its chain (in fact, if you supply a chained certificate and not the certificate that signed it, it won't generate a fingerprint for you at all, effectively ignoring it, because of a lack of check for an unknown signer). It doesn't care about the issuer, it doesn't care about the subject, it doesn't care about the public key algorithm, or size. It doesn't even care about the digest algorithm, always using SHA-1 instead. The fingerprint is just a digest of the DER form of the client certificate, and the fingerprint is all the server uses, because that fingerprint covers the client's public key, which is enough of an assurance to identify to e.g. an IRC services package supporting certfp. There is no problem here.


kaniini commented on September 26, 2024

Closing as we do not consider it a bug.


rainkin1993 commented on September 26, 2024

Hi guys,
I'm very glad to receive your responses. But I think you may have misunderstood the bug I reported.
There are two conditions where an ircd should work with certificates:
1. Charybdis serves as an "irc server". It will listen for client requests and send the server certificate to clients. Clients will verify this server certificate and they have a choice to send a client certificate to the ircd.
2. An ircd will also connect to other servers over SSL. During this connection, the ircd serves as a "client". The ircd will receive a certificate and it must verify the certificate to make sure the connection is safe.
The bug I reported focuses on the second condition: charybdis doesn't verify the certificate which other servers sent.
What's more, I read the source code and found that charybdis uses libratbox, which implements the SSL connection (charybdis/libratbox/src/openssl.c). But libratbox's SSL implementation is broken; it didn't verify the certificate when doing the SSL connection. Do you know about the broken thing?

Thanks,
Runqing


pgodschalk commented on September 26, 2024

  1. I think people are aware that charybdis is an irc server.
  2. See @aaronmdjones's response.
  3. Do you even have any clue what you're talking about?


aaronmdjones commented on September 26, 2024

As per my response, the ONLY thing the server cares about is the fingerprint. If you are connecting to another server, that server can be configured to only accept a certain fingerprint, and the server doing the connection can, too. There is no bug or problem here.

from charybdis.
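
The fingerprint check aaronmdjones describes, as an added example that is not part of the thread or of charybdis's code: SHA-1 over the certificate's DER bytes, compared with a configured pin. The function names and the byte strings standing in for certificates are constructed for illustration.

```python
import hashlib
import ssl

def certfp(der: bytes) -> str:
    """Fingerprint as described in the thread: SHA-1 over the DER encoding."""
    return hashlib.sha1(der).hexdigest()

def certfp_from_pem(pem: str) -> str:
    """Hash the decoded DER, never the PEM text (armor and line breaks differ)."""
    return certfp(ssl.PEM_cert_to_DER_cert(pem))

def normalize(fp: str) -> str:
    """Accept 'AA:BB:...' or 'aabb...'; reject anything but 40 hex digits."""
    cleaned = fp.replace(":", "").strip().lower()
    if len(cleaned) != 40 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError(f"not a SHA-1 fingerprint: {fp!r}")
    return cleaned

def peer_allowed(peer_der, pinned) -> bool:
    """True only if the peer presented a certificate whose fingerprint is pinned."""
    if not peer_der:  # no certificate means no fingerprint to match
        return False
    # Normalize every pin first so a malformed pin raises instead of never matching.
    return certfp(peer_der) in {normalize(p) for p in pinned}

# Constructed stand-ins for DER certificates (not real X.509). The check never
# parses them, which is the point: issuer, subject and chain play no part.
HUB_DER = bytes.fromhex("3082") + b"constructed certificate for the linked server"
OTHER_DER = bytes.fromhex("3082") + b"constructed certificate for the linked servet"

def demo() -> dict:
    fp = certfp(HUB_DER)
    pin = ":".join(fp[i:i + 2] for i in range(0, 40, 2)).upper()  # config-style form
    pem = ssl.DER_cert_to_PEM_cert(HUB_DER)
    return {
        "pinned_peer": peer_allowed(HUB_DER, [pin]),
        "different_cert": peer_allowed(OTHER_DER, [pin]),
        "no_cert": peer_allowed(None, [pin]),
        "pem_matches_der": certfp_from_pem(pem) == fp,
        "hashing_pem_text": hashlib.sha1(pem.encode()).hexdigest() == fp,
    }

if __name__ == "__main__":
    print(demo())
```

With Python's `ssl` module, the peer's DER bytes come from `SSLSocket.getpeercert(binary_form=True)`.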

rainkin1993 commented on September 26, 2024

OK, I know. Many thanks for your responses :->

