author: Christoph Biedl <ngircd.anoy@manchmal.in-ulm.de> 2014-11-02 14:48:34 +0100
committer: Alexander Barton <alex@barton.de> 2024-03-23 20:19:01 +0100
commit: 817937b218c4b57515f54216ebc936cd69df0aae
tree: c664b78a598d0fa732ce060d4843985078082716 /man
parent: 339ad77b621b061de7053f88410f1b1395392ff5
Support for server certificate validation on server links [S2S-TLS]
This patch provides code to validate the server certificate in
server links, defeating nasty man-in-the-middle attacks on server
links.

Features:

- Check whether the certificate is signed by a trusted certificate
  authority (CA).
- Check the host name, including wildcard certificates and Subject
  Alternative Names.
- Optionally check against a certificate revocation list (CRL).
- Implementation for both OpenSSL and GnuTLS linkage.

Left for another day:

- Parameterize the TLS parameters of an outbound connection. Currently,
  they are hardcoded to disable all versions before TLSv1.1.
- Using certificates as CA certificates. They work for GnuTLS only, but
  perhaps this should rather raise an error there, too.
- Optional OCSP checking.
- Checking client certificates. Code is there but this first needs some
  consideration about the use cases. This could replace all other
  authentication methods, for both client-server and server-server
  connections.

This patch is based on a patch by Florian Westphal from 2009, which
implemented this for OpenSSL only:

  From: Florian Westphal <fw@strlen.de>
  Date: Mon, 18 May 2009 00:29:02 +0200
  Subject: SSL/TLS: Add initial certificate support to OpenSSL backend

Commit message modified by Alex Barton.

Closes #120, "Server links using TLS/SSL need certificate validation".
Supersedes PR #8, "Options for verifying and requiring SSL client
certificates", which had (incomplete?) code for OpenSSL, no GnuTLS.
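An ngircd.conf fragment, added here as an illustration and not part of this commit or of the ngIRCd sources, that wires the options documented by this patch together and places the unverified setting beside the verified one. CertFile, CAFile, CRLFile, SSLConnect and SSLVerify are the options in the man page diff; the [SSL] and [Server] section names, the KeyFile, Name, Host and Port keys, and all paths and host names are assumptions made for the example.

```ini
[SSL]
        # Server's own certificate and private key (CertFile is documented
        # in the man page diff; KeyFile is assumed for this example).
        CertFile = /etc/ngircd/server.pem
        KeyFile = /etc/ngircd/server.key
        # Trusted CA certificates; the man page says this is required
        # for verifying peer certificates.
        CAFile = /etc/ngircd/ca.pem
        # Certificate revocation list; the commit message lists CRL
        # checking as optional.
        CRLFile = /etc/ngircd/ca.crl

# Weak: the link is encrypted, but the peer's certificate is not checked,
# which is the man-in-the-middle exposure the commit message describes.
[Server]
        Name = hub.example.org
        Host = hub.example.org
        Port = 6697
        SSLConnect = yes
        SSLVerify = no

# Corrected: verify the peer's certificate against CAFile (and CRLFile,
# when set). SSLVerify already defaults to yes, so the explicit line only
# documents the intent.
[Server]
        Name = leaf.example.org
        Host = leaf.example.org
        Port = 6697
        SSLConnect = yes
        SSLVerify = yes
```

The point of the pairing is that `SSLConnect = yes` alone only buys confidentiality against a passive observer; authentication of the peer comes from `SSLVerify` together with a `CAFile` that contains only the CAs you actually trust to issue certificates for your server links.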
Diffstat (limited to 'man')
-rw-r--r--  man/ngircd.conf.5.tmpl | 10 +
1 file changed, 10 insertions(+), 0 deletions(-)
diff --git a/man/ngircd.conf.5.tmpl b/man/ngircd.conf.5.tmpl
index 9d37e5fa..23c98fa9 100644
--- a/man/ngircd.conf.5.tmpl
+++ b/man/ngircd.conf.5.tmpl
@@ -397,6 +397,13 @@ All SSL-related configuration variables are located in the
 section. Please note that this whole section is only recognized by ngIRCd
 when it is compiled with support for SSL using OpenSSL or GnuTLS!
 .TP
+\fBCAFile (string)\fR
+Filename pointing to the Trusted CA Certificates. This is required for
+verifying peer certificates.
+.TP
+\fBCRLFile (string)\fR
+Filename of Certificate Revocation List.
+.TP
 \fBCertFile\fR (string)
 SSL Certificate file of the private server key.
 .TP
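Review bot: the new entries put the type inside the bold span (`\fBCAFile (string)\fR`, `\fBCRLFile (string)\fR`) while every existing entry in this section writes it outside (`\fBCertFile\fR (string)`); use the existing form so the rendered man page stays consistent. The CRLFile description should also say that the option is optional (the commit message lists CRL checking as an optional feature) and what the list is checked against, namely the peer certificates that CAFile is used to verify; and both entries would benefit from naming the expected file format, which the text leaves unstated.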
@@ -491,6 +498,9 @@ You can use the IRC Operator command CONNECT later on to create the link.
 \fBSSLConnect\fR (boolean)
 Connect to the remote server using TLS/SSL. Default: false.
 .TP
+\fBSSLVerify\fR (boolean)
+Verify the TLS certificate presented by the remote server. Default: yes.
+.TP
 \fBServiceMask\fR (string)
 Define a (case insensitive) list of masks matching nicknames that should be
 treated as IRC services when introduced via this remote server, separated
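Review bot: `Default: yes.` in the SSLVerify entry is inconsistent with the neighbouring SSLConnect entry, which writes its boolean default as `Default: false.`; use `Default: true.` here. The entry should also refer the reader to `CAFile` in the SSL section, since the CAFile text added by this same patch says it is required for verifying peer certificates, and it should state what happens to the link when verification fails, which the description currently leaves open.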