mikaela.github.io/_posts/2015-02-24-znc160-ssl.md

105 lines
4.4 KiB
Markdown

---
layout: post
comments: true
title: "ZNC 1.6.0 & SSL certificate verification"
category: [english]
tags: [irc, english]
redirect_from: /zncssl.html
---
**TL;DR: if you don't verify SSL certificates, don't use SSL!**
ZNC 1.6.0 was released on 2015-02-12 21:05:48Z. It brings multiple
improvements such as taking IP addresses from round-robins randomly instead
of always resolving them into same IP and most notably it actually verifies
SSL certificates.
* [Changelog](http://wiki.znc.in/ChangeLog/1.6.0)
ZNC 1.6.0 also doesn't have option to blindly accept certificates, which
would be stupid, but sadly
[Quakenet is right about most of people just accepting certificates blindly](https://www.quakenet.org/articles/99-trust-is-not-transitive-or-why-irc-over-ssl-is-pointless)
as people are asking how to disable the SSL certificate verification on
\#znc at freenode a lot.
Some people even wrote [a patch and scripts to disable the verification.](https://gist.github.com/KindOne-/52cfade7b937ee8b4c37)
This isn't a good idea as patching ZNC can cause all kinds of issues as
sometimes seen with zncstrap [1](https://github.com/ProjectFirrre/zncstrap/issues/16) [2](https://github.com/ProjectFirrre/zncstrap/issues/18) [3](https://github.com/znc/znc/issues/384).
See also [contributing (reporting bugs) guidelines of ZNC.](https://github.com/znc/znc/issues/384)
I believe same policy should apply to patching ZNC as to config files,
patch ZNC or edit config file and you will forfeit all support.
And to the subject
------------------
If you don't verify SSL certificates, you only have a false sense of
security as you let anyone between your ZNC and the IRC network. This is
called as [Man-in the middle (or shortly MITM) attack.](https://en.wikipedia.org/wiki/Man-in-the-middle_attack)
There are also people asking for ZNC to trust the certificate for the
first time and then be alerted if the certificate changes. What if the
MITM is there during your first connection attempt and then you are
alerted when the real IRC server gives you wrong certificate?
So what is the correct way?
---------------------------
* Check the website of your IRC network in case the fingerprints are
listed on their website.
* Try asking the operators of your IRC network somewhere else if you know
them (like another network or email).
* This might not be so recommended, but also check the fingerprints from
multiple locations.
> But the IRC network has hundreds of servers with different certificates!
In this case do what was recommened before ZNC 1.6.0, check some of the
servers that are geographically close to you and use them.
## Checking the fingerprint from multiple locations
I have shell function (which you can find later on this page) which I run
from multiple places:
* my home, Kotka, Finland
* [Kapsi (shell)](https://www.kapsi.fi/english.html), somewhere in Finland
* my VPS, DigitalOcean, London, the UK
```bash
# Get server SSL certificate fingerprint in MD5, SHA1 and SHA256.
# Note that OpenSSL doesn't support IPv6 at time of writing (2015-01-13).
serversslcertfp () {
SSSLCFFN=$(openssl s_client -showcerts -connect $1 < /dev/null)
# To see all validity information
echo "$SSSLCFFN"
# For getting the fingerprints
echo "$SSSLCFFN" | openssl x509 -md5 -fingerprint -noout
echo "$SSSLCFFN" | openssl x509 -sha1 -fingerprint -noout
echo "$SSSLCFFN" | openssl x509 -sha256 -fingerprint -noout
unset SSSLCFFN
}
```
I hope this article has helped you to understand the issues with blindly
accepting SSL certificates or at least to understand that *if you don't
want to verify SSL certificates, don't use SSL.*
* *Updated on 2015-02-26 10:43Z: just use environment variables in the
function like suggested by @DarthGandalf on \#znc.*
## I am asked to verify fingerprint for network with valid certificate
*Added on 2015-09-03.*
There are usually three causes for this. Lets use freenode as example
network.
1. You don't have `ca-certificates` package installed, so your system
trusts no certificate authority. Install it and try again.
2. You are connecting to wrong address. freenode's certificate is vaid for
\*.freenode.net, but some other domains are CNAMEs to it and get
3. There is MITM which is unlikely, but unlikely is not impossible.
Validating the certificates either by trusted certificates or verifying
the fingerprints securely manually protect you from this. If MITM is the
case, you shouldn't connect.