Branch: refs/heads/tmp/ValidateCerts
Home: https://github.com/ngircd/ngircd
Commit: 5a098d101ae1768da5d20c03ba5fa8049912d8bf
https://github.com/ngircd/ngircd/commit/5a098d101ae1768da5d20c03ba5fa804991…
Author: Christoph Biedl <ngircd.anoy(a)manchmal.in-ulm.de>
Date: 2014-11-05 (Wed, 05 Nov 2014)
Changed paths:
M doc/sample-ngircd.conf.tmpl
M man/ngircd.conf.5.tmpl
M src/ngircd/conf.c
M src/ngircd/conf.h
M src/ngircd/conn-ssl.c
M src/ngircd/conn.c
M src/ngircd/conn.h
M src/ngircd/irc-server.c
Log Message:
-----------
Optionally validate certificates on TLS server links
Bugzilla#120 is a *really* long-standing issue, and it's a very
important one: The peer's certificate is *not* validated on a server
link, rendering the security on such links useless since a
man-in-the-middle attacker can easily capture all the traffic and
re-encode it without even being noticed.
More than five years ago, Florian Westphal wrote a patch to mitigate
the issue but it was never completed nor made it to master. So I
took the liberty to rebase the patch onto rel-22, update the
configuration variables to reflect the rel-19-ish configuration
changes, and to fix a common error in certificate validation: The
certificate's CN must match the host name the client connects to.
This is anything but ready for prime time. Please test in every
conceivable way, there are many. Especially CRL is completely
untested. If you have an SSL/TLS guru at hand, please seek his advice.
There are many, many pitfalls in this area and certainly some are
still present. Host name validation should not solely done against the
CN, this is rather a last resort [citation needed]. Also, an outgoing
connection probably does not work against work SNI but certainly
should.
Also to do: Minor code style cleanup, some more error checking.
Cheers,
Christoph, beware of easter eggs
Based on
From: Florian Westphal <fw(a)strlen.de>
Date: Mon, 18 May 2009 00:29:02 +0200
Subject: [PATCH] SSL/TLS: add initial certificate support to openssl backend
**NOTE:** This service has been marked for deprecation: https://developer.github.com/changes/2018-04-25-github-services-deprecation/
Functionality will be removed from GitHub.com on January 31st, 2019.
Branch: refs/heads/AllowServiceKILL
Home: https://github.com/ngircd/ngircd
Commit: 8416e469cd9f55ae2d7b72ef2fb0a9bf0cc603d9
https://github.com/ngircd/ngircd/commit/8416e469cd9f55ae2d7b72ef2fb0a9bf0cc…
Author: Alexander Barton <alex(a)barton.de>
Date: 2017-09-26 (Tue, 26 Sep 2017)
Changed paths:
M src/ngircd/irc.c
Log Message:
-----------
Allow IRC Ops and remote servers to KILL service clients
In the end, service clients behave like regular users, therefore IRC
operators and servers should be able to KILL them: for example to
resolve nick collisions.
This is related to #238.
**NOTE:** This service has been marked for deprecation: https://developer.github.com/changes/2018-04-25-github-services-deprecation/
Functionality will be removed from GitHub.com on January 31st, 2019.