From 817937b218c4b57515f54216ebc936cd69df0aae Mon Sep 17 00:00:00 2001 From: Christoph Biedl Date: Sun, 2 Nov 2014 14:48:34 +0100 Subject: Support for server certificate validation on server links [S2S-TLS] This patch provides code to validate the server certificate in server links, defeating nasty man-in-the-middle attacks on server links. Features: - Check whether the certificate is signed by a trusted certificate authority (CA). - Check the host name, including wildcard certificates and Subject Alternative Names. - Optionally check against a certificate revocation list (CRL). - Implementation for both OpenSSL and GnuTLS linkage. Left for another day: - Parameterize the TLS parameter of an outbound connection. Currently, it's hardcoded to disable all versions before TLSv1.1. - Using certificate as CA-certificate. They work for GnuTLS only but perhaps this should rather raise an error there, too. - Optional OCSP checking. - Checking client certificates. Code is there but this first needs some consideration about the use cases. This could replace all other authentication methods, for both client-server and server-server connections. This patch is based on a patch by Florian Westphal from 2009, which implemented this for OpenSSL only: From: Florian Westphal Date: Mon, 18 May 2009 00:29:02 +0200 Subject: SSL/TLS: Add initial certificate support to OpenSSL backend Commit message modified by Alex Barton. Closes #120, "Server links using TLS/SSL need certificate validation". Supersedes PR #8, "Options for verifying and requiring SSL client certificates", which had (incomplete?) code for OpenSSL, no GnuTLS. --- doc/sample-ngircd.conf.tmpl | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'doc') diff --git a/doc/sample-ngircd.conf.tmpl b/doc/sample-ngircd.conf.tmpl index d59b139b..5f9cb9eb 100644 --- a/doc/sample-ngircd.conf.tmpl +++ b/doc/sample-ngircd.conf.tmpl @@ -273,6 +273,13 @@ # is only available when ngIRCd is compiled with support for SSL! # So don't forget to remove the ";" above if this is the case ... + # SSL Trusted CA Certificates File (for verifying peer certificates) + ;CAFile = /etc/ssl/CA/cacert.pem + + # Certificate Revocation File (for marking otherwise valid + # certficates as invalid) + ;CRLFile = /etc/ssl/CA/crl.pem + # SSL Server Key Certificate ;CertFile = :ETCDIR:/ssl/server-cert.pem @@ -364,6 +371,10 @@ # Connect to the remote server using TLS/SSL (Default: false) ;SSLConnect = yes + # Verify the TLS certificate presented by the remote server + # (Default: yes) + ;SSLVerify = yes + # Define a (case insensitive) list of masks matching nicknames that # should be treated as IRC services when introduced via this remote # server, separated by commas (","). -- cgit 1.4.1