parent
48f969ee98
commit
cdd7ebdd51
|
|
@ -0,0 +1,76 @@
|
|||
---
|
||||
layout: post
|
||||
comments: true
|
||||
title: "ZNC 1.6.0 & SSL certificate verification"
|
||||
category: [english]
|
||||
tags: [irc, english]
|
||||
---
|
||||
|
||||
**TL;DR: if you don't verify SSL certificates, don't use SSL!**
|
||||
|
||||
ZNC 1.6.0 was released on 2015-02-12 21:05:48Z. It brings multiple
|
||||
improvements such as taking IP addresses from round-robins randomly instead
|
||||
of always resolving them into same IP and most notably it actually verifies
|
||||
SSL certificates.
|
||||
|
||||
* [Changelog](http://wiki.znc.in/ChangeLog/1.6.0)
|
||||
|
||||
ZNC 1.6.0 also doesn't have option to blindly accept certificates, which
|
||||
would be stupid, but sadly
|
||||
[Quakenet is right about most of people just accepting certificates blindly](https://www.quakenet.org/articles/99-trust-is-not-transitive-or-why-irc-over-ssl-is-pointless)
|
||||
as people are asking how to disable the SSL certificate verification on
|
||||
\#znc at freenode a lot.
|
||||
|
||||
Some people even wrote [a patch and scripts to disable the verification.](https://gist.github.com/KindOne-/52cfade7b937ee8b4c37)
|
||||
|
||||
And to the subject
|
||||
------------------
|
||||
|
||||
If you don't verify SSL certificates, you only have a false sense of
|
||||
security as you let anyone between your ZNC and the IRC network. This is
|
||||
called as [Man-in the middle (or shortly MITM) attack.](https://en.wikipedia.org/wiki/Man-in-the-middle_attack)
|
||||
There are also people asking for ZNC to trust the certificate for the
|
||||
first time and then be alerted if the certificate changes. What if the
|
||||
MITM is there during your first connection attempt and then you are
|
||||
alerted when the real IRC server gives you wrong certificate?
|
||||
|
||||
So what is the correct way?
|
||||
---------------------------
|
||||
|
||||
* Check the website of your IRC network in case the fingerprints are
|
||||
listed on their website.
|
||||
* Try asking the operators of your IRC network somewhere else if you know
|
||||
them (like another network or email).
|
||||
* This might not be so recommended, but also check the fingerprints from
|
||||
multiple locations.
|
||||
|
||||
> But the IRC network has hundreds of servers with different certificates!
|
||||
|
||||
In this case do what was recommened before ZNC 1.6.0, check some of the
|
||||
servers that are geographically close to you and use them.
|
||||
|
||||
## Checking the fingerprint from multiple locations
|
||||
|
||||
I have shell function (which you can find later on this page) which I run
|
||||
from multiple places:
|
||||
|
||||
* my home, Kotka, Finland
|
||||
* [Kapsi (shell)](https://www.kapsi.fi/english.html), somewhere in Finland
|
||||
* my VPS, DigitalOcean, London, the UK
|
||||
|
||||
```bash
|
||||
# Get server SSL certificate fingerprint in MD5, SHA1 and SHA256.
|
||||
# Note that OpenSSL doesn't support IPv6 at time of writing (2015-01-13).
|
||||
serversslcertfp() {
|
||||
SSSLCFFN="/tmp/$(date -Is).pem"
|
||||
openssl s_client -showcerts -connect $1 < /dev/null|tee $SSSLCFFN
|
||||
cat $SSSLCFFN|openssl x509 -md5 -fingerprint -noout
|
||||
cat $SSSLCFFN|openssl x509 -sha1 -fingerprint -noout
|
||||
cat $SSSLCFFN|openssl x509 -sha256 -fingerprint -noout
|
||||
rm $SSSLCFFN
|
||||
}
|
||||
```
|
||||
|
||||
I hope this article has helped you to understand the issues with blindly
|
||||
accepting SSL certificates or at least to understand that *if you don't
|
||||
want to verify SSL certificates, don't use SSL.*
|
||||
Loading…
Reference in New Issue