View Issue Details
ID: 0003389
Project: unreal
Category: ircd
View Status: public
Date Submitted: 2007-06-12 23:10
Last Update: 2015-07-09 19:51
Target Version:
Fixed in Version: 3.4-alpha3
Summary: 0003389: Ability to retrieve SSL fingerprint of connected user
Description:
It would be nice to be able to retrieve the SSL fingerprint of a connected user. This command should be available to all users.
Uses would be for admins wanting to add an oper, but who only want the SSL fingerprint; and for users who want to verify who they are talking to through scripts and such.
Command could be called USERFINGERPRINT (if that isn't too long), and work like USERHOST and USERIP.
Tags: No tags attached.
3rd party modules:
I'm inclined to make this 3rd party module wishlist, but I see benefit in this module as part of a release. I do however think we should look into the actual security of the SSL fingerprints if we decide to make such a module.
Also, this means the IRCd has the responsibility to check using OCSP whether the certificate has expired or the like and verify the user is doing what it should, and USERFINGERPRINT would rely on trusting the IRCd to do this.
Also, there might be more benefit in a services/bot solution for this, that is: on connection, send :server FINGERPRINT <user> :fingerprint, and allow users to register their certificate through a service and verify they're talking to the right user.
Sample use could be:
For the user:
/nickserv cert add <fingerprint> <common name from cert>
/nickserv cert del <fingerprint>
/nickserv cert list
For the server:
Send :server FINGERPRINT <nick> :CommonName to services
NickServ would then based on this information automatically identify you
For the requester:
/nickserv trust Stskeeps
-NickServ- Trust level 3 - Stskeeps is currently verified using his client certificate
-NickServ- Trust level 2 - Stskeeps has identified using his password
-NickServ- Trust level 1 - Stskeeps is recognized using his host mask
-NickServ- Trust level 0 - Stskeeps is not authenticated in any way
This should be possible to build proper scripts on? I.e., when a user queries you or you open a query to someone, the script could send a /nickserv trust query, and notify you in the window when the channel has been verified as being secure.
This does however require that servers VERIFY the certificates to make sure they're not expired or revoked, before this is a sufficiently secure way.
Same goes for SSL fingerprints and SSL client certificates, though
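The services side of the scheme sketched in the note above, as an added example that is not UnrealIRCd code or any services package's code. It assumes fingerprints are SHA-256 over the DER certificate (the issue does not name an algorithm), that the IRCd sends `:server FINGERPRINT <nick> :<fingerprint>`, and that services know whether the IRCd actually verifies client certificates (the set::ssl::verify-certificate point raised later in the thread): when it does not, a fingerprint proves nothing and no identification is granted. Account names, nicks and the server name are constructed.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Assumption: SHA-256 over the DER certificate, rendered as 64 uppercase hex digits.
FINGERPRINT_RE = re.compile(r"^[0-9A-F]{64}$")
# Assumed wire format from the note: ":server FINGERPRINT <nick> :<fingerprint>"
FINGERPRINT_MSG_RE = re.compile(r"^:(\S+) FINGERPRINT (\S+) :(.+)$")


def fingerprint_of_der(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as uppercase hex."""
    return hashlib.sha256(der).hexdigest().upper()


def normalize_fingerprint(text: str) -> str:
    """Accept 'AB:CD:...' or 'abcd...' spellings; reject anything that is not 64 hex digits."""
    fp = text.replace(":", "").replace(" ", "").upper()
    if not FINGERPRINT_RE.match(fp):
        raise ValueError("fingerprint must be 64 hex digits (SHA-256)")
    return fp


@dataclass
class Account:
    name: str
    certs: Dict[str, str] = field(default_factory=dict)  # fingerprint -> common name


class NickServ:
    """Certificate registry plus the 'cert' and 'trust' commands from the note."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.by_fingerprint: Dict[str, str] = {}          # fingerprint -> account name
        self.sessions: Dict[str, Tuple[str, str]] = {}    # online nick -> (account, method)

    def register(self, name: str) -> Account:
        self.accounts[name] = Account(name)
        return self.accounts[name]

    # /nickserv cert add <fingerprint> <common name from cert>
    def cert_add(self, name: str, fingerprint: str, common_name: str) -> None:
        fp = normalize_fingerprint(fingerprint)
        owner = self.by_fingerprint.get(fp)
        if owner is not None and owner != name:
            raise ValueError("fingerprint already bound to another account")
        self.accounts[name].certs[fp] = common_name
        self.by_fingerprint[fp] = name

    # /nickserv cert del <fingerprint>
    def cert_del(self, name: str, fingerprint: str) -> None:
        fp = normalize_fingerprint(fingerprint)
        if self.accounts[name].certs.pop(fp, None) is not None:
            del self.by_fingerprint[fp]

    # /nickserv cert list
    def cert_list(self, name: str):
        return sorted(self.accounts[name].certs.items())

    def handle_fingerprint(self, line: str, server_verifies_certs: bool) -> Optional[str]:
        """Auto-identify the nick named in a FINGERPRINT message from the IRCd.

        Only the IRCd can check expiry, revocation and the chain, so if it is not
        configured to verify client certificates the fingerprint is ignored.
        Returns the identified account name, or None.
        """
        if not server_verifies_certs:
            return None
        m = FINGERPRINT_MSG_RE.match(line)
        if not m:
            return None
        nick, raw_fp = m.group(2), m.group(3)
        try:
            fp = normalize_fingerprint(raw_fp)
        except ValueError:
            return None
        name = self.by_fingerprint.get(fp)
        if name is None:
            return None
        self.sessions[nick] = (name, "cert")
        return name

    def identify_password(self, nick: str, name: str) -> None:
        """Password identification never downgrades an existing certificate identification."""
        current = self.sessions.get(nick)
        if current is not None and current[0] == name and current[1] == "cert":
            return
        self.sessions[nick] = (name, "password")

    def recognize_hostmask(self, nick: str, name: str) -> None:
        if nick not in self.sessions:
            self.sessions[nick] = (name, "hostmask")

    # /nickserv trust <nick>
    def trust(self, nick: str) -> Tuple[int, str]:
        method = self.sessions.get(nick, (None, None))[1]
        if method == "cert":
            return 3, f"Trust level 3 - {nick} is currently verified using their client certificate"
        if method == "password":
            return 2, f"Trust level 2 - {nick} has identified using their password"
        if method == "hostmask":
            return 1, f"Trust level 1 - {nick} is recognized using their host mask"
        return 0, f"Trust level 0 - {nick} is not authenticated in any way"
```

The `server_verifies_certs` gate is the whole point: the registry maps a fingerprint to an account, but only the IRCd knows whether the presented certificate was valid, unexpired and unrevoked, so services must refuse to treat the fingerprint as authentication when that verification is switched off.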
> Also, this also means the IRCd has responsibility to check using OCSP if the certificate expired or alike and verify the user is doing what it should, and USERFINGERPRINT would rely on the trust of the IRCd doing this..
Isn't that what set::ssl::verify-certificate is supposed to do?
Yeah, was just implying that it has to be turned on, or this could be a huge security hole instead.
Perhaps deny use of the command if set::ssl::verify-certificate is not set?
In /WHOIS now (3.4-alpha....)
2007-06-12 23:10  Stealth  New Issue
                           Status: new => acknowledged
                           Note Added: 0014355
                           Note Added: 0014356
                           Note Added: 0014357
2007-06-13 12:12  Stealth  Note Added: 0014359
                           Note Added: 0014361
2007-06-14 11:14  Stealth  Note Added: 0014362
2015-07-09 19:50  syzop    Note Added: 0018460
2015-07-09 19:50  syzop    Status: acknowledged => resolved
2015-07-09 19:50  syzop    Fixed in Version: => 3.4-alpha3
2015-07-09 19:50  syzop    Resolution: open => fixed
2015-07-09 19:50  syzop    Assigned To: => syzop