View Issue Details

ID: 0005014
Project: unrealircd
Category: (none)
View Status: public
Last Update: 2017-10-09 12:32
Reporter: syzop
Assigned To: syzop
Priority: normal
Severity: feature
Reproducibility: N/A
Status: resolved
Resolution: fixed
Product Version: 4.0.14
Target Version: (none)
Fixed in Version: 4.0.16
Summary: 0005014: add spki authentication type
Description: We used to promote SSL certificate fingerprints at UnrealIRCd for linking. In fact, our Linking tutorial uses it.
Then Let's Encrypt started and trashed this idea, since now certs get replaced every 60-90 days.
In 4.0.13(?) we added certificate validation, but some people find that too risky (even though it can be combined with passwords and IP restrictions).
grawity just suggested using SPKI hashes in #unreal-support; that would be a good option to add.
The SPKI hash will stay the same, even for new certificates, as long as the same public key is used.
Tags: No tags attached.

Activities

syzop (administrator), 2017-10-08 09:38, note ~0019901 (last edited: 2017-10-08 09:39)

Important caveat: certbot will generate new keys by default, rendering this useless. They provide some setting to work around this, but this requires manual intervention and it's said to break certbot renew. The simpler --reuse-key request in their tracker was not totally rejected but isn't implemented either.
https://github.com/certbot/certbot/issues/3788
https://github.com/certbot/certbot/issues/3709
https://github.com/certbot/certbot/pull/4610

Of course we can and should still add this for all the other programs out there (the ton of certbot alternatives).

syzop (administrator), 2017-10-09 12:32, note ~0019907

https://github.com/unrealircd/unrealircd/commit/16faccb777bdcc5adce8f6ea6ad7179f08554b0d

commit 16faccb777bdcc5adce8f6ea6ad7179f08554b0d
Author: Bram Matthys <syzop@vulnscan.org>
Date: Mon Oct 9 12:28:08 2017 +0200

    Add support for 'spkifp' authtype. Example:
    password "AHMYBevUxXKU/S3pdBSjXP4zi4VOetYQQVJXoNYiBR0=" { spkifp; };
    This value will stay the same even for new SSL/TLS certificates,
    as long as the key stays the same. This can be useful in case of
    Let's Encrypt (if you use a tool that keeps the same key, that is,
    certbot does not at the moment). Suggested by grawity (0005014).
    
    Also make auth type 'sslclientcert' available as 'cert' and
    make 'sslclientcertfp' available as 'certfp'.
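The commit message shows only the finished value. As an added example (not UnrealIRCd's code and not taken from this tracker), the script below computes an SPKI fingerprint of that shape: SHA-256 over the DER-encoded SubjectPublicKeyInfo of the certificate, base64-encoded. A 44-character base64 string such as the one in the commit is 32 bytes of hash, which is the same pin format RFC 7469 (HPKP) uses; that this is exactly the value UnrealIRCd compares is an assumption made here. The parser reads just enough DER to locate the SubjectPublicKeyInfo inside a certificate, and the demo then shows the property the issue relies on, using constructed test certificates: a renewal that keeps the key yields the same fingerprint as the original, while a renewal with a freshly generated key (certbot's default, per the note above) changes it. The hostname irc.example.net, the serial numbers, the validity dates and the RSA-shaped moduli are all constructed for the demo and are not real keys; the certificates carry a placeholder signature because the fingerprint never depends on the signature.

```python
"""SPKI fingerprint = base64(SHA-256(DER SubjectPublicKeyInfo)); stdlib only. Added example."""
import base64
import hashlib
import re


def _tlv(buf, pos):
    """Decode the DER tag and length at buf[pos]; return (tag, content_start, content_end)."""
    tag, first = buf[pos], buf[pos + 1]
    if first & 0x80:                                   # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        start = pos + 2 + nbytes
    else:                                              # short-form length
        length, start = first, pos + 2
    return tag, start, start + length


def _children(buf, start, end):
    """Yield (tag, tlv_start, tlv_end) for each element inside a constructed DER value."""
    pos = start
    while pos < end:
        tag, _, cend = _tlv(buf, pos)
        yield tag, pos, cend
        pos = cend


def pem_to_der(pem):
    """Strip the PEM armour of a CERTIFICATE block and return its DER bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo TLV of a DER certificate (RFC 5280 layout)."""
    tag, start, end = _tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, tbs_start, _ = next(_children(cert_der, start, end))      # tbsCertificate comes first
    _, tbs_cstart, tbs_cend = _tlv(cert_der, tbs_start)
    fields = list(_children(cert_der, tbs_cstart, tbs_cend))
    # TBSCertificate: [0] version (optional), serialNumber, signature, issuer, validity,
    # subject, subjectPublicKeyInfo, ...  -> the SPKI is the 6th field after the version.
    if fields and fields[0][0] == 0xA0:
        fields = fields[1:]
    spki_tag, spki_start, spki_end = fields[5]
    if spki_tag != 0x30:
        raise ValueError("unexpected tag where SubjectPublicKeyInfo should be")
    return cert_der[spki_start:spki_end]


def spki_fingerprint(cert):
    """Fingerprint for a PEM string or DER bytes: base64 of SHA-256 over the DER SPKI."""
    der = pem_to_der(cert) if isinstance(cert, str) else cert
    return base64.b64encode(hashlib.sha256(extract_spki(der)).digest()).decode()


# --- constructed demo material: not real keys, never signed ---------------------------
def _der(tag, content):
    """Encode one DER TLV (short or long-form length as needed)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lenbytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lenbytes)]) + lenbytes + content


def _der_int(value):
    """DER INTEGER for a non-negative int; adds the leading zero byte when the high bit is set."""
    return _der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


RSA_OID = bytes.fromhex("06092a864886f70d010101")         # 1.2.840.113549.1.1.1 rsaEncryption
SHA256_RSA_OID = bytes.fromhex("06092a864886f70d01010b")  # 1.2.840.113549.1.1.11 sha256WithRSA
DER_NULL = b"\x05\x00"


def demo_spki(label):
    """RSA-shaped SubjectPublicKeyInfo whose 2048-bit 'modulus' is derived from a label (demo only)."""
    modulus = int.from_bytes(hashlib.sha256(label.encode()).digest() * 8, "big") | (1 << 2047) | 1
    rsa_public_key = _der(0x30, _der_int(modulus) + _der_int(65537))
    return _der(0x30, _der(0x30, RSA_OID + DER_NULL) + _der(0x03, b"\x00" + rsa_public_key))


def demo_cert(spki, serial, not_before, not_after):
    """Minimal v3-shaped certificate around an SPKI, with a placeholder (unverified) signature."""
    cn = _der(0x30, bytes.fromhex("0603550403") + _der(0x0C, b"irc.example.net"))  # CN (assumed name)
    name = _der(0x30, _der(0x31, cn))
    validity = _der(0x30, _der(0x17, not_before) + _der(0x17, not_after))           # two UTCTime values
    sig_alg = _der(0x30, SHA256_RSA_OID + DER_NULL)
    tbs = _der(0x30, _der(0xA0, _der_int(2)) + _der_int(serial) + sig_alg + name + validity + name + spki)
    return _der(0x30, tbs + sig_alg + _der(0x03, b"\x00" + bytes(256)))


def demo_fingerprints():
    """Fingerprints of an original cert, a renewal reusing its key, and a renewal with a new key."""
    key_a, key_b = demo_spki("link key A"), demo_spki("link key B")
    original = demo_cert(key_a, 1001, b"171001000000Z", b"171230000000Z")
    renewed_same_key = demo_cert(key_a, 2002, b"171201000000Z", b"180301000000Z")
    renewed_new_key = demo_cert(key_b, 3003, b"171201000000Z", b"180301000000Z")
    return spki_fingerprint(original), spki_fingerprint(renewed_same_key), spki_fingerprint(renewed_new_key)


if __name__ == "__main__":
    fp_orig, fp_same, fp_new = demo_fingerprints()
    print("original cert     :", fp_orig)
    print("renewed, same key :", fp_same, "(matches)" if fp_same == fp_orig else "(DIFFERS)")
    print("renewed, new key  :", fp_new, "(matches)" if fp_new == fp_orig else "(DIFFERS)")
```

For a real certificate, pass the PEM text to spki_fingerprint(); the value should agree with the usual OpenSSL pin pipeline (openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | openssl base64), which is the cross-check to run before putting a value into a link block. The fingerprint covers the key alone: renewals, re-issues and a changed CA leave it untouched, but so does a compromised private key reused by someone else, so rotating the key deliberately also means updating the fingerprint, and combining it with the password and IP restrictions mentioned in the description is still worthwhile.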

Issue History

Date Modified      Username  Field             Change
2017-09-21 18:40   syzop     New Issue
2017-09-21 18:40   syzop     Assigned To       => syzop
2017-09-21 18:40   syzop     Status            new => acknowledged
2017-10-08 09:38   syzop     Note Added        0019901
2017-10-08 09:39   syzop     Note Edited       0019901 (edited three times)
2017-10-09 12:32   syzop     Status            acknowledged => resolved
2017-10-09 12:32   syzop     Resolution        open => fixed
2017-10-09 12:32   syzop     Fixed in Version  => 4.0.16
2017-10-09 12:32   syzop     Note Added        0019907