Issue 0003254 (UnrealIRCd bug tracker)

ID: 0003254
Category: [unreal] ircd
Severity: feature
Reproducibility: N/A
Date Submitted: 2007-03-04 14:43
Last Update: 2007-04-15 03:51
Reporter: djGrrr
View Status: public
Assigned To: stskeeps
Priority: normal
Resolution: fixed
Status: resolved
Product Version: 3.2.7
Summary: 0003254: Allow the use of SSL Certificate Fingerprints for password fields
Description

Currently, it's possible to specify SSL client certificates as passwords by using the sslclientcert flag. I think it would be much nicer if you could simply specify the certificate fingerprint/hash in plain text, rather than having to specify a file, similar to how InspIRCd does it: http://www.inspircd.org/wiki/SSL_Oper_Client_Certificate_Module . Also, being able to use the form with :'s or without would be nice. Being able to do something like:

    password "B3:00:8E:15:C8:7F:4F:18:84:B8:B3:1B:67:11:D2:2A:17:F3:A7:A0" { sslclientcertfp; };

and/or:

    password "B3008E15C87F4F1884B8B31B6711D22A17F3A7A0" { sslclientcertfp; };

would be extremely nice, and would work much more easily for remote includes.
Additional Information

This hash is relatively easy to get, and shouldn't be too hard for anyone who would actually be using this feature:

    $ openssl x509 -in client.cert.pem -noout -fingerprint
    SHA1 Fingerprint=B3:00:8E:15:C8:7F:4F:18:84:B8:B3:1B:67:11:D2:2A:17:F3:A7:A0
Tags: No tags attached.
QA: Not touched yet by developer
U4: Need for upstream patch: No need for upstream InspIRCd patch
U4: Upstream notification of bug: Not decided
U4: Contributor working on this: None
Attached Files: none
Notes
(0013272) Stealth (administrator) 2007-03-04 18:00

Great idea. I know this will definitely help people using remote includes and with opers on other servers. This should not be too hard to implement either. /me wonders if someone could make a patch
|
(0013370) stskeeps (reporter) 2007-04-13 06:43

Well it is all good and all, but the verification also involves checking the certificate chain and such. I guess it is easy to implement though, since it doesn't take that much effort. (More cryptographically minded people should comment on whether a fingerprint is as secure as comparing the actual certificate; I'm inclined to think there is a risk to it.) I think it can be done, modelling after auth.c, like this:

    #include <openssl/evp.h>
    #include <openssl/x509.h>

    unsigned int md_size;
    unsigned char md[EVP_MAX_MD_SIZE];

    /* x509_clientcert is the X509 * obtained from the client's TLS session */
    if (!X509_digest(x509_clientcert, EVP_md5(), md, &md_size)) {
        /* error condition */
    }
    /* md[0..md_size] now contains the digest; hex it up and compare */
|
(0013381) stskeeps (reporter) 2007-04-15 03:48

Implemented in 3.3-alpha, .2344. Testing wished, of course :)
|
(0013382) stskeeps (reporter) 2007-04-15 03:51

"Implemented 0003254 - Auth type 'sslcertfingerprint-sha1', suggested by djGrr. There are reservations regarding the security of this, but for most purposes it should be okay. Cryptographically minded people may comment. This may also be used to allow remote included opers with SSL certificate fingerprints, as we cannot as of yet remote include client certificates (0002832, suggested by Stealth).

Example use:

    $ openssl x509 -in cert.pem -noout -sha1 -fingerprint

(where cert.pem is the oper's/server's/etc SSL client certificate)

    SHA1 Fingerprint=FA:A6:A3:42:95:34:15:68:26:35:40:18:8D:50:68:D4:15:C8:12:9E

translating into this auth block:

    password "FA:A6:A3:42:95:34:15:68:26:35:40:18:8D:50:68:D4:15:C8:12:9E" { sslcertfingerprint-sha1; };

(the auth code is case sensitive).

If anyone is interested in making a module for SSL client certificate authentication for services, you can probably use the code in here to do it quite simply. .. please mind any errors, it's been years since I (Stskeeps) last committed to here :) "