Currently irc.server_default.ssl_fingerprint only allows one fingerprint to be specified; it would be cool if it allowed a list:
irc.example.com
All use self-signed certs
Thus in WeeChat it would be nice to do,
Other thoughts: With ssl_verify on, maybe prompt a user to add that ssl fingerprint as trusted on connect.
Another way would be to still have weechat.network.gnutls_ca_file for system certs and then go back to allowing a per server file for certs, kinda like how we have the one now for CertFP, e.g., irc.server.freenode.ssl_cert. Or let us specify two paths in weechat.network.gnutls_ca_file, one for system and one for our locally kept custom ones. Which would probably be ideal, as just two files is more than enough, and this way you don't have to add that line for each new server, as you just add the PEM files to your one big custom CA file.
Reasoning: A lot of IRC networks use their own certs or use signing agencies that aren't very well known and not in the system ca file. This way we could take care of those without turning off ssl_verify and still have the convenience of the system ones when we connect to better known IRC networks as well as the nicety of the system ones being updated and revoked.
VerdeP in #weechat @ chat.freenode.net
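The fingerprint-list idea requested above, sketched as an added example; this is not WeeChat's code and not from the issue author. It assumes a comma-separated option value and infers the hash algorithm from each fingerprint's length; the function names and the sample certificate bytes are hypothetical and constructed for illustration.

```python
import hashlib
import hmac

# Assumption: the algorithm is inferred from the fingerprint's hex length.
ALGO_BY_HEX_LEN = {40: "sha1", 64: "sha256", 128: "sha512"}

def parse_pins(option_value):
    """Parse a comma-separated fingerprint list into {algorithm: [digest, ...]}."""
    pins = {}
    for raw in option_value.split(","):
        fp = raw.strip().replace(":", "").lower()
        if not fp:
            continue  # tolerate empty entries such as a trailing comma
        algo = ALGO_BY_HEX_LEN.get(len(fp))
        if algo is None or any(c not in "0123456789abcdef" for c in fp):
            raise ValueError(f"malformed fingerprint: {raw.strip()!r}")
        pins.setdefault(algo, []).append(fp)
    return pins

def cert_is_pinned(cert_der, pins):
    """True if any pinned digest equals the digest of the DER certificate."""
    matched = False
    for algo, digests in pins.items():
        actual = hashlib.new(algo, cert_der).hexdigest()
        for expected in digests:
            # Check every entry with a constant-time comparison, no early exit.
            matched |= hmac.compare_digest(actual, expected)
    return matched

def check_server(cert_der, option_value):
    """Return None when no pins are set, so an empty list never means 'trust all'."""
    pins = parse_pins(option_value)
    if not pins:
        return None  # caller falls back to normal CA verification
    return cert_is_pinned(cert_der, pins)

# Constructed stand-ins for DER-encoded self-signed server certificates.
CERT_A = b"constructed-der-bytes-server-a"
CERT_B = b"constructed-der-bytes-server-b"
CERT_ROGUE = b"constructed-der-bytes-unknown"
# One option value covering both servers, mixing algorithms and letter case.
SAMPLE_PINS = (hashlib.sha256(CERT_A).hexdigest() + ","
               + hashlib.sha512(CERT_B).hexdigest().upper())

if __name__ == "__main__":
    for name, der in [("A", CERT_A), ("B", CERT_B), ("rogue", CERT_ROGUE)]:
        print(name, check_server(der, SAMPLE_PINS))
```

A malformed entry raises instead of being skipped, so a typo in the list cannot silently drop a pin.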