irc.server.*.ssl_fingerprint Allow a list of fingerprints #49
Currently irc.server_default.ssl_fingerprint only allows one fingerprint to be specified; it would be cool if it allowed a list:
All use self-signed certs
Thus in WeeChat it would be nice to do,
Other thoughts: With ssl_verify on, maybe prompt a user to add that ssl fingerprint as trusted on connect.
Another way would be to still have weechat.network.gnutls_ca_file for system certs and then go back to allowing a per server file for certs, kinda like how we have the one now for CertFP, e.g., irc.server.freenode.ssl_cert. Or let us specify two paths in weechat.network.gnutls_ca_file, one for system and one for our locally kept custom ones. Which would probably be ideal, as just two files is more than enough, and this way you don't have to add that line for each new server, as you just add the PEM files to your one big custom CA file.
Reasoning: A lot of IRC networks use their own certs or use signing agencies that aren't very well known and not in the system ca file. This way we could take care of those without turning off ssl_verify and still have the convenience of the system ones when we connect to better known IRC networks as well as the nicety of the system ones being updated and revoked.
VerdeP in #weechat @ chat.freenode.net
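
The list-of-fingerprints check requested above, as an added sketch that is not code from this issue or from WeeChat. The comma-separated option format, the tolerance for colons and upper case, and picking the hash by digest length are all assumptions; the certificate bytes are constructed stand-ins.

```python
import hashlib
import hmac

# Hex length -> hash algorithm. Accepting two digest sizes is an assumption
# of this sketch; the issue does not say which hash the option uses.
ALGO_BY_HEX_LEN = {64: "sha256", 128: "sha512"}
HEX_DIGITS = set("0123456789abcdef")


def parse_fingerprint_list(option_value):
    """Split a comma-separated option value into (algorithm, hex) pins."""
    pins = []
    for raw in option_value.split(","):
        fp = raw.strip().replace(":", "").lower()
        if not fp:
            continue  # tolerate blank entries and trailing commas
        algo = ALGO_BY_HEX_LEN.get(len(fp))
        if algo is None or not set(fp) <= HEX_DIGITS:
            raise ValueError(f"malformed fingerprint: {raw.strip()!r}")
        pins.append((algo, fp))
    return pins


def cert_matches_any(der_cert, pins):
    """Return True if the certificate digest equals any pinned value."""
    digests = {}  # compute each algorithm's digest at most once
    matched = False
    for algo, expected in pins:
        if algo not in digests:
            digests[algo] = hashlib.new(algo, der_cert).hexdigest()
        if hmac.compare_digest(digests[algo], expected):
            matched = True
    return matched


# Constructed sample input: stand-in bytes for DER-encoded certificates.
SERVER_A_DER = b"constructed-der-bytes-server-a"
SERVER_B_DER = b"constructed-der-bytes-server-b"
UNKNOWN_DER = b"constructed-der-bytes-unpinned"

# One option value pinning both servers, one entry colon-separated.
FP_A = hashlib.sha256(SERVER_A_DER).hexdigest()
FP_B = hashlib.sha512(SERVER_B_DER).hexdigest()
OPTION_VALUE = FP_A.upper() + ", " + ":".join(FP_B[i:i + 2] for i in range(0, 128, 2))

if __name__ == "__main__":
    pins = parse_fingerprint_list(OPTION_VALUE)
    for der in (SERVER_A_DER, SERVER_B_DER, UNKNOWN_DER):
        print(der.decode(), cert_matches_any(der, pins))
```

A malformed entry raises instead of being skipped, so a typo in the option cannot silently shrink the set of pinned certificates.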