View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0004019 | unreal | ircd | public | 2011-05-11 17:02 | 2012-10-15 21:26 |
Reporter | Jobe | Assigned To | syzop | ||
Priority | normal | Severity | feature | Reproducibility | N/A |
Status | resolved | Resolution | fixed | ||
Fixed in Version | 3.2.10-rc1 | ||||
Summary | 0004019: SSL Client Certificate Fingerprint Authentication | ||||
Description | Simple request for the addition of SSL client certificate auth based on a certificate's SHA1 fingerprint as an alternative (but not replacement) for the current system. For example you could specify: password "C5:A2:60:6B:07:68:8C:21:12:F9:58:87:40:CE:E7:0E:87:EA:F8:41" { sslclientcertfp; }; or password "C5A2606B07688C2112F9588740CEE70E87EAF841" { sslclientcertfp; }; or password "c5a2606b07688c2112f9588740cee70e87eaf841" { sslclientcertfp; }; I know the sslclientcertfp option has already been implemented in 3.3 but it would be nice to have this available in 3.2.* as well so this is in some ways a backport. Attached is a diff adding sslclientcertfp authentication to 3.2 (current CVS as of this post) allowing for case insensitive comparison of sha1 fingerprints with and without : separators. | ||||
Tags | No tags attached. | ||||
Attached Files | |||||
This is great work, Jobe!

Thanks Jobe. Reading up a bit on this it sounds like it would be better to use SHA256 right from the start, as there are some doubts on the security of the SHA1 hash as fingerprint. I don't know how far-fetched it is, but since we are introducing the feature now anyway we can do it right from the start.

I agree SHA256 or higher is better for this, I only used SHA1 for my patch as it did not involve much more work to implement. Also it is worth noting I have had some experience with trouble compiling another IRCd I work on on some systems as a result of using OpenSSL's SHA256 code to get the certificate's SHA256 hash. In particular the code used to retrieve the SHA256 fingerprint that I used was (modified from what I used as mine retrieved the client certificate from the ssl context as well but I removed that from this paste as Unreal already does that):

```c
#include <openssl/evp.h>
#include <openssl/x509.h>
#include <stdio.h>

/* BUFSIZE is the IRCd's general buffer size; assumed 512 here, which is
 * enough for a hex-encoded EVP_MAX_MD_SIZE digest plus the terminator. */
#define BUFSIZE 512

/* Hex-encode n bytes into hex (NUL-terminated). This helper was not part of
 * the paste; it is assumed to exist in the surrounding code base. */
static void binary_to_hex(const unsigned char *binary, char *hex, unsigned int n)
{
    unsigned int i;
    for (i = 0; i < n; i++)
        sprintf(hex + 2 * i, "%02X", binary[i]);
    hex[2 * n] = '\0';
}

char* ssl_get_fingerprint(X509* cert)
{
    unsigned int n = 0;
    unsigned char md[EVP_MAX_MD_SIZE];
    const EVP_MD *digest = EVP_sha256();
    static char hex[BUFSIZE + 1];

    if (!(cert))
        return NULL;
    /* X509_digest() hashes the DER encoding of the certificate with the given
     * digest; this is the value "openssl x509 -fingerprint" prints. */
    if (!X509_digest(cert, digest, md, &n))
        return NULL;
    binary_to_hex(md, hex, n);
    return (hex);
}
```

If possible, I'll have a go at this before we do a test release of 3.2.10. All other SHA fingerprint stuff has been postponed, I don't want to delay a (test) release any further and those other changes (eg: in /whois etc) have a large impact on the code, and more work.

http://hg.unrealircd.com/hg/unreal/rev/64b3c4006702
- Added auth method 'sslclientcertfp' which provides an alternative method to authenticate users with SSL client certificates based on SHA256 fingerprints. This can be used instead of the already existing 'sslclientcert' so you don't have to use an external file. One way to get the SHA256 fingerprint would be: openssl x509 -in name-of-pem-file.pem -sha256 -noout -fingerprint Suggested and patch supplied by Jobe (0004019).
- Added documentation on the new sslclientcertfp
- Moved documentation on authentication types to one place and refer to it from each section (oper::password, vhost::password, link::password-receive, etc).

Thanks for the patch! I only needed to change a few things for SHA256 and that was it. ... and then spent hours on updating the documentation and reordering everything, but that was another issue ;)
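As an added example (not from this issue, the attached diff or UnrealIRCd's own code), the config-side check the description asks for: accept a fingerprint in any of the three forms shown there (colon-separated, upper or lowercase hex), compare it against the raw digest bytes that Jobe's ssl_get_fingerprint() obtains from X509_digest(), and reject a length mismatch so that a SHA1-length value left in a config never matches a SHA256 digest. The function names and the sample digest are constructed; no OpenSSL is needed to run it.

```c
#include <ctype.h>
#include <stddef.h>

#define SHA256_DIGEST_LEN 32

/* Value of one hex digit, or -1 if c is not [0-9A-Fa-f]. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Parse "C5:A2:..", "C5A2.." or "c5a2.." into raw bytes. Colons between byte
 * pairs are optional and case is ignored. Returns the number of bytes
 * decoded, or -1 if the string is malformed or longer than outlen bytes. */
int parse_fingerprint(const char *fp, unsigned char *out, size_t outlen)
{
    size_t n = 0;
    while (*fp) {
        int hi, lo;
        if (*fp == ':') { fp++; continue; }
        hi = hexval((unsigned char)fp[0]);
        lo = fp[1] ? hexval((unsigned char)fp[1]) : -1;
        if (hi < 0 || lo < 0 || n >= outlen) return -1;
        out[n++] = (unsigned char)((hi << 4) | lo);
        fp += 2;
    }
    return (int)n;
}

/* 1 if the configured fingerprint equals the digest md[0..mdlen). Lengths must
 * match exactly (a SHA1-length value never matches a SHA256 digest) and the
 * bytes are compared in constant time so timing does not reveal a prefix match. */
int fingerprint_matches(const char *configured, const unsigned char *md, size_t mdlen)
{
    unsigned char want[SHA256_DIGEST_LEN];
    unsigned char diff = 0;
    size_t i;
    int n = parse_fingerprint(configured, want, sizeof want);
    if (n < 0 || mdlen != SHA256_DIGEST_LEN || (size_t)n != mdlen) return 0;
    for (i = 0; i < mdlen; i++) diff |= (unsigned char)(want[i] ^ md[i]);
    return diff == 0;
}

/* Constructed sample digest (not from a real certificate): the 20 bytes of the
 * issue's example fingerprint followed by 12 filler bytes. */
const unsigned char SAMPLE_MD[SHA256_DIGEST_LEN] = {
    0xc5,0xa2,0x60,0x6b,0x07,0x68,0x8c,0x21,0x12,0xf9,0x58,0x87,0x40,0xce,0xe7,0x0e,
    0x87,0xea,0xf8,0x41,0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x99,0xaa,0xbb};
```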
Date Modified | Username | Field | Change |
---|---|---|---|
2011-05-11 17:02 | Jobe | New Issue | |
2011-05-11 17:02 | Jobe | File Added: sslclientcertfp.diff | |
2011-05-12 01:55 | ohnobinki | Severity | minor => feature |
2011-05-13 21:52 | warg | Note Added: 0016650 | |
2012-02-26 22:01 | syzop | Status | new => has patch |
2012-02-26 22:02 | syzop | Relationship added | child of 0003915 |
2012-02-26 22:22 | syzop | Note Added: 0016926 | |
2012-02-26 22:24 | syzop | Note Edited: 0016926 | |
2012-02-27 16:17 | Jobe | Note Added: 0016930 | |
2012-05-07 18:28 | syzop | Relationship added | related to 0004020 |
2012-10-06 12:28 | syzop | Note Added: 0017151 | |
2012-10-06 12:29 | syzop | Assigned To | => syzop |
2012-10-06 12:29 | syzop | Status | has patch => assigned |
2012-10-15 21:26 | syzop | Note Added: 0017177 | |
2012-10-15 21:26 | syzop | Status | assigned => resolved |
2012-10-15 21:26 | syzop | Fixed in Version | => 3.2.10-rc1 |
2012-10-15 21:26 | syzop | Resolution | open => fixed |