View Issue Details

ID: 0005253
Project: unrealircd
Category:
View Status: public
Last Update: 2019-05-02 09:37
Reporter: syzop
Assigned To: syzop
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: resolved
Resolution: fixed
Product Version: 4.2.0
Target Version:
Fixed in Version: 4.2.4
Summary: 0005253: confusing link errors regarding certs
Description: My server wouldn't link anymore after I changed from regular cert to let's encrypt.. apparently I had not relinked since that change for at least a month (stable connection :D).

On one side there was only this:
Lost connection to .....: Read error
The other side was helpful:
*** Connection to ... activated.
Link denied for ... (Authentication failed [Bad password?]) ....

Then another error caused by me by turning on verify-certificate and using password sslclientcert on one side and password fixed-password on other side.
Still got a "Read error" on one side, and an "Authentication failed" on the other? Or what was it.. damn I forgot.

Some things:
1) In a situation where server A attempts to link to server B and A finds out there is an authentication problem, it would be nice if it informs server B... at least in SOME way. The error may be generic as usual. This as opposed to a generic "Read error" (read: simply dropping the connection). Minor point though.
2) "Authentication failed (Bad Password?)" is confusing if the auth type is not a password, should be a different message, like (Certificate problem?).
3) Find out this mysterious case where I had password sslclientcert on one side (passive) and fixed-password on the other side (active). There was no hint as for the error (?)
Tags: No tags attached.
3rd party modules:

Activities

syzop

2019-05-02 07:56

administrator   ~0020606

Public, was private pending further investigation. In the meantime k4be reported the same on 4.2.3 (what I had was on 4.2.0, so it's nothing new).

syzop

2019-05-02 08:59

administrator   ~0020607

Cases 2 and 3 fixed in https://github.com/unrealircd/unrealircd/commit/5b63d28e2a1eee7de8942e42b72b9f2c534f0e3c:

commit 5b63d28e2a1eee7de8942e42b72b9f2c534f0e3c (HEAD -> unreal42, origin/unreal42, origin/HEAD)
Author: Bram Matthys <syzop@vulnscan.org>
Date: Thu May 2 08:55:22 2019 +0200

    Improve error messages in case of failed server linking due to mixed
    password types (eg: plaintext on one side, spkifp on the other side).
    Refer to https://www.unrealircd.org/docs/FAQ#auth-fail-mixed
    
    Also, unrelated to the above, don't say "Bad password?" if the
    password type is not of type plaintext, since it would be confusing.

Case 1 is pending and reproducible here.

syzop

2019-05-02 09:37

administrator   ~0020608

https://github.com/unrealircd/unrealircd/commit/8a6cbfaaf06b5921e7ab0fb280f83954bd2518d8

commit 8a6cbfaaf06b5921e7ab0fb280f83954bd2518d8 (HEAD -> unreal42, origin/unreal42, origin/HEAD)
Author: Bram Matthys <syzop@vulnscan.org>
Date: Thu May 2 09:30:15 2019 +0200

    Show linking error messages if these happen during the handshake and we
    have already fully authenticated the server (but when it technically is
    not fully linked as a server yet, eg post-EAUTH but pre-SERVER).
    
    Also, send ERRORs to junk snomask from untrusted sources. After all,
    the junk snomask is precisely there to enable briefly to debug issues.
    In case of link errors we always advise to check BOTH sides of the link
    as an IRCOp, and this advice still stands. This may just help a little
    for people who do not follow our advice.

syzop

2019-05-02 09:37

administrator   ~0020609

So cases 2 and 3 have been fixed entirely. Case 1 can only be partially fixed for safety reasons (see last commit).

Done :)

Issue History

Date Modified Username Field Change
2019-04-25 09:34 syzop New Issue
2019-05-02 07:56 syzop View Status private => public
2019-05-02 07:56 syzop Note Added: 0020606
2019-05-02 08:59 syzop Note Added: 0020607
2019-05-02 08:59 syzop Assigned To => syzop
2019-05-02 08:59 syzop Status new => confirmed
2019-05-02 09:37 syzop Note Added: 0020608
2019-05-02 09:37 syzop Status confirmed => resolved
2019-05-02 09:37 syzop Resolution open => fixed
2019-05-02 09:37 syzop Fixed in Version => 4.2.4
2019-05-02 09:37 syzop Note Added: 0020609