View Issue Details
Field | Value
---|---
ID | 0003254
Project | unreal
Category | ircd
View Status | public
Date Submitted | 2007-03-04 14:43
Last Update | 2012-02-26 22:01
Reporter | djGrrr
Assigned To |
Priority | normal
Severity | feature
Reproducibility | N/A
Status | resolved
Resolution | fixed
Platform | *
OS | *
OS Version | *
Product Version | 3.2.7
Target Version | 3.3-alpha0
Summary | 0003254: Allow the use of SSL Certificate Fingerprints for password fields
Tags | No tags attached.
3rd party modules |

Description

Currently, it's possible to specify SSL client certificates as passwords by using the sslclientcert flag. I think it would be much nicer if you could simply specify the certificate fingerprint/hash in plain text, rather than having to specify a file, similar to how InspIRCd does it: http://www.inspircd.org/wiki/SSL_Oper_Client_Certificate_Module . Also, being able to use the form with colons or without would be nice. Being able to do something like:

```
password "B3:00:8E:15:C8:7F:4F:18:84:B8:B3:1B:67:11:D2:2A:17:F3:A7:A0" { sslclientcertfp; };
```

and/or:

```
password "B3008E15C87F4F1884B8B31B6711D22A17F3A7A0" { sslclientcertfp; };
```

would be extremely nice, and would work much more easily for remote includes.

Additional Information

This hash is relatively easy to get, and shouldn't be too hard for anyone who would actually be using this feature:

```
openssl x509 -in client.cert.pem -noout -fingerprint
SHA1 Fingerprint=B3:00:8E:15:C8:7F:4F:18:84:B8:B3:1B:67:11:D2:2A:17:F3:A7:A0
```

Relationship | Issue | Status | Summary
---|---|---|---
related to | 0002832 | resolved | Remote include oper SSL cert

Great idea. I know this will definitely help people using remote includes and with opers on other servers. This should not be too hard to implement either. /me wonders if someone could make a patch
Well, it is all good and all, but the verification also involves checking the certificate chain and such.. I guess it is easy to implement though, since it doesn't take that much effort. (More cryptographically minded people should comment on whether a fingerprint is as secure as comparing the actual certificate; I'm inclined to think there is a risk to it.) Think it can be done using, modelling after auth.c..:

```c
/* X509_digest() and EVP_md5() come from these OpenSSL headers */
#include <openssl/evp.h>
#include <openssl/x509.h>

unsigned int md_size;
unsigned char md[EVP_MAX_MD_SIZE];
if (!X509_digest(x509_clientcert, EVP_md5(), md, &md_size)) {
    /* error condition */
}
/* md[0..md_size] now contains the digest, hex it up and compare */
```
Implemented in 3.3-alpha, .2344. Testing wished, of course :)
"Implemented 0003254 - Auth type 'sslcertfingerprint-sha1', suggested by djGrrr. There are reservations regarding the security of this, but for most purposes it should be okay. Cryptographically minded people may comment. This may also be used to allow remote included opers with SSL certificate fingerprints, as we cannot as of yet remote include client certificates (0002832, suggested by Stealth).

Example use:

```
$ openssl x509 -in cert.pem -noout -sha1 -fingerprint
SHA1 Fingerprint=FA:A6:A3:42:95:34:15:68:26:35:40:18:8D:50:68:D4:15:C8:12:9E
```

(where cert.pem is the oper's/server's/etc. SSL client certificate), translating into this auth block:

```
password "FA:A6:A3:42:95:34:15:68:26:35:40:18:8D:50:68:D4:15:C8:12:9E" { sslcertfingerprint-sha1; };
```

(the auth code is case sensitive). If anyone is interested in making a module for SSL client certificate authentication for services, you can probably use the code in here to do it quite simply. .. please mind any errors, it's been years since I (Stskeeps) last committed to here :)"
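The matching logic the thread describes (the earlier note's X509_digest sketch and the auth type that shipped), written out as an added example; it is not code from UnrealIRCd or from either commenter. It assumes what the thread states: the fingerprint is the SHA-1 digest over the certificate's DER encoding, which is what `openssl x509 -noout -sha1 -fingerprint` prints and what X509_digest() computes on the C side, and the configured value may be written with or without colons. All function names, the constructed DER stand-in and the sample config lines below are this example's own.

```python
"""Matching a presented client certificate against configured fingerprints.

Added example (not UnrealIRCd code). Assumes the fingerprint is the SHA-1
digest of the certificate's DER bytes, as `openssl x509 -fingerprint -sha1`
prints it, and that config values may carry colons or not, in any case.
"""
import hashlib
import hmac
import re
from typing import List, Optional, Tuple

# Hex length of one digest for the two algorithms the thread mentions
# (the note's sketch used MD5; the auth type that shipped uses SHA-1).
DIGEST_HEX_LEN = {"sha1": 40, "md5": 32}

# Auth-block syntax as shown in the commit message; only sha1 exists there.
PASSWORD_BLOCK_RE = re.compile(
    r'password\s+"(?P<fp>[^"]+)"\s*\{\s*sslcertfingerprint-(?P<algo>sha1)\s*;\s*\}\s*;'
)


def normalize_fingerprint(value: str, algo: str = "sha1") -> str:
    """Accept 'AA:BB:..' or 'AABB..' in any case; return bare uppercase hex.

    Anything that is not exactly one digest's worth of hex raises, so a typo
    in the config fails at load time instead of silently never matching.
    """
    bare = value.strip().replace(":", "").upper()
    if len(bare) != DIGEST_HEX_LEN[algo] or not re.fullmatch(r"[0-9A-F]+", bare):
        raise ValueError(f"not a {algo} fingerprint: {value!r}")
    return bare


def with_colons(bare_hex: str) -> str:
    """Render bare hex in the colon-separated form openssl prints."""
    return ":".join(bare_hex[i:i + 2] for i in range(0, len(bare_hex), 2))


def cert_fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Digest of the DER-encoded certificate as uppercase hex without colons."""
    return hashlib.new(algo, der).hexdigest().upper()


def parse_password_block(line: str) -> Tuple[str, str]:
    """Extract (normalized fingerprint, algo) from one auth-block line."""
    m = PASSWORD_BLOCK_RE.search(line)
    if m is None:
        raise ValueError(f"not a fingerprint auth block: {line!r}")
    algo = m.group("algo")
    return normalize_fingerprint(m.group("fp"), algo), algo


def fingerprint_matches(configured: str, der: bytes, algo: str = "sha1") -> bool:
    """True when the presented certificate's digest equals the configured one.

    compare_digest keeps the comparison time independent of where the first
    differing character is. What this does NOT check: chain, validity period
    or revocation; a fingerprint match only pins one exact certificate.
    """
    expected = normalize_fingerprint(configured, algo)
    return hmac.compare_digest(expected, cert_fingerprint(der, algo))


def find_matching_entry(config_lines: List[str], der: bytes) -> Optional[int]:
    """Index of the first auth block whose fingerprint matches, else None."""
    for i, line in enumerate(config_lines):
        fp, algo = parse_password_block(line)
        if hmac.compare_digest(fp, cert_fingerprint(der, algo)):
            return i
    return None


# Constructed stand-in for DER certificate bytes; not a real certificate.
SAMPLE_DER = b"\x30\x82constructed-sample-not-a-real-certificate"

if __name__ == "__main__":
    fp = cert_fingerprint(SAMPLE_DER)
    # Both spellings the reporter asked for resolve to the same entry.
    config = [
        'password "B3:00:8E:15:C8:7F:4F:18:84:B8:B3:1B:67:11:D2:2A:17:F3:A7:A0" { sslcertfingerprint-sha1; };',
        f'password "{with_colons(fp).lower()}" {{ sslcertfingerprint-sha1; }};',
    ]
    print("openssl-style:", with_colons(fp))
    print("matched entry:", find_matching_entry(config, SAMPLE_DER))
```

The hex is normalized before comparison so the colon form and the bare form, upper or lower case, behave identically; the case sensitivity the commit message mentions concerns the auth type keyword, not the hex. Two points from the thread carry over as design choices: the match is done with a constant-time comparison, and it deliberately does nothing about the chain, because a pinned fingerprint authenticates possession of one exact certificate and not its issuer. SHA-1 is no longer collision-resistant, so treating the pinned value as a secret-equivalent and keeping the certificate file itself under the same protection as a password remains the sensible reading of the "reservations" noted in the commit.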

Needs re-porting for 3.3.. Though, could also later be backported to 3.2, possibly...
Item 0004019 has a patch that adds this to the 3.2 code, and 0004020 includes a preliminary command for getting a fingerprint IRC-side, though it could be extended to simply add the fingerprint to WHOIS output.
Thanks, I didn't see that. I've now marked the bug you mention as 'has patch'. |

Date Modified | Username | Field | Change
---|---|---|---
2007-03-04 14:43 | djGrrr | New Issue |
2007-03-04 18:00 | Stealth | Note Added: 0013272 |
2007-04-13 06:43 | | Note Added: 0013370 |
2007-04-13 06:47 | | Relationship added | related to 0002832
2007-04-15 03:41 | | Status | new => assigned
2007-04-15 03:41 | | Assigned To | => stskeeps
2007-04-15 03:48 | | Note Added: 0013381 |
2007-04-15 03:51 | | Note Added: 0013382 |
2007-04-15 03:51 | | Status | assigned => resolved
2007-04-15 03:51 | | Resolution | open => fixed
2011-07-19 14:00 | syzop | Note Added: 0016702 |
2011-07-19 14:00 | syzop | Assigned To | stskeeps =>
2011-07-19 14:00 | syzop | Status | resolved => needs re porting
2011-07-19 17:11 | syzop | Target Version | => 3.3-alpha0
2011-10-11 11:56 | Jobe | Note Added: 0016755 |
2012-02-26 22:01 | syzop | Note Added: 0016925 |
2012-02-26 22:01 | syzop | Status | needs re porting => resolved
2012-02-26 22:01 | syzop | Assigned To | => syzop
2012-02-26 22:01 | syzop | Assigned To | syzop =>