Feature #96

avatar

SSL+CertFP support

Added by Mirco Bauer 5984 days ago. Updated 3368 days ago.

Status:Closed Start:
Priority:Urgent Due date:
Assigned to:avatarMirco Bauer % Done:

100%

Category:Engine
Target version:1.1
Complexity:

Medium

Votes: 2 (View)

Description

Implement SSL+CertFP support see: http://www.oftc.net/oftc/NickServ/CertFP


Related issues

blocked by Smuxi - Task #456 Include SmartIrc4net library Closed 08/22/2010

Associated revisions

Revision 3a07213acabf7b0de23b9d1851781c82efb56537
Added by Mirco Bauer 4780 days ago

[Engine/Engine-*] Refactored IProtocolManager.Connect() to use ServerModel

Cleanly pass all connection parameters to the protocol manager using the
ServerModel class. This way it is no longer needed to add and save a server
before making use of SSL options.

Also it will make it easier to add multi-identity support (references: #428),
different encoding per server (references: #27),
client certificates (references: #96) and SASL support (references: #98).

Revision 83a2ab1c3e64ef4438b8e901891270f65566ea95
Added by Mirco Bauer 3368 days ago

Engine(-IRC), Frontend-GNOME: support CertFP (closes: #96) as an more secure alternative to the famous "/msg NickServ IDENTIFY my_password"
command.

https://freenode.net/certfp/

As this is an internal setting only (for now) you need to configure it using
the /config command like this:

/config Servers/IRC/$SERVER_ID/ClientCertificateFilename = mycert.pfx
/config save

The client certificate can be generated using makecert like this:

makecert -eku 1.3.6.1.5.5.7.3.2 -r -cy end -n "CN=$USER" -p12 mycert.pfx ""

The certificate must not use a passphrase, else it can't be loaded. Thus secure
the file against access by other users with:

chmod 400 mycert.pfx

Place the certificate in ~/.config/smuxi/certs/ otherwise specify the full path
in ClientCertificateFilename.

On most IRC networks that support CertFP you can verify if the certificate was
used using /whois on your own nickname. A line like this should show up in the
whois reply:

[276 (?) meebey3] has client certificate fingerprint a15aecab43e1d0965a2da43739a9628d790994e0

Special thanks goes to An-Ivoz for finding out how client certificate selection
works!

History

Updated by Mirco Bauer 5229 days ago

avatar
  • Target version changed from 0.8 to TBD

CA certs need to be imported into Smuxi and the CA store needs to be populated at runtime somehow... SslStream doesn't need to offer a simple API for this :/

Updated by Mirco Bauer 3999 days ago

avatar
  • Priority changed from Normal to Urgent
  • Complexity set to Medium

Cert validation is NOT required as the client only needs to supply a client certificate and the server validates that cert for authentication.

Updated by Mirco Bauer 3986 days ago

avatar
  • % Done changed from 0 to 90

I have implemented a PoC of this feature here:
https://github.com/meebey/smuxi/tree/experiments/certfp

But it seems like Mono has a bug in its SSL implementation which does not send a client supplied certificate to the server :/

Updated by Mirco Bauer 3368 days ago

avatar
  • Target version changed from TBD to 1.1

Updated by Mirco Bauer 3368 days ago

avatar
  • Status changed from New to Closed
  • % Done changed from 90 to 100

Updated by Mirco Bauer 3368 days ago

avatar

That was because the client certificate selection callback wasn't provided, thus the supplied cert was never sent.

Also available in: Atom PDF