| field | value | date |
|---|---|---|
| author | Christoph Biedl <ngircd.anoy@manchmal.in-ulm.de> | 2014-11-02 14:48:34 +0100 |
| committer | Alexander Barton <alex@barton.de> | 2024-03-23 20:19:01 +0100 |
| commit | 817937b218c4b57515f54216ebc936cd69df0aae (patch) | |
| tree | c664b78a598d0fa732ce060d4843985078082716 /doc | |
| parent | 339ad77b621b061de7053f88410f1b1395392ff5 (diff) | |
| download | ngircd-817937b218c4b57515f54216ebc936cd69df0aae.tar.gz ngircd-817937b218c4b57515f54216ebc936cd69df0aae.zip | |
Support for server certificate validation on server links [S2S-TLS]
This patch provides code to validate the server certificate in server links, defeating nasty man-in-the-middle attacks on server links.

Features:

- Check whether the certificate is signed by a trusted certificate authority (CA).
- Check the host name, including wildcard certificates and Subject Alternative Names.
- Optionally check against a certificate revocation list (CRL).
- Implementation for both OpenSSL and GnuTLS linkage.

Left for another day:

- Parameterize the TLS parameter of an outbound connection. Currently, it's hardcoded to disable all versions before TLSv1.1.
- Using certificate as CA-certificate. They work for GnuTLS only but perhaps this should rather raise an error there, too.
- Optional OCSP checking.
- Checking client certificates. Code is there but this first needs some consideration about the use cases. This could replace all other authentication methods, for both client-server and server-server connections.

This patch is based on a patch by Florian Westphal from 2009, which implemented this for OpenSSL only:

    From: Florian Westphal <fw@strlen.de>
    Date: Mon, 18 May 2009 00:29:02 +0200
    Subject: SSL/TLS: Add initial certificate support to OpenSSL backend

Commit message modified by Alex Barton.

Closes #120, "Server links using TLS/SSL need certificate validation".

Supersedes PR #8, "Options for verifying and requiring SSL client certificates", which had (incomplete?) code for OpenSSL, no GnuTLS.
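The host-name check listed in the commit message (Subject Alternative Names take precedence over the Common Name, and a wildcard is accepted only as the complete left-most label and matches exactly one label) is illustrated below. This is an added example written for this page, not ngIRCd's implementation: the functions `cert_name_matches` and `cert_matches_host`, and the sample certificate names, are constructed for illustration.

```c
/* Added example (not ngIRCd code): matching a peer's host name against
 * the names carried in its certificate, the way the commit message
 * describes it: prefer SAN dNSName entries when any exist, otherwise
 * fall back to the subject CN; accept "*." only as the entire
 * left-most label, matching exactly one host label. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive equality of two DNS names (DNS names are
 * case-insensitive, so "IRC.Example.ORG" equals "irc.example.org"). */
static bool eq_nocase(const char *a, const char *b)
{
    while (*a && *b) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
        a++;
        b++;
    }
    return *a == '\0' && *b == '\0';
}

/* Does certificate name `pattern` cover `host`?
 * - Without a wildcard: exact (case-insensitive) match.
 * - "*.example.org": the "*" stands for exactly one non-empty label,
 *   so "irc.example.org" matches but "a.b.example.org" and
 *   "example.org" do not.
 * - "*.org" (wildcard directly under the top-level label) and patterns
 *   with a wildcard anywhere else are rejected. */
bool cert_name_matches(const char *pattern, const char *host)
{
    if (!pattern || !host || !*pattern || !*host)
        return false;

    if (strncmp(pattern, "*.", 2) != 0)
        return eq_nocase(pattern, host);      /* no wildcard: exact match */

    const char *suffix = pattern + 1;         /* ".example.org" */
    if (strchr(suffix + 1, '.') == NULL)      /* "*.org": too broad */
        return false;
    if (strchr(suffix, '*') != NULL)          /* "*.ex*mple.org": invalid */
        return false;

    /* The host's first label must be non-empty; the remainder must
     * equal the pattern's suffix, so the wildcard spans one label. */
    const char *dot = strchr(host, '.');
    if (dot == NULL || dot == host)
        return false;
    return eq_nocase(suffix, dot);
}

/* Decide which names to compare: when the certificate carries SAN
 * dNSName entries, only those count and the CN is ignored; with no
 * SANs, the CN is used. Returns true when the host is covered. */
bool cert_matches_host(const char *const *sans, size_t n_sans,
                       const char *cn, const char *host)
{
    if (n_sans > 0) {
        for (size_t i = 0; i < n_sans; i++)
            if (cert_name_matches(sans[i], host))
                return true;
        return false;                         /* SANs present: CN ignored */
    }
    return cert_name_matches(cn, host);
}

int main(void)
{
    /* Constructed sample: a certificate whose SANs do not include the
     * link's host name, even though the CN happens to match. */
    const char *sans[] = { "mail.example.org", "*.internal.example.org" };
    const char *cn = "irc.example.org";

    printf("irc.example.org via SAN+CN: %s\n",
           cert_matches_host(sans, 2, cn, "irc.example.org") ? "ok" : "MISMATCH");
    printf("irc.example.org via CN only: %s\n",
           cert_matches_host(NULL, 0, cn, "irc.example.org") ? "ok" : "MISMATCH");
    printf("hub.internal.example.org via wildcard SAN: %s\n",
           cert_matches_host(sans, 2, cn, "hub.internal.example.org") ? "ok" : "MISMATCH");
    return 0;
}
```

The important consequence for operators is the third rule: once a certificate carries any SAN entries, a matching CN no longer rescues the link, so the peer certificate must list the link's host name as a dNSName (or be covered by a single-label wildcard).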
Diffstat (limited to 'doc')
| mode | file | lines |
|---|---|---|
| -rw-r--r-- | doc/sample-ngircd.conf.tmpl | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/doc/sample-ngircd.conf.tmpl b/doc/sample-ngircd.conf.tmpl index d59b139b..5f9cb9eb 100644 --- a/doc/sample-ngircd.conf.tmpl +++ b/doc/sample-ngircd.conf.tmpl @@ -273,6 +273,13 @@ # is only available when ngIRCd is compiled with support for SSL! # So don't forget to remove the ";" above if this is the case ... + # SSL Trusted CA Certificates File (for verifying peer certificates) + ;CAFile = /etc/ssl/CA/cacert.pem + + # Certificate Revocation File (for marking otherwise valid + # certficates as invalid) + ;CRLFile = /etc/ssl/CA/crl.pem + # SSL Server Key Certificate ;CertFile = :ETCDIR:/ssl/server-cert.pem @@ -364,6 +371,10 @@ # Connect to the remote server using TLS/SSL (Default: false) ;SSLConnect = yes + # Verify the TLS certificate presented by the remote server + # (Default: yes) + ;SSLVerify = yes + # Define a (case insensitive) list of masks matching nicknames that # should be treated as IRC services when introduced via this remote # server, separated by commas (","). |
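Review bot: the CRLFile comment in the first hunk misspells "certficates" ("# certficates as invalid)"); fix it to "certificates", and consider naming the option by its usual term, "Certificate Revocation List (CRL) file", so that readers searching the sample for "CRL" find it. The two new example paths are absolute (/etc/ssl/CA/cacert.pem, /etc/ssl/CA/crl.pem) while the neighbouring CertFile example uses the template's substitution (";CertFile = :ETCDIR:/ssl/server-cert.pem"); using :ETCDIR:/ssl/... for both would keep the generated sample self-consistent. The CAFile comment should also say what happens when it is left unset: the second hunk makes SSLVerify default to yes, so an administrator reading only this block needs to know whether a verified link fails without a trusted CA file or falls back to some other trust source.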
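Review bot: the SSLVerify comment in the second hunk gives the default but neither the option's scope nor its consequences. It should state whether the setting applies only to outbound connections made with SSLConnect = yes (the option directly above it) or also to incoming links, since the commit message lists client-certificate checking as left for another day; it should point to the CAFile and CRLFile options added by the first hunk as the source of trust for the check; and it should say that setting it to "no" restores the unverified behaviour the commit message describes as open to man-in-the-middle attacks, so an administrator disabling it knows what is given up. The commented example ";SSLVerify = yes" merely repeats the default; a short note that the peer certificate must carry the host name configured for this link (as a Subject Alternative Name or a matching wildcard, per the commit message) would be more useful in its place.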