View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0001827 | unreal | ircd | public | 2004-05-21 00:52 | 2015-08-08 18:26 |
Reporter | DukePyrolator | Assigned To | syzop | ||
Priority | normal | Severity | minor | Reproducibility | have not tried |
Status | closed | Resolution | no change required | ||
Summary | 0001827: remote includes with ssl and self signed server certificates | ||||
Description | *** Notice -- error: unrealircd.conf:15: include: error downloading 'https://***/network.conf': SSL certificate problem, verify that the CA cert is OK I use a self signed certificate. Is there a way to disable the certificate checking in remote includes? include "https://bla.com/network.conf" { insecure; }; | ||||
Additional Information | ReleaseID (1.1.1.1.2.1.2.1.2.2234.2.21 2004/05/18 21:17:29) libcurl/7.11.0 OpenSSL/0.9.7d zlib/1.2.1 http://curl.haxx.se/docs/sslcerts.html | ||||
Tags | No tags attached. | ||||
3rd party modules | |||||
has duplicate | 0002756 | resolved | SSL and Remote includes |
|
I found a solution for my "problem". I added the following line to url.c/set_curl_ssl_options: curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE); perhaps you can make a config option for it? I think I'm not the only user with self signed ssl-certificates. edited on: 2004-05-22 14:56 |
|
I suppose I could make that tap into set::ssl::options to determine whether to allow it or not. |
|
I think it's not a SSL option, it's a CURL option. Look at http://curl.haxx.se/docs/manpage.html, there are some more options which should be included in Unreal. --digest Enables HTTP Digest authentication --cert use the specified certificate file when getting a file with HTTPS --cacert use the specified certificate file to verify the peer --ftp-ssl Make the FTP connection switch to use SSL/TLS. (Added in 7.11.0) --insecure Tell libcurl to *not* verify the peer. --config Specify which config file to read curl arguments from |
|
Yes, it's a curl option, but it is only valid for SSL, and so it is an SSL setting. |
|
Any news on it? I don't want to modify each unreal version to make it work on my network. :( |
|
hm.. why not just add the certificates? :P. Much more secure, and then you don't need to modify your unreal :P. Or did I miss anything... |
|
I have a self-signed ssl certificate. A certificate signed by an offical CA costs a lot of money. http://curl.haxx.se/docs/sslcerts.html |
|
yeah I know, but... oh self-signed... so you cannot directly add that? fun :p Well let me explain what I did on my network: I just created my own CA, and sign server certificates with that. AFAIK you can simply do the same with https SSL certificates.. And then you could just add that CA to curl :p. |
|
[quote]yeah I know, but... oh self-signed... so you cannot directly add that? fun :p Well let me explain what I did on my network: I just created my own CA, and sign server certificates with that. AFAIK you can simply do the same with https SSL certificates.. And then you could just add that CA to curl[/quote] And there is always cacert.org which does the same thing. |
|
Bump. Is this still valid? Patch? |
|
I still have problems with remote includes in self signed server certificates. I'm using libcurl/7.17.1 OpenSSL/0.9.8a zlib/1.2.3 c-ares/1.4.0 libidn/0.6.0. (Unreal 3.2.7) include "https://mydomain.net/network.conf"; results in: "Could not resolve host" (http:// is working) My Modification from 2004 (CURLOPT_SSL_VERIFYPEER, FALSE) does not work. |
|
I have come across the issue that curl will not accept a self signed certificate. Anyway we can make an option for this? |
|
We could. I was about to suggest set::curl::verify-certificate [yes|no]? (with the default of yes), but.. when I was writing that I realized there's a problem: the configuration isn't parsed until all remote includes have been fetched ;) We could make it a ./Config option I guess. Or parse the main config file for exactly this setting before we process remote includes, but that sounds quite hackish. |
|
The way I overcame this issue with remote includes was to just add my CA certificate for the webserver to curl-ca-bundle.crt in the Unreal folder. If you're using self-signed you can just add the webserver's certificate instead to the file. |
|
Yeah, that's the current way to do it :) Remember that accepting any certificate (which is basically what Cronus and DukePyrolator are asking) is insecure. It permits man-in-the-middle (MITM) attacks where an attacker can intercept communication between the ircd and the https server and inject - for example - a configuration file of his choosing, thus granting him oper access etc. Even worse, if the attacker has a local account on the same box the ircd is running on, then he could create a module in /tmp for example and make it load through this technique and run any code of his choosing. So this would definitely never be the default. The question is if we should make a ./Config option for this, or rather ./Config -advanced. It would be fine by me, I guess. Another option is include/config.h. We generally use the latter for options we advise against. |
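The route the thread settles on (syzop's "create your own CA and sign the server certificate with it", Stealth's "add the CA certificate to curl-ca-bundle.crt") and the reason verification has to stay on, written out as an added example. This is not code from the bug report or from UnrealIRCd; it assumes openssl is installed, and the hostname, subject names and file paths are placeholders. Only the CA certificate goes into the bundle, so libcurl keeps CURLOPT_SSL_VERIFYPEER on and an unrelated self-signed certificate presented for the same host is still rejected.

```shell
#!/bin/sh
# Added example (not UnrealIRCd code): private CA -> signed server cert ->
# CA appended to curl-ca-bundle.crt, with peer verification left enabled.
# HOST, subject names and paths are placeholders; WORKDIR defaults to a
# fresh temporary directory.
set -eu

WORKDIR=${WORKDIR:-$(mktemp -d)}
HOST=${HOST:-www.example.net}                  # placeholder: host serving network.conf
BUNDLE=${BUNDLE:-$WORKDIR/curl-ca-bundle.crt}  # the bundle handed to libcurl

# make_ca: self-signed CA key and certificate, created once and reused.
# The CA certificate is the single trust anchor that ends up in the bundle.
make_ca() {
  if [ -f "$WORKDIR/ca.crt" ]; then return 0; fi
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" \
    -subj "/CN=Example IRC network private CA" >/dev/null 2>&1
}

# issue_server_cert: key and CSR for the web server, signed by the private CA.
# The SAN matters in real use because curl matches the certificate against HOST.
issue_server_cert() {
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.csr" \
    -subj "/CN=$HOST" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORKDIR/san.ext"
  openssl x509 -req -days 825 -in "$WORKDIR/server.csr" \
    -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
    -extfile "$WORKDIR/san.ext" -out "$WORKDIR/server.crt" >/dev/null 2>&1
}

# add_ca_to_bundle: append the CA certificate, but only when the bundle does
# not already validate the server certificate (safe to run repeatedly).
add_ca_to_bundle() {
  touch "$BUNDLE"
  if openssl verify -CAfile "$BUNDLE" "$WORKDIR/server.crt" >/dev/null 2>&1; then
    return 0
  fi
  cat "$WORKDIR/ca.crt" >> "$BUNDLE"
}

# server_cert_trusted: 0 when the bundle validates the server certificate,
# which is the decision libcurl makes with CURLOPT_SSL_VERIFYPEER left on.
server_cert_trusted() {
  openssl verify -CAfile "$BUNDLE" "$WORKDIR/server.crt" >/dev/null 2>&1
}

# rogue_cert_rejected: a different self-signed certificate for the same host
# (what an interposed party could present) must NOT validate against the
# bundle. Returns 0 when it is correctly rejected.
rogue_cert_rejected() {
  [ -f "$WORKDIR/rogue.crt" ] || openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORKDIR/rogue.key" -out "$WORKDIR/rogue.crt" \
    -subj "/CN=$HOST" >/dev/null 2>&1
  ! openssl verify -CAfile "$BUNDLE" "$WORKDIR/rogue.crt" >/dev/null 2>&1
}

# bundle_cert_count: number of certificates currently in the bundle.
bundle_cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$BUNDLE" || true
}

main() {
  make_ca
  issue_server_cert
  add_ca_to_bundle
  if server_cert_trusted; then
    echo "server certificate validates against $BUNDLE"
  else
    echo "server certificate does NOT validate; bundle is wrong" >&2; exit 1
  fi
  if rogue_cert_rejected; then
    echo "unrelated self-signed certificate for $HOST is rejected"
  else
    echo "rogue certificate accepted; bundle trusts too much" >&2; exit 1
  fi
  echo "bundle holds $(bundle_cert_count) certificate(s); install server.crt/server.key on $HOST"
  # Fetch test from the ircd box (needs network, so not run here):
  #   curl --cacert "$BUNDLE" "https://$HOST/network.conf"
}

main
```

Running it a second time against the same WORKDIR reuses the CA, reissues the server certificate and appends nothing, so the bundle stays at one extra certificate; that is the behaviour you want when the server certificate is renewed.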
|
I'd prefer to see this in include/config.h IF we opt to implement it, because: * We advise against it (see Syzop's comments). * There is a secure workaround (add cert to curl-ca-bundle.crt). * It isn't a very widespread issue (as in this is the first or second time I have seen it since remote includes were added). |
|
I would prefer a ./Config option. I'm using a few Windows IRCds. Making it a config.h setting wouldn't be best. |
|
A ./Config option wouldn't help you on Windows either, the IRCd would need to be compiled either way :P |
|
Oh right, it's late, forgive me. I'll simplify it, make it work on the windows versions too! |
|
shouldn't use self-signed, can add to ca certificate bundle, see previous comment from me & all the other issues in previous comments. |
Date Modified | Username | Field | Change |
---|---|---|---|
2004-05-21 00:52 | DukePyrolator | New Issue | |
2004-05-22 14:56 | DukePyrolator | Note Added: 0006374 | |
2004-05-22 14:56 | DukePyrolator | Note Edited: 0006374 | |
2004-05-22 19:36 | | Note Added: 0006379 | |
2004-05-23 00:06 | DukePyrolator | Note Added: 0006387 | |
2004-05-23 00:11 | | Note Added: 0006388 | |
2005-02-25 00:37 | DukePyrolator | Note Added: 0009298 | |
2005-02-25 10:18 | syzop | Note Added: 0009301 | |
2005-02-25 10:52 | DukePyrolator | Note Added: 0009304 | |
2005-02-25 11:03 | syzop | Note Added: 0009305 | |
2005-02-25 11:49 | | Note Added: 0009306 | |
2007-04-19 04:39 | | Note Added: 0013593 | |
2007-04-27 03:10 | | Status | new => feedback |
2007-04-27 03:44 | | Relationship added | has duplicate 0002756 |
2007-12-16 17:55 | DukePyrolator | Note Added: 0014909 | |
2012-11-13 20:26 | Cronus | Note Added: 0017233 | |
2012-12-15 20:36 | syzop | Note Added: 0017261 | |
2013-02-15 08:18 | wolfwood | Note Added: 0017418 | |
2013-02-19 22:47 | syzop | Note Added: 0017426 | |
2013-02-20 00:27 | Stealth | Note Added: 0017428 | |
2013-02-20 02:56 | Cronus | Note Added: 0017429 | |
2013-02-20 03:26 | Stealth | Note Added: 0017430 | |
2013-02-20 03:27 | Cronus | Note Added: 0017431 | |
2015-08-08 18:26 | syzop | Note Added: 0018644 | |
2015-08-08 18:26 | syzop | Status | feedback => closed |
2015-08-08 18:26 | syzop | Assigned To | => syzop |
2015-08-08 18:26 | syzop | Resolution | open => no change required |