irc.server.*.ssl_fingerprint Allow a list of fingerprints #49

Closed
verde opened this issue Apr 4, 2014 · 0 comments
Labels: feature (New feature request)

verde commented Apr 4, 2014

Currently irc.server_default.ssl_fingerprint only allows one fingerprint to be specified; it would be cool if it allowed a list:

irc.example.com

--> a.example.com 40f5ccae2c382c9ca3d9d38b9ed1e0440a5bad27
--> b.example.com 76d9d1d7abc04d1631fb06f112f8c761dcc09243

All use self-signed certs.

Thus in WeeChat it would be nice to do:

/set irc.server.example.ssl_fingerprint 40f5ccae2c382c9ca3d9d38b9ed1e0440a5bad27,76d9d1d7abc04d1631fb06f112f8c761dcc09243

Other thoughts: With ssl_verify on, maybe prompt a user to add that ssl fingerprint as trusted on connect.

Another way would be to still have weechat.network.gnutls_ca_file for system certs and then go back to allowing a per server file for certs, kinda like how we have the one now for CertFP, e.g., irc.server.freenode.ssl_cert. Or let us specify two paths in weechat.network.gnutls_ca_file, one for system and one for our locally kept custom ones. Which would probably be ideal, as just two files is more than enough, and this way you don't have to add that line for each new server, as you just add the PEM files to your one big custom CA file.


Reasoning: A lot of IRC networks use their own certs or use signing agencies that aren't very well known and not in the system ca file. This way we could take care of those without turning off ssl_verify and still have the convenience of the system ones when we connect to better known IRC networks as well as the nicety of the system ones being updated and revoked.

VerdeP in #weechat @ chat.freenode.net
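
The check requested above, sketched as an added example (not part of the issue and not WeeChat's code): a comma-separated fingerprint option is parsed and a server certificate is accepted if its digest matches any entry. The function names and the constructed certificate bytes are assumptions, and inferring the hash from the fingerprint length goes beyond the 40-character SHA-1 values shown in the issue.

```python
import hashlib
import hmac

# Hex length of a fingerprint -> hash assumed to have produced it.
ALGO_BY_HEX_LEN = {40: "sha1", 64: "sha256", 128: "sha512"}


def parse_fingerprint_list(value):
    """Split a comma-separated option value into validated lowercase fingerprints."""
    pins = []
    for item in value.split(","):
        fp = item.strip().replace(":", "").lower()
        if not fp:
            continue  # tolerate a trailing comma or doubled separator
        if len(fp) not in ALGO_BY_HEX_LEN or any(c not in "0123456789abcdef" for c in fp):
            raise ValueError(f"invalid fingerprint: {item.strip()!r}")
        pins.append(fp)
    return pins


def certificate_is_pinned(der_cert, option_value):
    """Return True if the certificate's digest matches any fingerprint in the list."""
    digests = {}  # compute each needed digest only once
    matched = False
    for pin in parse_fingerprint_list(option_value):
        algo = ALGO_BY_HEX_LEN[len(pin)]
        if algo not in digests:
            digests[algo] = hashlib.new(algo, der_cert).hexdigest()
        # Constant-time comparison; keep scanning so every pin is always checked.
        if hmac.compare_digest(digests[algo], pin):
            matched = True
    # An empty list matches nothing; the caller decides what to do when no pins are set.
    return matched


# Constructed stand-ins for the DER bytes of the servers' certificates.
CERT_A = b"constructed DER bytes for a.example.com"
CERT_B = b"constructed DER bytes for b.example.com"
CERT_OTHER = b"constructed DER bytes for an unexpected certificate"

if __name__ == "__main__":
    pinned = ",".join(hashlib.sha1(c).hexdigest() for c in (CERT_A, CERT_B))
    for name, cert in (("a", CERT_A), ("b", CERT_B), ("other", CERT_OTHER)):
        print(name, certificate_is_pinned(cert, pinned))
```
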

@flashcode flashcode added this to the 1.0 milestone Nov 16, 2014
@flashcode flashcode self-assigned this Nov 16, 2014