View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0005253 | unreal | ircd | public | 2019-04-25 09:34 | 2019-05-02 09:37 |
| Reporter | syzop | Assigned To | syzop | ||
| Priority | normal | Severity | minor | Reproducibility | have not tried |
| Status | resolved | Resolution | fixed | ||
| Product Version | 4.2.0 | ||||
| Fixed in Version | 4.2.4 | ||||
| Summary | 0005253: confusing link errors regarding certs | ||||
| Description | My server wouldn't link anymore after I changed from regular cert to let's encrypt.. apparently I had not relinked since that change for at least a month (stable connection :D). On one side there was only this: Lost connection to .....: Read error The other side was helpful: *** Connection to ... activated. Link denied for ... (Authentication failed [Bad password?]) .... Then another error caused by me by turning on verify-certificate and using password sslclientcert on one side and password fixed-password on other side. Still got a "Read error" on one side, and a "Authentication failed" on the other? Or what was it.. damn I forgot. Some things: 1) In a situation where server A attempts to link to server B and A finds out there is an authentication problem, it would be nice if it informs server B... at least in SOME way. The error may be generic as usual. This as opposed to a generic "Read error" (read: simply dropping the connection). Minor point though 2) "Authentication failed (Bad Password?)" is confusing if the auth type is not a password, should be a different message, like (Certificate problem?). 3) Find out this mysterious case where I had password sslclientcert on one side (passive) and fixed-password on the other side (active). There was no hint as for the error (?) | ||||
| Tags | No tags attached. | ||||
| 3rd party modules | |||||
|
|
Public, was private pending further investigation. In the meantime k4be reported the same on 4.2.3 (what I had was on 4.2.0, so it's nothing new). |
|
|
Cases 2 and 3 fixed in https://github.com/unrealircd/unrealircd/commit/5b63d28e2a1eee7de8942e42b72b9f2c534f0e3c: commit 5b63d28e2a1eee7de8942e42b72b9f2c534f0e3c (HEAD -> unreal42, origin/unreal42, origin/HEAD) Author: Bram Matthys <[email protected]> Date: Thu May 2 08:55:22 2019 +0200 Improve error messages in case of failed server linking due to mixed password types (eg: plaintext on one side, spkifp on the other side). Refer to https://www.unrealircd.org/docs/FAQ#auth-fail-mixed Also, unrelated to the above, don't say "Bad password?" if the password type is not of type plaintext, since it would be confusing. Case 1 is pending and reproducible here. |
|
|
https://github.com/unrealircd/unrealircd/commit/8a6cbfaaf06b5921e7ab0fb280f83954bd2518d8 commit 8a6cbfaaf06b5921e7ab0fb280f83954bd2518d8 (HEAD -> unreal42, origin/unreal42, origin/HEAD) Author: Bram Matthys <[email protected]> Date: Thu May 2 09:30:15 2019 +0200 Show linking error messages if these happen during the handshake and we have already fully authenticated the server (but when it technically is not fully linked as a server yet, eg post-EAUTH but pre-SERVER). Also, send ERRORs to junk snomask from untrusted sources. After all, the junk snomask is precisely there to enable briefly to debug issues. In case of link errors we always advice to check BOTH sides of the link as an IRCOp, and this advice still stands. This may just help a little for people who do not follow our advice. |
|
|
So case 2 and 3 have been fixed entirely. Case 1 can only be partially fixed for safety reasons (see last commit). Done :) |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2019-04-25 09:34 | syzop | New Issue | |
| 2019-05-02 07:56 | syzop | View Status | private => public |
| 2019-05-02 07:56 | syzop | Note Added: 0020606 | |
| 2019-05-02 08:59 | syzop | Note Added: 0020607 | |
| 2019-05-02 08:59 | syzop | Assigned To | => syzop |
| 2019-05-02 08:59 | syzop | Status | new => confirmed |
| 2019-05-02 09:37 | syzop | Note Added: 0020608 | |
| 2019-05-02 09:37 | syzop | Status | confirmed => resolved |
| 2019-05-02 09:37 | syzop | Resolution | open => fixed |
| 2019-05-02 09:37 | syzop | Fixed in Version | => 4.2.4 |
| 2019-05-02 09:37 | syzop | Note Added: 0020609 |
