mirror of
https://github.com/mikaela/mikaela.github.io/
synced 2024-11-29 07:59:24 +01:00
137 lines
5.7 KiB
Markdown
137 lines
5.7 KiB
Markdown
---
|
|
layout: post
|
|
comments: true
|
|
title: "ZNC 1.6.0 & SSL certificate verification"
|
|
category: [english]
|
|
tags: [irc, english]
|
|
sitemap: false
|
|
redirect_from:
|
|
- /zncssl.html
|
|
- /english/2015/02/24/znc160-ssl.html
|
|
---
|
|
|
|
**TL;DR: if you don't verify SSL certificates, don't use SSL!**
|
|
|
|
ZNC 1.6.0 was released on 2015-02-12 21:05:48Z. It brings multiple improvements
|
|
such as taking IP addresses from round-robins randomly instead of always
|
|
resolving them into same IP and most notably it actually verifies SSL
|
|
certificates.
|
|
|
|
- [Changelog](https://wiki.znc.in/ChangeLog/1.6.0)
|
|
|
|
ZNC 1.6.0 also doesn't have option to blindly accept certificates, which would
|
|
be stupid, but sadly
|
|
[Quakenet is right about most of people just accepting certificates blindly](https://www.quakenet.org/articles/99-trust-is-not-transitive-or-why-irc-over-ssl-is-pointless)
|
|
as people are asking how to disable the SSL certificate verification on \#znc a
|
|
lot.
|
|
|
|
Some people even wrote
|
|
[a patch and scripts to disable the verification.](https://gist.github.com/KindOne-/52cfade7b937ee8b4c37)
|
|
This isn't a good idea as patching ZNC can cause all kinds of issues as
|
|
sometimes seen with zncstrap
|
|
[1](https://github.com/ProjectFirrre/zncstrap/issues/16)
|
|
[2](https://github.com/ProjectFirrre/zncstrap/issues/18)
|
|
[3](https://github.com/znc/znc/issues/384). See also
|
|
[contributing (reporting bugs) guidelines of ZNC.](https://github.com/znc/znc/issues/384)
|
|
|
|
I believe same policy should apply to patching ZNC as to config files, patch ZNC
|
|
or edit config file and you will forfeit all support.
|
|
|
|
## And to the subject
|
|
|
|
If you don't verify SSL certificates, you only have a false sense of security as
|
|
you let anyone between your ZNC and the IRC network. This is called as
|
|
[Man-in the middle (or shortly MITM) attack.](https://en.wikipedia.org/wiki/Man-in-the-middle_attack)
|
|
There are also people asking for ZNC to trust the certificate for the first time
|
|
and then be alerted if the certificate changes. What if the MITM is there during
|
|
your first connection attempt and then you are alerted when the real IRC server
|
|
gives you wrong certificate?
|
|
|
|
## So what is the correct way?
|
|
|
|
- Check the website of your IRC network in case the fingerprints are listed on
|
|
their website.
|
|
- Try asking the operators of your IRC network somewhere else if you know them
|
|
(like another network or email).
|
|
- This might not be so recommended, but also check the fingerprints from
|
|
multiple locations.
|
|
|
|
> But the IRC network has hundreds of servers with different certificates!
|
|
|
|
In this case do what was recommened before ZNC 1.6.0, check some of the servers
|
|
that are geographically close to you and use them.
|
|
|
|
## Checking the fingerprint from multiple locations
|
|
|
|
I have shell function (which you can find later on this page) which I run from
|
|
multiple places:
|
|
|
|
- my home, Kotka, Finland
|
|
- [Kapsi (shell)](https://www.kapsi.fi/english.html), somewhere in Finland
|
|
- my VPS, DigitalOcean, London, the UK
|
|
|
|
```bash
|
|
# Get server SSL certificate fingerprint in MD5, SHA1 and SHA256.
|
|
# Note that OpenSSL doesn't support IPv6 at time of writing (2015-01-13).
|
|
serversslcertfp() {
|
|
SSSLCFFN=$(openssl s_client -showcerts -connect $1 < /dev/null)
|
|
# To see all validity information
|
|
echo "$SSSLCFFN"
|
|
# For getting the fingerprints
|
|
echo "$SSSLCFFN" | openssl x509 -md5 -fingerprint -noout
|
|
echo "$SSSLCFFN" | openssl x509 -sha1 -fingerprint -noout
|
|
echo "$SSSLCFFN" | openssl x509 -sha256 -fingerprint -noout
|
|
echo "$SSSLCFFN" | openssl x509 -sha512 -fingerprint -noout
|
|
unset SSSLCFFN
|
|
}
|
|
```
|
|
|
|
I hope this article has helped you to understand the issues with blindly
|
|
accepting SSL certificates or at least to understand that _if you don't want to
|
|
verify SSL certificates, don't use SSL._
|
|
|
|
- _Updated on 2015-02-26 10:43Z: just use environment variables in the function
|
|
like suggested by @DarthGandalf on \#znc._
|
|
|
|
## I am asked to verify fingerprint for network with valid certificate
|
|
|
|
_Added on 2015-09-03. 4. added on 2016-01-26._
|
|
|
|
There are usually four causes for this. Lets use liberachat as example network.
|
|
|
|
1. You don't have the `ca-certificates` package installed (`ca_root_nss` on
|
|
FreeBSD), so your system trusts no certificate authority. Install it and try
|
|
again.
|
|
2. You are connecting to wrong address. liberachat's certificate is valid for
|
|
\*.libera.chat, but there are CNAMEs pointing there. If you connect to CNAME
|
|
and the certificate isn't valid for that CNAME, the certificate is invalid.
|
|
- You should always connect to `irc.libera.chat`.
|
|
3. There is MITM which is unlikely, but unlikely is not impossible. Validating
|
|
the certificates either by trusted certificates or verifying the fingerprints
|
|
securely manually protect you from this. If MITM is the case, you shouldn't
|
|
connect.
|
|
4. You have `ca-certificates` installed, but the remote certificate is signed by
|
|
CA that is not included in it. You could try installing system updates in
|
|
case `ca-certificates` have been updated or you will have to treat the
|
|
certificate as invalid until ZNC starts supporting it's own CA storage. See
|
|
(and comment if you encounter this)
|
|
[znc/znc#909](https://github.com/znc/znc/issues/909).
|
|
|
|
---
|
|
|
|
Section added on 2018-11-10: I have started using the new option to allow
|
|
invalid SSL certificates in some cases as this post is only written with
|
|
clearnet in mind.
|
|
|
|
I am on some networks over Yggdrasil or Cjdns which already have E2EE like Tor
|
|
hidden services so as long as they are accessed directly, all benefits of TLS
|
|
are there already and TLS certificates are an additional burden as with
|
|
LetsEncrypt they will change often and LetsEncrypt doesn't support any network I
|
|
mentioned.
|
|
|
|
---
|
|
|
|
_As I seem to be updating this page more than I originally thought I should
|
|
probably add
|
|
[this link to changelog here.](https://github.com/Mikaela/mikaela.github.io/commits/master/_posts/2015-02-24-znc160-ssl.md)_
|