View Issue Details
Field | Value
---|---
ID | 0005014
Project | unreal
Category | ircd
View Status | public
Date Submitted | 2017-09-21 18:40
Last Update | 2017-10-09 12:32
Reporter | syzop
Assigned To | syzop
Priority | normal
Severity | feature
Reproducibility | N/A
Status | resolved
Resolution | fixed
Product Version | 4.0.14
Fixed in Version | 4.0.16
Summary | 0005014: add spki authentication type
Description | We used to promote SSL certificate fingerprints at UnrealIRCd for linking. In fact, our Linking tutorial uses it. Then Let's Encrypt started and trashed this idea, since now certs get replaced every 60-90 days. In 4.0.13(?) we added certificate validation, but some people find that too risky (even though it can be combined with passwords and IP restrictions). grawity just suggested using SPKI hashes in #unreal-support; that would be a good option to add. The SPKI hash will stay the same, even for new certificates, as long as the same public key is used.
Tags | No tags attached.
3rd party modules |
Notes

(0019901) syzop, 2017-10-08 09:38

Important caveat: certbot will generate new keys by default, rendering this useless. They provide some setting to work around this, but this requires manual intervention and it's said to break certbot renew. The simpler --reuse-key request in their tracker was not totally rejected but isn't implemented either.

- https://github.com/certbot/certbot/issues/3788
- https://github.com/certbot/certbot/issues/3709
- https://github.com/certbot/certbot/pull/4610

Of course we can and should still add this for all the other programs out there (the ton of certbot alternatives).

(0019907) syzop, 2017-10-09 12:32

https://github.com/unrealircd/unrealircd/commit/16faccb777bdcc5adce8f6ea6ad7179f08554b0d

    commit 16faccb777bdcc5adce8f6ea6ad7179f08554b0d
    Author: Bram Matthys <[email protected]>
    Date:   Mon Oct 9 12:28:08 2017 +0200

        Add support for 'spkifp' authtype. Example:

        password "AHMYBevUxXKU/S3pdBSjXP4zi4VOetYQQVJXoNYiBR0=" { spkifp; };

        This value will stay the same even for new SSL/TLS certificates,
        as long as the key stays the same. This can be useful in case of
        Let's Encrypt (if you use a tool that keeps the same key, that is,
        certbot does not at the moment).

        Suggested by grawity (0005014).

        Also make auth type 'sslclientcert' available as 'cert' and make
        'sslclientcertfp' available as 'certfp'.
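The following script is an added example and is not UnrealIRCd's code; it shows what the spkifp value in the commit above pins and why the certbot caveat in note 0019901 matters. It assumes (the page does not state the encoding) that spkifp is base64(SHA-256(DER SubjectPublicKeyInfo)), the same pin format HPKP used, which is consistent with the 44-character value in the commit being a 32-byte digest, and that certfp is the hex SHA-256 of the whole DER certificate. The DER walker follows the standard X.509 layout and works on real PEM certificates; the three sample certificates at the bottom are constructed in-script so the file runs offline, built around a dummy modulus that is not a usable key and carrying a dummy signature.

```python
"""spkifp.py: UnrealIRCd-style 'spkifp' and 'certfp' values for a certificate.

Added example, not UnrealIRCd code.  Assumption: spkifp is
base64(SHA-256(DER SubjectPublicKeyInfo)); certfp is hex SHA-256 of the
whole DER certificate.  Sample certificates below are constructed in-script
around a dummy RSA modulus (not a real key) with a dummy signature.
"""
import base64
import hashlib
import sys


def der_tlv(data, pos=0):
    """Decode one DER TLV at `pos`; return (tag, value, end_offset)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def der_children(body):
    """Yield (tag, value, raw_tlv) for each element of a SEQUENCE/SET body."""
    pos = 0
    while pos < len(body):
        tag, value, end = der_tlv(body, pos)
        yield tag, value, body[pos:end]
        pos = end


def der_encode(tag, value):
    """Encode tag + definite length (short or long form) + value."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def extract_spki(cert_der):
    """Return the raw DER SubjectPublicKeyInfo of an X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber,
        signature, issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    _, cert_body, _ = der_tlv(cert_der)                  # outer SEQUENCE
    _, tbs, _ = der_tlv(cert_body)                       # tbsCertificate
    fields = list(der_children(tbs))
    if fields[0][0] == 0xA0:                             # skip [0] EXPLICIT version
        fields = fields[1:]
    tag, _, spki = fields[5]                             # serial, alg, issuer, validity, subject, SPKI
    if tag != 0x30:
        raise ValueError("expected SEQUENCE for SubjectPublicKeyInfo, got tag %#x" % tag)
    return spki


def spkifp(cert_der):
    """Key fingerprint: unchanged on renewal as long as the key is reused."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def certfp(cert_der):
    """Certificate fingerprint: changes on every renewal."""
    return hashlib.sha256(cert_der).hexdigest()


def pem_to_der(pem_text):
    body = [ln for ln in pem_text.splitlines() if ln and not ln.startswith("-----")]
    return base64.b64decode("".join(body))


# --- constructed sample certificates (dummy key, dummy signature) -------------
def der_int(n):
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return der_encode(0x02, b"\x00" + b if b[0] & 0x80 else b)   # keep INTEGER positive


def make_spki(modulus, exponent=65537):
    """RSA SubjectPublicKeyInfo: AlgorithmIdentifier(rsaEncryption) + BIT STRING key."""
    rsa_key = der_encode(0x30, der_int(modulus) + der_int(exponent))
    alg = der_encode(0x30, der_encode(0x06, bytes.fromhex("2a864886f70d010101")) + b"\x05\x00")
    return der_encode(0x30, alg + der_encode(0x03, b"\x00" + rsa_key))


def make_cert(serial, not_before, not_after, spki, cn=b"irc.example.org"):
    """X.509 v3 layout around `spki`; the signature BIT STRING is a dummy."""
    name = der_encode(0x30, der_encode(0x31, der_encode(0x30,
        der_encode(0x06, bytes.fromhex("550403")) + der_encode(0x0C, cn))))
    validity = der_encode(0x30, der_encode(0x17, not_before) + der_encode(0x17, not_after))
    sigalg = der_encode(0x30, der_encode(0x06, bytes.fromhex("2a864886f70d01010b")) + b"\x05\x00")
    tbs = der_encode(0x30, der_encode(0xA0, der_encode(0x02, b"\x02"))    # version v3
                     + der_int(serial) + sigalg + name + validity + name + spki)
    return der_encode(0x30, tbs + sigalg + der_encode(0x03, b"\x00" + bytes(64)))


KEY_A = make_spki((1 << 511) | 0x5A5A5A5A5)      # dummy 512-bit modulus, not a usable key
KEY_B = make_spki((1 << 511) | 0x3C3C3C3C3)

CERT_2017 = make_cert(1, b"170101000000Z", b"170401000000Z", KEY_A)
CERT_RENEWED = make_cert(2, b"170401000000Z", b"170701000000Z", KEY_A)   # same key reused
CERT_NEW_KEY = make_cert(3, b"170401000000Z", b"170701000000Z", KEY_B)   # certbot default: new key

if __name__ == "__main__":
    if len(sys.argv) > 1:                            # python3 spkifp.py server.cert.pem
        der = pem_to_der(open(sys.argv[1]).read())
        print('password "%s" { spkifp; };' % spkifp(der))
        print("certfp:", certfp(der))
    else:
        for label, c in (("2017 cert", CERT_2017), ("renewed, same key", CERT_RENEWED),
                         ("renewed, new key", CERT_NEW_KEY)):
            print("%-18s spkifp=%s certfp=%s..." % (label, spkifp(c), certfp(c)[:16]))
```

Run without arguments and the first two rows print the same spkifp with different certfp values (a renewal that reuses the key), while the third row, the certbot-default case of a fresh key, changes spkifp as well; that third row is exactly the failure mode note 0019901 warns about, so check which behaviour your ACME client has before pinning. With a PEM path as argument it prints a ready-to-paste `password "..." { spkifp; };` line for that certificate. Under the same encoding assumption, the equivalent one-liner with the OpenSSL CLI is `openssl x509 -in server.cert.pem -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | openssl base64`, and the two should agree on a real certificate.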
Date Modified | Username | Field | Change |
---|---|---|---|
2017-09-21 18:40 | syzop | New Issue | |
2017-09-21 18:40 | syzop | Assigned To | => syzop |
2017-09-21 18:40 | syzop | Status | new => acknowledged |
2017-10-08 09:38 | syzop | Note Added: 0019901 | |
2017-10-08 09:39 | syzop | Note Edited: 0019901 | |
2017-10-08 09:39 | syzop | Note Edited: 0019901 | |
2017-10-08 09:39 | syzop | Note Edited: 0019901 | |
2017-10-09 12:32 | syzop | Status | acknowledged => resolved |
2017-10-09 12:32 | syzop | Resolution | open => fixed |
2017-10-09 12:32 | syzop | Fixed in Version | => 4.0.16 |
2017-10-09 12:32 | syzop | Note Added: 0019907 |