mirror of
https://github.com/mikaela/mikaela.github.io/
synced 2025-01-24 11:14:12 +01:00
Mikaela Suomalainen
d09ce30198
This breaks some links which can be fixed later if they don't fix themselves. Closes #123
136 lines
5.9 KiB
Markdown
136 lines
5.9 KiB
Markdown
---
|
|
layout: post
|
|
comments: true
|
|
title: "ZNC 1.6.0 & SSL certificate verification"
|
|
category: [english]
|
|
tags: [irc, english]
|
|
redirect_from:
|
|
- /zncssl.html
|
|
- /english/2015/02/24/znc160-ssl.html
|
|
---
|
|
|
|
**TL;DR: if you don't verify SSL certificates, don't use SSL!**
|
|
|
|
ZNC 1.6.0 was released on 2015-02-12 21:05:48Z. It brings multiple
|
|
improvements such as taking IP addresses from round-robins randomly instead
|
|
of always resolving them into same IP and most notably it actually verifies
|
|
SSL certificates.
|
|
|
|
* [Changelog](https://wiki.znc.in/ChangeLog/1.6.0)
|
|
|
|
ZNC 1.6.0 also doesn't have option to blindly accept certificates, which
|
|
would be stupid, but sadly
|
|
[Quakenet is right about most of people just accepting certificates blindly](https://www.quakenet.org/articles/99-trust-is-not-transitive-or-why-irc-over-ssl-is-pointless)
|
|
as people are asking how to disable the SSL certificate verification on
|
|
\#znc at freenode a lot.
|
|
|
|
Some people even wrote [a patch and scripts to disable the verification.](https://gist.github.com/KindOne-/52cfade7b937ee8b4c37)
|
|
This isn't a good idea as patching ZNC can cause all kinds of issues as
|
|
sometimes seen with zncstrap [1](https://github.com/ProjectFirrre/zncstrap/issues/16) [2](https://github.com/ProjectFirrre/zncstrap/issues/18) [3](https://github.com/znc/znc/issues/384).
|
|
See also [contributing (reporting bugs) guidelines of ZNC.](https://github.com/znc/znc/issues/384)
|
|
|
|
I believe same policy should apply to patching ZNC as to config files,
|
|
patch ZNC or edit config file and you will forfeit all support.
|
|
|
|
And to the subject
|
|
------------------
|
|
|
|
If you don't verify SSL certificates, you only have a false sense of
|
|
security as you let anyone between your ZNC and the IRC network. This is
|
|
called as [Man-in the middle (or shortly MITM) attack.](https://en.wikipedia.org/wiki/Man-in-the-middle_attack)
|
|
There are also people asking for ZNC to trust the certificate for the
|
|
first time and then be alerted if the certificate changes. What if the
|
|
MITM is there during your first connection attempt and then you are
|
|
alerted when the real IRC server gives you wrong certificate?
|
|
|
|
So what is the correct way?
|
|
---------------------------
|
|
|
|
* Check the website of your IRC network in case the fingerprints are
|
|
listed on their website.
|
|
* Try asking the operators of your IRC network somewhere else if you know
|
|
them (like another network or email).
|
|
* This might not be so recommended, but also check the fingerprints from
|
|
multiple locations.
|
|
|
|
> But the IRC network has hundreds of servers with different certificates!
|
|
|
|
In this case do what was recommened before ZNC 1.6.0, check some of the
|
|
servers that are geographically close to you and use them.
|
|
|
|
## Checking the fingerprint from multiple locations
|
|
|
|
I have shell function (which you can find later on this page) which I run
|
|
from multiple places:
|
|
|
|
* my home, Kotka, Finland
|
|
* [Kapsi (shell)](https://www.kapsi.fi/english.html), somewhere in Finland
|
|
* my VPS, DigitalOcean, London, the UK
|
|
|
|
```bash
|
|
# Get server SSL certificate fingerprint in MD5, SHA1 and SHA256.
|
|
# Note that OpenSSL doesn't support IPv6 at time of writing (2015-01-13).
|
|
serversslcertfp () {
|
|
SSSLCFFN=$(openssl s_client -showcerts -connect $1 < /dev/null)
|
|
# To see all validity information
|
|
echo "$SSSLCFFN"
|
|
# For getting the fingerprints
|
|
echo "$SSSLCFFN" | openssl x509 -md5 -fingerprint -noout
|
|
echo "$SSSLCFFN" | openssl x509 -sha1 -fingerprint -noout
|
|
echo "$SSSLCFFN" | openssl x509 -sha256 -fingerprint -noout
|
|
echo "$SSSLCFFN" | openssl x509 -sha512 -fingerprint -noout
|
|
unset SSSLCFFN
|
|
}
|
|
```
|
|
|
|
I hope this article has helped you to understand the issues with blindly
|
|
accepting SSL certificates or at least to understand that *if you don't
|
|
want to verify SSL certificates, don't use SSL.*
|
|
|
|
* *Updated on 2015-02-26 10:43Z: just use environment variables in the
|
|
function like suggested by @DarthGandalf on \#znc.*
|
|
|
|
## I am asked to verify fingerprint for network with valid certificate
|
|
|
|
*Added on 2015-09-03. 4. added on 2016-01-26.*
|
|
|
|
There are usually four causes for this. Lets use freenode as example
|
|
network.
|
|
|
|
1. You don't have the `ca-certificates` package installed (`ca_root_nss`
|
|
on FreeBSD), so your system trusts no certificate authority. Install it
|
|
and try again.
|
|
2. You are connecting to wrong address. freenode's certificate is valid for
|
|
\*.freenode.net, but there are CNAMEs pointing there. If you connect to
|
|
CNAME and the certificate isn't valid for that CNAME, the certificate
|
|
is invalid.
|
|
* You should always connect to either `irc.freenode.net` or
|
|
`chat.freenode.net` where it points to.
|
|
3. There is MITM which is unlikely, but unlikely is not impossible.
|
|
Validating the certificates either by trusted certificates or verifying
|
|
the fingerprints securely manually protect you from this. If MITM is the
|
|
case, you shouldn't connect.
|
|
4. You have `ca-certificates` installed, but the remote certificate is
|
|
signed by CA that is not included in it. You could try installing
|
|
system updates in case `ca-certificates` have been updated or you will
|
|
have to treat the certificate as invalid until ZNC starts supporting
|
|
it's own CA storage. See (and comment if you encounter this)
|
|
[znc/znc#909](https://github.com/znc/znc/issues/909).
|
|
|
|
* * * * *
|
|
|
|
Section added on 2018-11-10: I have started using the new option to allow
|
|
invalid SSL certificates in some cases as this post is only written with
|
|
clearnet in mind.
|
|
|
|
I am on some networks over Yggdrasil or Cjdns which already have E2EE like
|
|
Tor hidden services so as long as they are accessed directly, all benefits
|
|
of TLS are there already and TLS certificates are an additional burden as
|
|
with LetsEncrypt they will change often and LetsEncrypt doesn't support
|
|
any network I mentioned.
|
|
|
|
* * * * *
|
|
|
|
*As I seem to be updating this page more than I originally thought I should
|
|
probably add [this link to changelog here.](https://github.com/Mikaela/mikaela.github.io/commits/master/_posts/2015-02-24-znc160-ssl.md)*
|