View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0006378 | unreal | ircd | public | 2023-12-29 15:55 | 2024-05-20 11:53 |
Reporter | syzop | Assigned To | syzop | ||
Priority | normal | Severity | tweak | Reproducibility | have not tried |
Status | resolved | Resolution | fixed | ||
Fixed in Version | 6.1.6 | ||||
Summary | 0006378: tls-users / tls-and-known-users for non -z users | ||||
Description | When connected over TLS, users are put in the "tls-users" and "tls-and-known-users" group. However, for the case of WEBIRC where the gateway--ircd is TLS but is not indicated as 'secure', and the user does not get user mode +z, this is kinda weird, even though it is in fact indeed TLS. E.g. see https://www.unrealircd.org/docs/FAQ#Why_do_users_on_WEBIRC_gateways_not_get_user_mode_+z? The same situation is true for a transparent proxy (proxy block) where the connection between the gateway and ircd is https (thus TLS+HTTP) but the end-user connection is not indicated to be https (e.g. insecure HTTP). I think it would make sense not to include those users in the "tls-users" and "tls-and-known-users" group, even though one way or the other it is contradictory :D | ||||
Tags | No tags attached. | ||||
3rd party modules | |||||
https://github.com/unrealircd/unrealircd/commit/05c946579f31982e9bf2ef782ea188f1e50e3d4f

commit 05c946579f31982e9bf2ef782ea188f1e50e3d4f (HEAD -> unreal60_dev, origin/unreal60_dev, origin/HEAD)
Author: Bram Matthys <[email protected]>
Date: Mon May 20 11:50:24 2024 +0200

Don't put insecure gatewayed/proxied connections in 'tls-users' security group.

For user--proxy--ircserv we don't set +z when user--proxy is not using SSL/TLS and we should behave the same way with ::tls in security groups / match items.

See also https://www.unrealircd.org/docs/FAQ#Why_do_users_on_WEBIRC_gateways_not_get_user_mode_+z?

But also applies to other types in the proxy block.