Have ZNC-specific CA storage #909

Open
Mikaela opened this Issue Mar 2, 2015 · 5 comments

Mikaela commented Mar 2, 2015

For adding certificate authorities for specific networks like OFTC or CACERT. This has been discussed on #znc multiple times.

  • http://www.oftc.net/
    • We support SSL on all of our servers. The certificates are signed, indirectly, by SPI’s certification authority. You can get the root certificate at the SPI website under http://www.spi-inc.org/ca/spi-cacert.crt, and if you care you can verify it using the pgp-signed certificate fingerprints. Alternatively, install a certificate collection (ca-certificates or similar names are common) that includes it.
  • http://www.cacert.org/

Mikaela commented May 7, 2015

And was just requested again.

2015-05-07 12:10:18+0300 < Darac> Hello. Question about 1.6.0 and AddTrustedServerFingerprint. I want to connect to a network where the servers are signed by a network CA. Can I trust the fingerprint of that CA certificate and have ZNC trust the servers, or do I need to add the fingerprints of each servers' individual cert?
2015-05-07 12:17:37+0300 < Darac> (Actually, just tried that and it doesn't work)
2015-05-07 12:21:48+0300 < Darac> Ah, never mind. I see #909
2015-05-07 12:21:49+0300 < ZNC-Linker> https://github.com/znc/znc/issues/909 “Have ZNC-specific CA storage” (open)

habnabit commented Aug 27, 2015

👍 this is sorely missing. :(

reissmann commented Sep 16, 2015

This is an important improvement, as there are IRC networks that use a full-featured PKI, which one would trust for IRC, but not system-wide. At the same time, if such a network uses multiple servers in DNS rotation, adding all the fingerprints is not really an option.

Mikaela commented Jan 26, 2016

Another network having its own CA is Hackint.

mweinelt commented Jan 27, 2018

15:40 <user> hi all, i have a client specific problem with znc.. znc does not connect to hackint if i only specify the root-ca as trusted fingerprint and it will round-robin(?) all available servers without success
15:42 <user> so what is the best thing to do? 1.) import the root ca into my os trust store (not my favorit one) or 2.) specify all fingerprints of all hackint irc servers in my znc config?

Those are some fine questions.
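
The behaviour discussed in this thread can be reproduced with the `openssl` command line. This is an added example, not ZNC code and not from any participant: it builds a constructed network CA and two server certificates (the names `irc1.irc.example` and `irc2.irc.example` are made up), then shows that the CA's fingerprint matches neither server certificate, while a CA file used only for this check validates both servers without the system trust store being touched.

```shell
#!/bin/sh
# Added example. The CA, host names and keys are constructed for this demo.
fp() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

network_ca_demo() {
  d=$(mktemp -d) || return 1
  cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed IRC Network CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  # The network's own self-signed root CA.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/ca.cnf" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
  # Two servers behind one round-robin name, each with its own key and cert.
  for h in irc1 irc2; do
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
      -subj "/CN=$h.irc.example" -keyout "$d/$h.key" -out "$d/$h.csr" \
      2>/dev/null || return 1
    openssl x509 -req -in "$d/$h.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
      -CAcreateserial -days 2 -out "$d/$h.crt" 2>/dev/null || return 1
  done
  pin=$(fp "$d/ca.crt")   # what a user would pin if they pinned the CA
  for h in irc1 irc2; do
    # Fingerprint pinning compares against the certificate the server presents.
    if [ "$(fp "$d/$h.crt")" = "$pin" ]; then echo "$h pin=match"
    else echo "$h pin=mismatch"; fi
    # Chain validation against a CA file used for this network only.
    if openssl verify -CAfile "$d/ca.crt" "$d/$h.crt" >/dev/null 2>&1
    then echo "$h network_ca=ok"; else echo "$h network_ca=fail"; fi
    # The system trust store was never modified, so it rejects the chain.
    if openssl verify "$d/$h.crt" >/dev/null 2>&1
    then echo "$h system_store=ok"; else echo "$h system_store=fail"; fi
  done
  rm -rf "$d"
}

network_ca_demo
```

Each server reports `pin=mismatch`, `network_ca=ok` and `system_store=fail`, which is the gap between per-server fingerprint pinning and a per-network CA file that this issue asks ZNC to close.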
