Mikaela
/
mikaela.github.io
mirror of https://github.com/mikaela/mikaela.github.io/
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
mikaela.github.io/blog/_posts/2015-02-24-znc160-ssl.md

137 lines
5.7 KiB
Markdown
Raw Blame History

---
layout: post
comments: true
title: "ZNC 1.6.0 & SSL certificate verification"
category: [english]
tags: [irc, english]
sitemap: false
redirect_from:
- /zncssl.html
- /english/2015/02/24/znc160-ssl.html
---
**TL;DR: if you don't verify SSL certificates, don't use SSL!**
ZNC 1.6.0 was released on 2015-02-12 21:05:48Z. It brings multiple improvements
such as taking IP addresses from round-robins randomly instead of always
resolving them into same IP and most notably it actually verifies SSL
certificates.
- [Changelog](https://wiki.znc.in/ChangeLog/1.6.0)
ZNC 1.6.0 also doesn't have option to blindly accept certificates, which would
be stupid, but sadly
[Quakenet is right about most of people just accepting certificates blindly](https://www.quakenet.org/articles/99-trust-is-not-transitive-or-why-irc-over-ssl-is-pointless)
as people are asking how to disable the SSL certificate verification on \#znc a
lot.
Some people even wrote
[a patch and scripts to disable the verification.](https://gist.github.com/KindOne-/52cfade7b937ee8b4c37)
This isn't a good idea as patching ZNC can cause all kinds of issues as
sometimes seen with zncstrap
[1](https://github.com/ProjectFirrre/zncstrap/issues/16)
[2](https://github.com/ProjectFirrre/zncstrap/issues/18)
[3](https://github.com/znc/znc/issues/384). See also
[contributing (reporting bugs) guidelines of ZNC.](https://github.com/znc/znc/issues/384)
I believe same policy should apply to patching ZNC as to config files, patch ZNC
or edit config file and you will forfeit all support.
## And to the subject
If you don't verify SSL certificates, you only have a false sense of security as
you let anyone between your ZNC and the IRC network. This is called as
[Man-in the middle (or shortly MITM) attack.](https://en.wikipedia.org/wiki/Man-in-the-middle_attack)
There are also people asking for ZNC to trust the certificate for the first time
and then be alerted if the certificate changes. What if the MITM is there during
your first connection attempt and then you are alerted when the real IRC server
gives you wrong certificate?
## So what is the correct way?
- Check the website of your IRC network in case the fingerprints are listed on
their website.
- Try asking the operators of your IRC network somewhere else if you know them
(like another network or email).
- This might not be so recommended, but also check the fingerprints from
multiple locations.
> But the IRC network has hundreds of servers with different certificates!
In this case do what was recommened before ZNC 1.6.0, check some of the servers
that are geographically close to you and use them.
## Checking the fingerprint from multiple locations
I have shell function (which you can find later on this page) which I run from
multiple places:
- my home, Kotka, Finland
- [Kapsi (shell)](https://www.kapsi.fi/english.html), somewhere in Finland
- my VPS, DigitalOcean, London, the UK
```bash
# Get server SSL certificate fingerprint in MD5, SHA1 and SHA256.
# Note that OpenSSL doesn't support IPv6 at time of writing (2015-01-13).
serversslcertfp() {
SSSLCFFN=$(openssl s_client -showcerts -connect $1 < /dev/null)
# To see all validity information
echo "$SSSLCFFN"
# For getting the fingerprints
echo "$SSSLCFFN" | openssl x509 -md5 -fingerprint -noout
echo "$SSSLCFFN" | openssl x509 -sha1 -fingerprint -noout
echo "$SSSLCFFN" | openssl x509 -sha256 -fingerprint -noout
echo "$SSSLCFFN" | openssl x509 -sha512 -fingerprint -noout
unset SSSLCFFN
}
```
I hope this article has helped you to understand the issues with blindly
accepting SSL certificates or at least to understand that _if you don't want to
verify SSL certificates, don't use SSL._
- _Updated on 2015-02-26 10:43Z: just use environment variables in the function
like suggested by @DarthGandalf on \#znc._
## I am asked to verify fingerprint for network with valid certificate
_Added on 2015-09-03. 4. added on 2016-01-26._
There are usually four causes for this. Lets use liberachat as example network.
1. You don't have the `ca-certificates` package installed (`ca_root_nss` on
FreeBSD), so your system trusts no certificate authority. Install it and try
again.
2. You are connecting to wrong address. liberachat's certificate is valid for
\*.libera.chat, but there are CNAMEs pointing there. If you connect to CNAME
and the certificate isn't valid for that CNAME, the certificate is invalid.
- You should always connect to `irc.libera.chat`.
3. There is MITM which is unlikely, but unlikely is not impossible. Validating
the certificates either by trusted certificates or verifying the fingerprints
securely manually protect you from this. If MITM is the case, you shouldn't
connect.
4. You have `ca-certificates` installed, but the remote certificate is signed by
CA that is not included in it. You could try installing system updates in
case `ca-certificates` have been updated or you will have to treat the
certificate as invalid until ZNC starts supporting it's own CA storage. See
(and comment if you encounter this)
[znc/znc#909](https://github.com/znc/znc/issues/909).
---
Section added on 2018-11-10: I have started using the new option to allow
invalid SSL certificates in some cases as this post is only written with
clearnet in mind.
I am on some networks over Yggdrasil or Cjdns which already have E2EE like Tor
hidden services so as long as they are accessed directly, all benefits of TLS
are there already and TLS certificates are an additional burden as with
LetsEncrypt they will change often and LetsEncrypt doesn't support any network I
mentioned.
---
_As I seem to be updating this page more than I originally thought I should
probably add
[this link to changelog here.](https://github.com/Mikaela/mikaela.github.io/commits/master/_posts/2015-02-24-znc160-ssl.md)_
Reference in New Issue View Git Blame Copy Permalink