diff --git a/_posts/2015-02-24-znc160-ssl.md b/_posts/2015-02-24-znc160-ssl.md index bbdbfe7..3d16ba4 100644 --- a/_posts/2015-02-24-znc160-ssl.md +++ b/_posts/2015-02-24-znc160-ssl.md @@ -24,7 +24,8 @@ as people are asking how to disable the SSL certificate verification on Some people even wrote [a patch and scripts to disable the verification.](https://gist.github.com/KindOne-/52cfade7b937ee8b4c37) This isn't a good idea as patching ZNC can cause all kinds of issues as -sometimes seen with zncstrap [1](https://github.com/ProjectFirrre/zncstrap/issues/16) [2](https://github.com/ProjectFirrre/zncstrap/issues/18). +sometimes seen with zncstrap [1](https://github.com/ProjectFirrre/zncstrap/issues/16) [2](https://github.com/ProjectFirrre/zncstrap/issues/18) [3](https://github.com/znc/znc/issues/384). +See also [contributing (reporting bugs) guidelines of ZNC.](https://github.com/znc/znc/issues/384) I believe same policy should apply to patching ZNC as to config files, patch ZNC or edit config file and you will forfeit all support. 
@@ -83,5 +84,21 @@ I hope this article has helped you to understand the issues with blindly accepting SSL certificates or at least to understand that *if you don't want to verify SSL certificates, don't use SSL.* -*Updated on 2015-02-26 10:43Z: just use environment variables in the +* *Updated on 2015-02-26 10:43Z: just use environment variables in the function like suggested by @DarthGandalf on \#znc.* + +## I am asked to verify fingerprint for network with valid certificate + +*Added on 2015-09-03.* + +There are usually three causes for this. Lets use freenode as example +network. + +1. You don't have `ca-certificates` package installed, so your system + trusts no certificate authority. Install it and try again. +2. You are connecting to wrong address. freenode's certificate is vaid for + \*.freenode.net, but some other domains are CNAMEs to it and get +3. There is MITM which is unlikely, but unlikely is not impossible. + Validating the certificates either by trusted certificates or verifying + the fingerprints securely manually protect you from this. If MITM is the + case, you shouldn't connect.
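Review bot: in the first hunk, the new "See also" line links "contributing (reporting bugs) guidelines of ZNC" to https://github.com/znc/znc/issues/384, which is the very same issue URL just added as reference [3] on the line above; an issue page is not the contributing guidelines, so either one of the two URLs is wrong or the sentence is mislabelled. Suggest pointing the "See also" sentence at the actual guidelines document in the znc/znc repository (or dropping the sentence and keeping only [3]), and tightening the wording to "See also ZNC's contributing guidelines on reporting bugs." so it reads cleanly before the unchanged "I believe same policy should apply..." line.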
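Review bot: in the second hunk, item 2 of the new list is cut off mid-sentence ("but some other domains are CNAMEs to it and get") and never states the consequence for the reader; finish it, e.g. "... and get the \*.freenode.net certificate, which then fails hostname verification because it does not match the name you connected to, so connect to the canonical freenode.net hostname instead." Smaller points in the same hunk: "vaid" should be "valid" and "Lets" should be "Let's"; in item 3 the verb should agree with the subject ("Validating the certificates ... protects you from this"); item 1 would benefit from a concrete check such as running `openssl s_client -connect <server>:6697 -CApath /etc/ssl/certs` and looking at the "Verify return code" line, so the reader can tell a missing CA bundle apart from the other two causes; and the changed "-*Updated on" / "+* *Updated on" line turns the italic update note into a bullet item whose continuation line "function like suggested by @DarthGandalf on \#znc.*" is not indented, so confirm that rendering is intended rather than an accidental leading "* ".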