View Issue Details

ID: 0003389
Project: unrealircd
Category: (not set)
View Status: public
Last Update: 2015-07-09 19:51
Reporter: Stealth
Assigned To: syzop
Priority: normal
Severity: feature
Reproducibility: N/A
Status: resolved
Resolution: fixed
Platform: *
OS: *
OS Version: *
Product Version: 3.3-alpha0
Fixed in Version: 3.4-alpha3
Summary: 0003389: Ability to retrieve SSL fingerprint of connected user
Description: It would be nice to be able to retrieve the SSL fingerprint of a connected user. This command should be available to all users.

Uses would be for admins who want to add an oper but only want the SSL fingerprint, and for users who want to verify who they are talking to, through scripts and such.

Command could be called USERFINGERPRINT (if that isn't too long), and work like USERHOST and USERIP.
Tags: No tags attached.
3rd party modules: (not set)

Activities

stskeeps

2007-06-13 06:51

reporter   ~0014355

I'm inclined to make this 3rd party module wishlist, but I see benefit in this module as part of a release. I do however think we should look into the actual security of the SSL fingerprints if we decide to make such a module.

Also, this means the IRCd has the responsibility to check using OCSP if the certificate expired or alike and verify the user is doing what it should, and USERFINGERPRINT would rely on the trust of the IRCd doing this.

stskeeps

2007-06-13 07:02

reporter   ~0014356

Also, there might be more benefit in a services/bot solution for this, that is: on connection, send :server FINGERPRINT <user> :fingerprint, and allow users to register their certificate through a service and verify they're talking to the right user.

stskeeps

2007-06-13 07:14

reporter   ~0014357

Sample use could be..:

For the user:
/nickserv cert add <fingerprint> <common name from cert>
/nickserv cert del <fingerprint>
/nickserv cert list

For the server:

Send :server FINGERPRINT <nick> :CommonName to services

NickServ would then based on this information automatically identify you

For the requester:

/nickserv trust Stskeeps

-NickServ- Trust level 3 - Stskeeps is currently verified using his client certificate

-NickServ- Trust level 2 - Stskeeps has identified using his password

-NickServ- Trust level 1 - Stskeeps is recognized using his host mask

-NickServ- Trust level 0 - Stskeeps is not authenticated in any way

It should be possible to build proper scripts on this? I.e., when a user queries you or you open a query to someone, the script could send a /nickserv trust query and notify you in the window when the channel has been verified as being secure.

This does however require that servers VERIFY the certificates to make sure they're not expired or revoked, before this is a sufficiently secure way.

Same goes for SSL fingerprints and SSL client certificates, though.

Stealth

2007-06-13 12:12

reporter   ~0014359

> Also, this means the IRCd has the responsibility to check using OCSP if the certificate expired or alike and verify the user is doing what it should, and USERFINGERPRINT would rely on the trust of the IRCd doing this.

isn't that what set::ssl::verify-certificate is supposed to do?

stskeeps

2007-06-14 05:15

reporter   ~0014361

Yeah, was just implying that it has to be turned on or this could be a huge security hole instead.

Stealth

2007-06-14 11:14

reporter   ~0014362

Perhaps deny use of the command if set::ssl::verify-certificate is not set?
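The point argued in the comments above, that a client-certificate fingerprint is only worth exposing once the server actually validates the certificate, shown as an added example. This is illustrative Go written for this page, not UnrealIRCd code: the fingerprint format (SHA-256 over the DER certificate, lowercase hex), the self-signed test certificates, the CN "Stealth" and the hostname irc.example.test are all assumptions of the example, and the boolean `verify` stands in for set::ssl::verify-certificate. Revocation checking (OCSP/CRL) is left out because it needs network access; only the validity-period check is implemented.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"net"
	"time"
)

// makeCert builds a self-signed certificate for cn, valid from notBefore to notAfter (constructed test material).
func makeCert(cn string, notBefore, notAfter time.Time) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// Fingerprint is SHA-256 over the DER-encoded certificate as lowercase hex (assumed format; the hash
// must be collision-resistant, or a forged certificate could share a known user's fingerprint).
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// checkValidity is the minimum check the thread asks of the IRCd before a fingerprint is trusted:
// refuse a certificate outside its validity period. Revocation (OCSP/CRL) is out of scope offline.
func checkValidity(c *x509.Certificate, now time.Time) error {
	if now.Before(c.NotBefore) || now.After(c.NotAfter) {
		return fmt.Errorf("certificate for %q not valid at %s", c.Subject.CommonName, now.UTC().Format(time.RFC3339))
	}
	return nil
}

// Handshake runs a TLS handshake over an in-memory pipe. The server side stands in for the
// IRCd: it reads fingerprint and CN from the client certificate and, when verify is true (the
// analogue of set::ssl::verify-certificate), drops a certificate that is not currently valid.
func Handshake(serverCert, clientCert tls.Certificate, verify bool) (fp, cn string, err error) {
	srvConn, cliConn := net.Pipe()
	defer srvConn.Close()                       // closing one end also unblocks the other
	deadline := time.Now().Add(5 * time.Second) // never hang if both sides block on the pipe
	srvConn.SetDeadline(deadline)
	cliConn.SetDeadline(deadline)
	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAnyClientCert, // demand a certificate; its validity is checked below
	}
	cliCfg := &tls.Config{
		Certificates:       []tls.Certificate{clientCert},
		InsecureSkipVerify: true, // self-signed server certificate; the client side is not under test
	}
	done := make(chan error, 1)
	go func() { done <- tls.Client(cliConn, cliCfg).Handshake() }()
	srv := tls.Server(srvConn, srvCfg)
	if err = srv.Handshake(); err != nil {
		return "", "", err
	}
	if err = <-done; err != nil {
		return "", "", err
	}
	peer := srv.ConnectionState().PeerCertificates
	if len(peer) == 0 {
		return "", "", fmt.Errorf("client presented no certificate")
	}
	if verify {
		if err = checkValidity(peer[0], time.Now()); err != nil {
			return "", "", err
		}
	}
	return Fingerprint(peer[0].Raw), peer[0].Subject.CommonName, nil
}

func main() {
	now := time.Now()
	server, _ := makeCert("irc.example.test", now.Add(-time.Hour), now.Add(time.Hour))
	expired, _ := makeCert("Stealth", now.Add(-2*time.Hour), now.Add(-time.Hour))
	fp, cn, err := Handshake(server, expired, false)
	fmt.Printf("verify off: fp=%s cn=%s err=%v\n", fp, cn, err) // an expired certificate still yields a fingerprint
	_, _, err = Handshake(server, expired, true)
	fmt.Printf("verify on:  err=%v\n", err) // the connection is refused instead
}
```

With `verify` false the server happily hands out the fingerprint and CN of a certificate that expired an hour ago, which is the "huge security hole" the thread warns about: any consumer of that fingerprint (an oper block, a NickServ trust query) would be trusting an identity the server never validated. With `verify` true the same connection is dropped before a fingerprint is ever produced.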

syzop

2015-07-09 19:50

administrator   ~0018460

In /WHOIS now (3.4-alpha....)

Issue History

Date Modified Username Field Change
2007-06-12 23:10 Stealth New Issue
2007-06-13 06:48 stskeeps Status new => acknowledged
2007-06-13 06:51 stskeeps Note Added: 0014355
2007-06-13 07:02 stskeeps Note Added: 0014356
2007-06-13 07:14 stskeeps Note Added: 0014357
2007-06-13 12:12 Stealth Note Added: 0014359
2007-06-14 05:15 stskeeps Note Added: 0014361
2007-06-14 11:14 Stealth Note Added: 0014362
2015-07-09 19:50 syzop Note Added: 0018460
2015-07-09 19:50 syzop Status acknowledged => resolved
2015-07-09 19:50 syzop Fixed in Version => 3.4-alpha3
2015-07-09 19:50 syzop Resolution open => fixed
2015-07-09 19:50 syzop Assigned To => syzop