Hi all,
a patch (mostly untested 8->) that adds initial support for certificates to the openssl backend is located here:
http://strlen.de/ngircd/0001-SSL-TLS-add-initial-certificate-support-to-open... (signature: http://strlen.de/ngircd/0001-SSL-TLS-add-initial-certificate-support-to-open...)
The patch applies to ngircd release 14.1.
For those that want to follow up on changes/patches, please consider tracking my repository at git://git.breakpoint.cc/fw/ngircd-tls.git, the certificate changes are in the "tls-master" branch. (gitweb: http://git.breakpoint.cc/cgi-bin/gitweb.cgi?p=fw/ngircd-tls.git;a=summary)
By "initial" I mean that the basic functionality appears to work, but has not been tested much; no one has reviewed the code so far, there is no support for things like "accept this certificate only from ip X", etc.
Although I do not know when I can work on this again, I ask everyone interested in seeing this feature in ngircd, with some spare time and an ngircd test installation, to try out this patch and report any bugs/change requests. Thanks a lot!
The patch adds a few new config options:
in [GLOBAL] section:

SSLCAFile = /the/file/with/trusted/ca/certificates
    Filename pointing to the Trusted CA Certificates. Required for verifying peer certificates.

SSLCRLFile = /the/file/with/revoked/certificates
    (WARNING: not tested AT ALL)

SSLRequireClientCert = (yes|no)
    Do not accept incoming SSL connections from clients that do not have a valid certificate.

in [SERVER] section:

SSLVerify = (yes|no)
    Verify Server Peer Certificate. If this is an active connection (i.e. ngircd connects to the peer), the ssl handshake is aborted if the certificate of the remote server cannot be validated.
    If this is a passive connection (ngircd waits for the remote server to connect) and SSLRequireClientCert is false, the server link will only be established if the password matches and a valid certificate was received. (Obviously, because it's not possible to know in advance if the incoming connection is from a server or an irc client, the ssl handshake always completes; the connection will be shut down again once the SERVER command is received and the connection was established without/with an invalid certificate.)
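To make the two verification paths described above concrete, here is an ngircd.conf excerpt (an added illustration, not part of the patch or of the original post) that combines the new options with a passive and an active server link. The file paths, host names and passwords are placeholders; the base TLS settings SSLPorts, SSLCertFile and SSLKeyFile, the [Server] option SSLConnect, and the use of the Passive option are assumed from the existing TLS configuration rather than taken from this post.

```ini
[Global]
	Name = irc.example.net
	# Existing TLS settings (assumed from the TLS branch, not part of this patch).
	SSLPorts = 6697
	SSLCertFile = /etc/ngircd/server-cert.pem
	SSLKeyFile = /etc/ngircd/server-key.pem
	# New in this patch: trust anchors used to verify every peer certificate.
	# Placeholder path; without this file no certificate can be validated.
	SSLCAFile = /etc/ngircd/trusted-ca.pem
	# New in this patch: revocation list. The post marks this as completely untested,
	# so leave it unset until it has been exercised in a test installation.
	# SSLCRLFile = /etc/ngircd/revoked.pem
	# New in this patch: "no" lets ordinary IRC clients connect without a client
	# certificate. Incoming *server* links are still checked via SSLVerify below.
	SSLRequireClientCert = no

[Server]
	# Active link: ngircd connects out. With SSLVerify = yes the TLS handshake is
	# aborted if the remote server's certificate cannot be validated against SSLCAFile.
	Name = hub.example.net
	Host = hub.example.net
	Port = 6697
	MyPassword = placeholder-out
	PeerPassword = placeholder-in
	SSLConnect = yes
	SSLVerify = yes

[Server]
	# Passive link: the remote server connects to us. The handshake always completes
	# (the peer could still be a client), but with SSLVerify = yes the link is only
	# established if the password matches AND a valid certificate was presented;
	# otherwise the connection is dropped once the SERVER command arrives.
	Name = leaf.example.net
	Host = leaf.example.net
	Passive = yes
	MyPassword = placeholder-out
	PeerPassword = placeholder-in
	SSLVerify = yes
```

Keeping SSLRequireClientCert = no while setting SSLVerify = yes on each [Server] block is the combination the post describes for a server that serves clients and peers on the same TLS port: clients are admitted without certificates, but a peer that claims to be a server must present one that chains to SSLCAFile.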