View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0005002||unreal||ircd||public||2017-09-08 16:34||2018-09-05 10:02|
|Status||closed||Resolution||no change required|
|Platform||Linux||OS||Any:||OS Version||Latest stable|
|Target Version||Fixed in Version|
|Summary||0005002: /gline on SSL certfp|
|Description||In regard to the following feature, which is greatly appreciated and useful for controlling bot attacks and much more.|
An additional enhancement should be made to give more control to the admins when several clones are connected.
The best example of such a clone situation is the use of a tor hidden service to run the ircd, which will cause all clients to have *@127.0.0.1.
Another example would be users doing ssh to a remote box and connecting to the localhost ircd.
Other examples include places with several machines that have only one exit gateway WAN IP address.
Using the best case described above, and in order to allow tor users to connect while preventing almost all abuses of its usage, the use of a client certificate is excellent, but it still leaves some gaps, such as how to discipline one specific abuser without causing issues for the rest of *@127.0.0.1.
For example, in the case of a bot attack (although this is already severely mitigated by fail-if-no-clientcert), one could still load all the bots with the same certificate.
The proposed enhancement is to allow channel operators and admins to apply bans, kicks, shuns, glines, zlines, klines and so on based on the client fingerprint.
Such functionality would allow everyone to have the same IP, but still allow traditional (old) disciplinary actions to work based on the client's cryptographic certificate fingerprint.
|Steps To Reproduce||ATM N/A|
Forces clients that do not have a certificate to be denied.
|Tags||access control, certfp, conf, security|
|3rd party modules|
Certificates are easy to generate, though. It takes only a second or two. I have my doubts about how useful it will be for banning.
For that reason, in the https://www.unrealircd.org/docs/Extended_bans documentation regarding ~S:certfp, it only shows +e and +I as examples, since +b ~S:xxxx would have limited use (but you CAN set it).
Since I have my doubts about how useful this will be for the general public, I was just thinking of an alternative for you. Everyone is coming from localhost, so the host field is useless right now, correct? Perhaps a new module could be made that sets the host to the SSL client certificate fingerprint. That may even look neater.
I think 0005002 and 0005042 are really 'niche' features that are not big enough to be in UnrealIRCd core (or having me spend time on).
Best would be what I mentioned earlier: have some module change the hostname to the certfp. Perhaps ask Gottem ;)
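As an added illustration (not taken from this issue, nor from UnrealIRCd's own documentation), the two pieces the discussion above refers to, written in the UnrealIRCd 4 style config of that period: the set::ssl::options::fail-if-no-clientcert option the reporter builds on, and the per-channel ~S: extended ban forms that syzop points out already exist. The channel name and the fingerprint are constructed placeholders; a real certfp is the hex SHA-256 of the client's certificate.

```conf
/* Added example, not the project's own config.
   Refuse any client that connects without presenting a client
   certificate; this is the ssl::options::fail-if-no-clientcert
   feature from the original summary of this issue. */
set {
    ssl {
        options {
            fail-if-no-clientcert;
        };
    };
};

/* What already works on the certificate fingerprint, per channel,
   via the ~S: extended ban (see the Extended_bans docs linked above).
   Channel operators type these as IRC commands; #help and the
   fingerprint value are constructed placeholders:

     /MODE #help +b ~S:0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0
       ban one specific certificate (syzop: settable, but of limited use)
     /MODE #help +e ~S:0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0
       exempt one certificate from the channel's other bans
     /MODE #help +I ~S:0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0
       let one certificate through an invite-only (+i) channel

   The server-wide /gline on a certfp asked for in this issue is the part
   that was closed as "no change required". */
```

The practical caveat from the notes above carries over: since the ban key is a fingerprint the client controls, a +b ~S: entry only costs the abuser a new self-signed certificate, whereas +e and +I on a fingerprint you trust are not weakened by that.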
|2017-09-08 16:34||HeXiLeD||New Issue|
|2017-09-08 16:34||HeXiLeD||Tag Attached: certfp|
|2017-09-08 16:34||HeXiLeD||Tag Attached: conf|
|2017-09-08 16:34||HeXiLeD||Tag Attached: access control|
|2017-09-08 16:34||HeXiLeD||Tag Attached: security|
|2017-09-08 20:10||syzop||Note Added: 0019844|
|2017-09-09 17:19||syzop||View Status||private => public|
|2017-09-16 18:24||syzop||Summary||ssl::options::fail-if-no-clientcert complementary feature => /gline on SSL certfp|
|2018-09-05 10:02||syzop||Assigned To||=> syzop|
|2018-09-05 10:02||syzop||Status||new => closed|
|2018-09-05 10:02||syzop||Resolution||open => no change required|
|2018-09-05 10:02||syzop||Note Added: 0020262|