Mikaela/mikaela.github.io
1
0
Fork 0
mirror of https://github.com/mikaela/mikaela.github.io/ synced 2025-01-12 14:02:41 +01:00
Code Issues Projects Releases Wiki Activity

_posts/znc160ssl: zncstrap 3 & valid cert issues

Browse Source
This commit is contained in:
Aminda Suomalainen 2015-09-03 13:21:15 +03:00
parent 75b56cfde8
commit a3771390ef
1 changed files with 19 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
_posts/2015-02-24-znc160-ssl.md
View File

@ -24,7 +24,8 @@ as people are asking how to disable the SSL certificate verification on
Some people even wrote [a patch and scripts to disable the verification.](https://gist.github.com/KindOne-/52cfade7b937ee8b4c37)
This isn't a good idea as patching ZNC can cause all kinds of issues as
sometimes seen with zncstrap [1](https://github.com/ProjectFirrre/zncstrap/issues/16) [2](https://github.com/ProjectFirrre/zncstrap/issues/18).
sometimes seen with zncstrap [1](https://github.com/ProjectFirrre/zncstrap/issues/16) [2](https://github.com/ProjectFirrre/zncstrap/issues/18) [3](https://github.com/znc/znc/issues/384).
See also [contributing (reporting bugs) guidelines of ZNC.](https://github.com/znc/znc/issues/384)
I believe same policy should apply to patching ZNC as to config files,
patch ZNC or edit config file and you will forfeit all support.
@ -83,5 +84,21 @@ I hope this article has helped you to understand the issues with blindly
accepting SSL certificates or at least to understand that *if you don't
want to verify SSL certificates, don't use SSL.*
*Updated on 2015-02-26 10:43Z: just use environment variables in the
* *Updated on 2015-02-26 10:43Z: just use environment variables in the
function like suggested by @DarthGandalf on \#znc.*
## I am asked to verify fingerprint for network with valid certificate
*Added on 2015-09-03.*
There are usually three causes for this. Lets use freenode as example
network.
1. You don't have `ca-certificates` package installed, so your system
trusts no certificate authority. Install it and try again.
2. You are connecting to wrong address. freenode's certificate is vaid for
\*.freenode.net, but some other domains are CNAMEs to it and get
3. There is MITM which is unlikely, but unlikely is not impossible.
Validating the certificates either by trusted certificates or verifying
the fingerprints securely manually protect you from this. If MITM is the
case, you shouldn't connect.