View Issue Details

IDProjectCategoryView StatusLast Update
0003254unrealircdpublic2012-02-26 22:01
ReporterdjGrrr Assigned To 
Status resolvedResolutionfixed 
Platform*OS*OS Version*
Product Version3.2.7 
Target Version3.3-alpha0 
Summary0003254: Allow the use of SSL Certificate Fingerprints for password fields
DescriptionCurrently, its possible to specify SSL Client Certificates as passwords by using the sslclientcert flag. i think it would be much nicer if you could simply specify the Certificate fingerprint/hash in plain text, rather than having to specify a file, similar to how InspIRCd does it .
also, being able to use the form with :'s or without would be nice.

being able to do something like:
password "B3:00:8E:15:C8:7F:4F:18:84:B8:B3:1B:67:11:D2:2A:17:F3:A7:A0" { sslclientcertfp; };
password "B3008E15C87F4F1884B8B31B6711D22A17F3A7A0" { sslclientcertfp; };

would be extremely nice, and would work much easier for remote includes.
Additional Informationthis hash is relatively easy to get, and shouldn't be too hard for anyone who would actually be using this feature:
openssl x509 -in client.cert.pem -noout -fingerprint
SHA1 Fingerprint=B3:00:8E:15:C8:7F:4F:18:84:B8:B3:1B:67:11:D2:2A:17:F3:A7:A0
TagsNo tags attached.
3rd party modules


related to 0002832 resolvedstskeeps Remote include oper SSL cert 



2007-03-04 18:00

reporter   ~0013272

Great idea. I know this will definately help people using remote includes and with opers on other servers. This should not be too hard to impliment either.

/me wonders if someone could make a patch


2007-04-13 06:43

reporter   ~0013370

Well it is all good and all, but the verification also involves checking certificate chain and such .. I guess it is easy to implement though since it doesn't take that much effort (More cryptographically minded people should comment on if a fingerprint is as secure as comparing the actual certificate, I'm inclined to think there is a risk to it..

Think it can be done using, modelling after auth.c.. :

    unsigned int md_size;
    unsigned char md[EVP_MAX_MD_SIZE];
    if (!X509_digest(x509_clientcert,EVP_md5(),md,&md_size)) { /* error condition */ }
    // md[0..md_size] now contains the digest, hex it up and compare


2007-04-15 03:48

reporter   ~0013381

Implemented in 3.3-alpha, .2344. Testing wished, ofcourse :)


2007-04-15 03:51

reporter   ~0013382

"Implemented 0003254 - Auth type 'sslcertfingerprint-sha1', suggested by
  djGrr. There are reservations regarding the security of this, but for most
   purposes it should be okay. Cryptographically minded people may comment.
  This may also be used to allow remote included opers with SSL certificate
  fingerprints as we cannot as of yet remote include client certificates
  (0002832, suggested by Stealth)
  Example use:
  $ openssl x509 -in cert.pem -noout -sha1 -fingerprint
   (where cert.pem is the oper's/server's/etc SSL client certificate)
  SHA1 Fingerprint=FA:A6:A3:42:95:34:15:68:26:35:40:18:8D:50:68:D4:15:C8:12:9E

 translating into this auth block:
 password "FA:A6:A3:42:95:34:15:68:26:35:40:18:8D:50:68:D4:15:C8:12:9E" { sslcertfingerprint-sha1; };
 (the auth code is case sensitive).

 If anyone is interested in making a module for SSL client certificate
 authentication for services, you can probably use the code in here to do it
 quite simple.
 .. please mind any errors, it's been years since I (Stskeeps) last committed to here :)


2011-07-19 14:00

administrator   ~0016702

Needs re-porting for 3.3..

Though, could also later be backported to 3.2, possibly...


2011-10-11 11:56

reporter   ~0016755

Item 0004019 has a patch that adds this to 3.2 code and 0004020 includes a priliminary command for getting a fingerprint IRC side, though it could be extended to simply add the fingerprint to WHOIS output.


2012-02-26 22:01

administrator   ~0016925

Thanks, I didn't see that. I've now marked the bug you mention as 'has patch'.

Issue History

Date Modified Username Field Change
2007-03-04 14:43 djGrrr New Issue
2007-03-04 18:00 Stealth Note Added: 0013272
2007-04-13 06:43 stskeeps Note Added: 0013370
2007-04-13 06:47 stskeeps Relationship added related to 0002832
2007-04-15 03:41 stskeeps Status new => assigned
2007-04-15 03:41 stskeeps Assigned To => stskeeps
2007-04-15 03:48 stskeeps Note Added: 0013381
2007-04-15 03:51 stskeeps Note Added: 0013382
2007-04-15 03:51 stskeeps Status assigned => resolved
2007-04-15 03:51 stskeeps Resolution open => fixed
2011-07-19 14:00 syzop Note Added: 0016702
2011-07-19 14:00 syzop Assigned To stskeeps =>
2011-07-19 14:00 syzop Status resolved => needs re porting
2011-07-19 17:11 syzop Target Version => 3.3-alpha0
2011-10-11 11:56 Jobe Note Added: 0016755
2012-02-26 22:01 syzop Note Added: 0016925
2012-02-26 22:01 syzop Status needs re porting => resolved
2012-02-26 22:01 syzop Assigned To => syzop
2012-02-26 22:01 syzop Assigned To syzop =>