From cdd7ebdd51ed312d4e9c0b66994a10de4cf632d7 Mon Sep 17 00:00:00 2001 From: Mikaela Suomalainen Date: Tue, 24 Feb 2015 09:40:49 +0200 Subject: [PATCH] add 2015-02-24-znc160-ssl.md closes #36 --- _posts/2015-02-24-znc160-ssl.md | 76 +++++++++++++++++++++++++++++++++ 1 file changed, 76 insertions(+) create mode 100644 _posts/2015-02-24-znc160-ssl.md diff --git a/_posts/2015-02-24-znc160-ssl.md b/_posts/2015-02-24-znc160-ssl.md new file mode 100644 index 0000000..e535795 --- /dev/null +++ b/_posts/2015-02-24-znc160-ssl.md @@ -0,0 +1,76 @@ +--- +layout: post +comments: true +title: "ZNC 1.6.0 & SSL certificate verification" +category: [english] +tags: [irc, english] +--- + +**TL;DR: if you don't verify SSL certificates, don't use SSL!** + +ZNC 1.6.0 was released on 2015-02-12 21:05:48Z. It brings multiple +improvements such as taking IP addresses from round-robins randomly instead +of always resolving them into same IP and most notably it actually verifies +SSL certificates. + +* [Changelog](http://wiki.znc.in/ChangeLog/1.6.0) + +ZNC 1.6.0 also doesn't have option to blindly accept certificates, which +would be stupid, but sadly +[Quakenet is right about most of people just accepting certificates blindly](https://www.quakenet.org/articles/99-trust-is-not-transitive-or-why-irc-over-ssl-is-pointless) +as people are asking how to disable the SSL certificate verification on +\#znc at freenode a lot. + +Some people even wrote [a patch and scripts to disable the verification.](https://gist.github.com/KindOne-/52cfade7b937ee8b4c37) + +And to the subject +------------------ + +If you don't verify SSL certificates, you only have a false sense of +security as you let anyone between your ZNC and the IRC network. This is +called as [Man-in the middle (or shortly MITM) attack.](https://en.wikipedia.org/wiki/Man-in-the-middle_attack) +There are also people asking for ZNC to trust the certificate for the +first time and then be alerted if the certificate changes. What if the +MITM is there during your first connection attempt and then you are +alerted when the real IRC server gives you wrong certificate? + +So what is the correct way? +--------------------------- + +* Check the website of your IRC network in case the fingerprints are + listed on their website. +* Try asking the operators of your IRC network somewhere else if you know + them (like another network or email). +* This might not be so recommended, but also check the fingerprints from + multiple locations. + +> But the IRC network has hundreds of servers with different certificates! + +In this case do what was recommened before ZNC 1.6.0, check some of the +servers that are geographically close to you and use them. + +## Checking the fingerprint from multiple locations + +I have shell function (which you can find later on this page) which I run +from multiple places: + +* my home, Kotka, Finland +* [Kapsi (shell)](https://www.kapsi.fi/english.html), somewhere in Finland +* my VPS, DigitalOcean, London, the UK + +```bash +# Get server SSL certificate fingerprint in MD5, SHA1 and SHA256. +# Note that OpenSSL doesn't support IPv6 at time of writing (2015-01-13). +serversslcertfp() { + SSSLCFFN="/tmp/$(date -Is).pem" + openssl s_client -showcerts -connect $1 < /dev/null|tee $SSSLCFFN + cat $SSSLCFFN|openssl x509 -md5 -fingerprint -noout + cat $SSSLCFFN|openssl x509 -sha1 -fingerprint -noout + cat $SSSLCFFN|openssl x509 -sha256 -fingerprint -noout + rm $SSSLCFFN +} +``` + +I hope this article has helped you to understand the issues with blindly +accepting SSL certificates or at least to understand that *if you don't +want to verify SSL certificates, don't use SSL.*