View Issue Details

IDProjectCategoryView StatusLast Update
0004019unrealircdpublic2012-10-15 21:26
ReporterJobe1986Assigned Tosyzop 
PrioritynormalSeverityfeatureReproducibilityN/A
Status resolvedResolutionfixed 
Product Version 
Target VersionFixed in Version3.2.10-rc1 
Summary0004019: SSL Client Certificate Fingerprint Authentication
DescriptionSimple request for the addition of SSL client certificat auth based on a certificats SHA1 fingerprint as an alternative (but not replacement) for the current system.

For example you could specify:
password "C5:A2:60:6B:07:68:8C:21:12:F9:58:87:40:CE:E7:0E:87:EA:F8:41" { sslclientcertfp; };
or
password "C5A2606B07688C2112F9588740CEE70E87EAF841" { sslclientcertfp; };
or
password "c5a2606b07688c2112f9588740cee70e87eaf841" { sslclientcertfp; };

I know the sslclientcertfp option has already been implimented in 3.3 but it would be nice to have this available in 3.2.* as well so this is in some ways a backport.

Attached is a diff adding sslclientcertfp authentication to 3.2 (current CVS as of this post) allowing for case insensitive comparison of sha1 fingerprints with and without : seperators.
TagsNo tags attached.
3rd party modules

Relationships

related to 0004020 resolvedsyzop SSL Client Certificate Fingerprint Command 
child of 0003915 resolvedsyzop Unreal3.2.10 TODO 
child of 0004301 resolvedsyzop Unreal3.2.10 TODO 

Activities

Jobe1986

2011-05-11 17:02

reporter  

sslclientcertfp.diff (2,542 bytes)

warg

2011-05-13 21:52

reporter   ~0016650

This is great work, Jobe!

syzop

2012-02-26 22:22

administrator   ~0016926

Last edited: 2012-02-26 22:24

View 2 revisions

Thanks Jobe.
Reading up a bit on this it sounds like it would be better to use SHA256 right from the start, as there are some doubts on the security of the SHA1 hash as fingerprint.
I don't know how far-fetched it is, but since we are introducing the feature now anyway we can do it right from the start.

Jobe1986

2012-02-27 16:17

reporter   ~0016930

I agree SHA256 or higher is better for this, I only used SHA1 for my patch as it did not involve much more work to implement. Also it is worth noting I have had some experience with trouble compiling another IRCd I work on on some systems as a result of using OpenSSL's SHA256 code to get the certificate's SHA256 hash.

In particular the code used to retrieve the SHA256 fingerprint that I used was (modified from what I used as mine retrieved the client certificate from the ssl context as well but I removed that from this paste as Unreal already does that):

char*
ssl_get_fingerprint(X509* cert)
{
    unsigned int n = 0;
    unsigned char md[EVP_MAX_MD_SIZE];
    const EVP_MD *digest = EVP_sha256();
    static char hex[BUFSIZE + 1];

    if (!(cert))
    {
        return NULL;
    }

    if (!X509_digest(cert, digest, md, &n))
    {
        return NULL;
    }

    binary_to_hex(md, hex, n);

    return (hex);
}

syzop

2012-10-06 12:28

administrator   ~0017151

If possible, I'll have a go at this before we do a test release of 3.2.10.
All other SHA fingerprint stuff has been postponed, I don't want to delay a (test) release any further and those other changes (eg: in /whois etc) have a large impact on the code, and more work.

syzop

2012-10-15 21:26

administrator   ~0017177

http://hg.unrealircd.com/hg/unreal/rev/64b3c4006702
- Added auth method 'sslclientcertfp' which provides an alternative
  method to authenticate users with SSL client certificates based
  on SHA256 fingerprints. This can be used instead of the already
  existing 'sslclientcert' so you don't have to use an external file.
  One way to get the SHA256 fingerprint would be:
  openssl x509 -in name-of-pem-file.pem -sha256 -noout -fingerprint
  Suggested and patch supplied by Jobe (0004019).
- Added documentation on the new sslclientcertfp
- Moved documentation on authentication types to one place and refer
  to it from each section (oper::password, vhost::password,
  link::password-receive, etc).

Thanks for the patch! I only needed to change a few things for SHA256 and that was it.
... and then spend hours on updating the documentation and reordering everything, but that was another issue ;)

Issue History

Date Modified Username Field Change
2011-05-11 17:02 Jobe1986 New Issue
2011-05-11 17:02 Jobe1986 File Added: sslclientcertfp.diff
2011-05-12 01:55 ohnobinki Severity minor => feature
2011-05-13 21:52 warg Note Added: 0016650
2012-02-26 22:01 syzop Status new => has patch
2012-02-26 22:02 syzop Relationship added child of 0003915
2012-02-26 22:22 syzop Note Added: 0016926
2012-02-26 22:24 syzop Note Edited: 0016926 View Revisions
2012-02-27 16:17 Jobe1986 Note Added: 0016930
2012-05-07 18:28 syzop Relationship added related to 0004020
2012-10-06 12:28 syzop Note Added: 0017151
2012-10-06 12:29 syzop Assigned To => syzop
2012-10-06 12:29 syzop Status has patch => assigned
2012-10-15 21:26 syzop Note Added: 0017177
2012-10-15 21:26 syzop Status assigned => resolved
2012-10-15 21:26 syzop Fixed in Version => 3.2.10-rc1
2012-10-15 21:26 syzop Resolution open => fixed