aatxe / irc

the irc crate – usable, async IRC for Rust
Mozilla Public License 2.0

Add option to add fingerprints to validate certificates #67

Closed belst closed 7 years ago

belst commented 7 years ago

If a server uses a self signed certificate a fingerprint check would be nice to allow connecting.

aatxe commented 7 years ago

You can now specify the root certificate being used for the connection with the config field cert_path. It has to be DER encoded, and the certificate has to otherwise be valid (can't be expired). You should also be able to use your system keychain to a similar effect (at least, I can confirm this works on macOS).

quite commented 5 years ago

I can't seem to connect to a server with a self-signed cert in this way. I'm getting hold of the DER like so:

openssl </dev/null s_client -connect example.org:6697 \
| sed -ne "/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p" \
>example.org.pem
openssl x509 -inform PEM -in example.org.pem -outform DER -out example.org.der

But I'm just getting the openssl error unable to get local issuer certificate:

thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value: Tls(Ssl(Error { code: ErrorCode(1), cause: Some(Ssl(ErrorStack([Error { code: 337047686, library: "SSL routines", function: "tls_process_server_certificate", reason: "certificate verify failed", file: "ssl/statem/statem_clnt.c", line: 1925 }]))) }, X509VerifyResult { code: 20, error: "unable to get local issuer certificate" }))', libcore/result.rs:1009:5

I can squeeze in a builder.danger_accept_invalid_certs(true) in src/client/conn.rs and get a connection, "of course", but that's precisely what I don't want to do :)

I've made sure that the server I'm connecting to is the same as the CN of the cert, as well.

quite commented 5 years ago

I tried out adding an option to do native_tls::TlsConnectorBuilder.danger_accept_invalid_certs(). Is that too mad? Helpful to get around issues with self-signed certs in dev envs...
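As an added illustration, not code from the irc crate or from anyone in this thread, here is the kind of check the original request asks for: instead of disabling verification wholesale, compare the SHA-256 fingerprint of the DER certificate the server presents against a configured pin list, in Python. The DER bytes are constructed stand-ins, and the fingerprint notation follows what `openssl x509 -fingerprint -sha256` prints.

```python
import hashlib
import hmac
import ssl
from typing import Iterable

# Constructed stand-in for a DER-encoded certificate; in practice this is
# the output of `openssl x509 -outform DER` or getpeercert(binary_form=True).
SAMPLE_DER = b"\x30\x82\x01\x0a" + bytes(range(256)) + b"example.org"


def fingerprint_sha256(der: bytes) -> str:
    """SHA-256 fingerprint of the DER bytes in openssl's AA:BB:CC notation."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Accept 'SHA256 Fingerprint=..', upper/lower case, or colon-free hex."""
    if "=" in fp:
        fp = fp.split("=", 1)[1]
    return fp.replace(":", "").strip().lower()


def pinned_cert_ok(der: bytes, pinned: Iterable[str]) -> bool:
    """True only when the presented certificate matches a pinned fingerprint.

    The comparison is constant-time, and a mismatch is a hard failure:
    there is no fallback to "accept anything" as danger_accept_invalid_certs
    would give.
    """
    actual = hashlib.sha256(der).hexdigest()
    return any(hmac.compare_digest(actual, normalize(p)) for p in pinned)


def verify_peer(ssl_sock: ssl.SSLSocket, pinned: Iterable[str]) -> None:
    """Run right after the handshake on a socket whose context relies on the
    pin rather than on chain validation; raises instead of carrying on."""
    der = ssl_sock.getpeercert(binary_form=True)
    if der is None or not pinned_cert_ok(der, pinned):
        raise ssl.SSLCertVerificationError("peer certificate not in pin list")
```

A pinned self-signed certificate is accepted because its fingerprint is known in advance, and any other certificate, expired or not, is rejected regardless of which CA signed it.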