View Issue Details

IDProjectCategoryView StatusLast Update
0006378unrealircdpublic2024-05-20 11:53
Reportersyzop Assigned Tosyzop  
PrioritynormalSeveritytweakReproducibilityhave not tried
Status resolvedResolutionfixed 
Fixed in Version6.1.6-rc1 
Summary0006378: tls-users / tls-and-known-users for non -z users
DescriptionWhen connected over TLS, users are put in the "tls-users" and "tls-and-known-users" group.

However, for the case of WEBIRC where the gateway--ircd is TLS but is not indicated as 'secure', and the user does not get user mode +z, this is kinda weird, even though it is in fact indeed TLS. Eg see

The same situation is true for a transparant proxy (proxy block) where the connection between the gateway and ircd is https (thus TLS+HTTP) but the end-user connection is not indicated to be https (eg insecure HTTP).

I think it would make sense not to include those users in the "tls-users" and "tls-and-known-users" group, even though one way or the other it is contradictory :D
TagsNo tags attached.
3rd party modules



2024-05-20 11:53

administrator   ~0023205

commit 05c946579f31982e9bf2ef782ea188f1e50e3d4f (HEAD -> unreal60_dev, origin/unreal60_dev, origin/HEAD)
Author: Bram Matthys <[email protected]>
Date: Mon May 20 11:50:24 2024 +0200

    Don't put insecure gatewayed/proxied connections in 'tls-users' security group.
    For user--proxy--ircserv we don't set +z when user--proxy is not
    using SSL/TLS and we should behave the same way with ::tls in
    security groups / match items.
    See also
    But also applies to other types in the proxy block.

Issue History

Date Modified Username Field Change
2023-12-29 15:55 syzop New Issue
2024-05-20 11:53 syzop Assigned To => syzop
2024-05-20 11:53 syzop Status new => resolved
2024-05-20 11:53 syzop Resolution open => fixed
2024-05-20 11:53 syzop Fixed in Version => 6.1.6-rc1
2024-05-20 11:53 syzop Note Added: 0023205