From a3771390ef614469d6d65c2358c825fe985cf146 Mon Sep 17 00:00:00 2001 From: Mikaela Suomalainen Date: Thu, 3 Sep 2015 13:21:15 +0300 Subject: [PATCH] _posts/znc160ssl: zncstrap 3 & valid cert issues --- _posts/2015-02-24-znc160-ssl.md | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/_posts/2015-02-24-znc160-ssl.md b/_posts/2015-02-24-znc160-ssl.md index bbdbfe7..3d16ba4 100644 --- a/_posts/2015-02-24-znc160-ssl.md +++ b/_posts/2015-02-24-znc160-ssl.md @@ -24,7 +24,8 @@ as people are asking how to disable the SSL certificate verification on Some people even wrote [a patch and scripts to disable the verification.](https://gist.github.com/KindOne-/52cfade7b937ee8b4c37) This isn't a good idea as patching ZNC can cause all kinds of issues as -sometimes seen with zncstrap [1](https://github.com/ProjectFirrre/zncstrap/issues/16) [2](https://github.com/ProjectFirrre/zncstrap/issues/18). +sometimes seen with zncstrap [1](https://github.com/ProjectFirrre/zncstrap/issues/16) [2](https://github.com/ProjectFirrre/zncstrap/issues/18) [3](https://github.com/znc/znc/issues/384). +See also [contributing (reporting bugs) guidelines of ZNC.](https://github.com/znc/znc/issues/384) I believe same policy should apply to patching ZNC as to config files, patch ZNC or edit config file and you will forfeit all support. 
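Review bot: the added "See also" line in this hunk links the words "contributing (reporting bugs) guidelines of ZNC" to https://github.com/znc/znc/issues/384, which is the same URL the new reference [3] on the preceding line already uses; an issue thread is not a guidelines document, so this reads like a copy-paste slip. Either point the link at ZNC's actual contributing/bug-reporting guidelines (not visible in this diff, so I cannot supply the URL) or drop the sentence, since [3] already carries that link. Also, [1] and [2] are zncstrap issues while [3] is filed in znc/znc, so "as sometimes seen with zncstrap [1] [2] [3]" now folds a ZNC-tracker issue in under zncstrap; a short clause such as "and in ZNC's own tracker" before [3] would keep the attribution accurate.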
@@ -83,5 +84,21 @@ I hope this article has helped you to understand the issues with blindly accepting SSL certificates or at least to understand that *if you don't want to verify SSL certificates, don't use SSL.* -*Updated on 2015-02-26 10:43Z: just use environment variables in the +* *Updated on 2015-02-26 10:43Z: just use environment variables in the function like suggested by @DarthGandalf on \#znc.* + +## I am asked to verify fingerprint for network with valid certificate + +*Added on 2015-09-03.* + +There are usually three causes for this. Lets use freenode as example +network. + +1. You don't have `ca-certificates` package installed, so your system + trusts no certificate authority. Install it and try again. +2. You are connecting to wrong address. freenode's certificate is vaid for + \*.freenode.net, but some other domains are CNAMEs to it and get +3. There is MITM which is unlikely, but unlikely is not impossible. + Validating the certificates either by trusted certificates or verifying + the fingerprints securely manually protect you from this. If MITM is the + case, you shouldn't connect.
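Review bot: item 2 of the new "I am asked to verify fingerprint for network with valid certificate" section ends mid-sentence ("but some other domains are CNAMEs to it and get") and never states the consequence or which address the reader should use instead; finish the sentence (presumably that the name you connected to is not covered by the certificate, so verification fails) and name the correct connect address, otherwise the item lists a cause without a fix. Smaller points in the same hunk: "vaid" should be "valid", "Lets" should be "Let's", and "protect you" in item 3 should be "protects you". The changed `-*Updated on 2015-02-26 10:43Z` / `+* *Updated on 2015-02-26 10:43Z` lines turn the italic update note into a bullet whose continuation line ("function like suggested by @DarthGandalf on \#znc.*") is left unindented; either indent it under the bullet or revert to the plain italic paragraph. Finally, to let readers tell cause 1 from cause 2 the section should show the check they can run, e.g. `openssl s_client -connect HOST:PORT` with the exact address configured in ZNC, reading the "Verify return code" line and the certificate's subject/subjectAltName; a missing CA bundle and a name mismatch produce different errors there.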