mirror of
https://github.com/mikaela/mikaela.github.io/
synced 2024-11-30 00:19:25 +01:00
88 lines
3.6 KiB
Markdown
88 lines
3.6 KiB
Markdown
---
|
|
layout: post
|
|
comments: true
|
|
title: "ZNC 1.6.0 & SSL certificate verification"
|
|
category: [english]
|
|
tags: [irc, english]
|
|
redirect_from: /zncssl.html
|
|
---
|
|
|
|
**TL;DR: if you don't verify SSL certificates, don't use SSL!**
|
|
|
|
ZNC 1.6.0 was released on 2015-02-12 21:05:48Z. It brings multiple
|
|
improvements such as taking IP addresses from round-robins randomly instead
|
|
of always resolving them into same IP and most notably it actually verifies
|
|
SSL certificates.
|
|
|
|
* [Changelog](http://wiki.znc.in/ChangeLog/1.6.0)
|
|
|
|
ZNC 1.6.0 also doesn't have option to blindly accept certificates, which
|
|
would be stupid, but sadly
|
|
[Quakenet is right about most of people just accepting certificates blindly](https://www.quakenet.org/articles/99-trust-is-not-transitive-or-why-irc-over-ssl-is-pointless)
|
|
as people are asking how to disable the SSL certificate verification on
|
|
\#znc at freenode a lot.
|
|
|
|
Some people even wrote [a patch and scripts to disable the verification.](https://gist.github.com/KindOne-/52cfade7b937ee8b4c37)
|
|
This isn't a good idea as patching ZNC can cause all kinds of issues as
|
|
sometimes seen with zncstrap [1](https://github.com/ProjectFirrre/zncstrap/issues/16) [2](https://github.com/ProjectFirrre/zncstrap/issues/18).
|
|
|
|
I believe same policy should apply to patching ZNC as to config files,
|
|
patch ZNC or edit config file and you will forfeit all support.
|
|
|
|
And to the subject
|
|
------------------
|
|
|
|
If you don't verify SSL certificates, you only have a false sense of
|
|
security as you let anyone between your ZNC and the IRC network. This is
|
|
called as [Man-in the middle (or shortly MITM) attack.](https://en.wikipedia.org/wiki/Man-in-the-middle_attack)
|
|
There are also people asking for ZNC to trust the certificate for the
|
|
first time and then be alerted if the certificate changes. What if the
|
|
MITM is there during your first connection attempt and then you are
|
|
alerted when the real IRC server gives you wrong certificate?
|
|
|
|
So what is the correct way?
|
|
---------------------------
|
|
|
|
* Check the website of your IRC network in case the fingerprints are
|
|
listed on their website.
|
|
* Try asking the operators of your IRC network somewhere else if you know
|
|
them (like another network or email).
|
|
* This might not be so recommended, but also check the fingerprints from
|
|
multiple locations.
|
|
|
|
> But the IRC network has hundreds of servers with different certificates!
|
|
|
|
In this case do what was recommened before ZNC 1.6.0, check some of the
|
|
servers that are geographically close to you and use them.
|
|
|
|
## Checking the fingerprint from multiple locations
|
|
|
|
I have shell function (which you can find later on this page) which I run
|
|
from multiple places:
|
|
|
|
* my home, Kotka, Finland
|
|
* [Kapsi (shell)](https://www.kapsi.fi/english.html), somewhere in Finland
|
|
* my VPS, DigitalOcean, London, the UK
|
|
|
|
```bash
|
|
# Get server SSL certificate fingerprint in MD5, SHA1 and SHA256.
|
|
# Note that OpenSSL doesn't support IPv6 at time of writing (2015-01-13).
|
|
serversslcertfp () {
|
|
SSSLCFFN=$(openssl s_client -showcerts -connect $1 < /dev/null)
|
|
# To see all validity information
|
|
echo $SSSLCFFN
|
|
# For getting the fingerprints
|
|
echo $SSSLCFFN | openssl x509 -md5 -fingerprint -noout
|
|
echo $SSSLCFFN | openssl x509 -sha1 -fingerprint -noout
|
|
echo $SSSLCFFN | openssl x509 -sha256 -fingerprint -noout
|
|
unset SSSLCFFN
|
|
}
|
|
```
|
|
|
|
I hope this article has helped you to understand the issues with blindly
|
|
accepting SSL certificates or at least to understand that *if you don't
|
|
want to verify SSL certificates, don't use SSL.*
|
|
|
|
*Updated on 2015-02-26 10:43Z: just use environment variables in the
|
|
function like suggested by @DarthGandalf on \#znc.*
|