ergochat / ergo

A modern IRC server (daemon/ircd) written in Go.
https://ergo.chat/
MIT License

CA-based system for client certificates #1369

Open slingamn opened 3 years ago

slingamn commented 3 years ago

This was #414 and we already declared victory on this. But this still interests me as the best option for enterprise hardening of Oragono: with native support for this, we could immediately reject any connection that doesn't have a valid certificate. (In a hypothetical enterprise setting, rapidly expiring certificates would then be distributed by a management agent.)

Amiga60077 commented 3 years ago

I have noticed a problem with regards to Oragono using Self-Signed/Created SSL Certs and using mIRC 7.61 (NOTE: Removed IP/Hostnames)

For example when I connect I get this all the time:

[16:32:37] Connecting to (+6697)
[16:32:37] Using STS secure port +6697
[16:32:38] * Unable to connect to server (SSL certificate verify failed) <<--- This happens until I delete "servers.ini"

Until I delete this file:

Now I can connect perfectly fine:

[16:32:46] Connecting to (+6697)
[snip*]
[16:32:47] You are now logged in as Amiga600
[16:32:47] Authentication successful
[16:32:47] *** Looking up your hostname...

NOTE: This does not happen on any other IRC daemon (unreal, etc); only Oragono rejects the SSL Cert until I remove "servers.ini", which then fixes this problem.

I can only assume either Oragono is sending the wrong SSL Cert Hash to mIRC and mIRC is storing it, and as it does not match the Oragono Certificate it is failing on a new connection (unless the "servers.ini" is deleted, which then allows connection).

DanielOaks commented 3 years ago

Hey @Amiga60077! This issue's about client authentication certificates, rather than the TLS certificate that the server advertises.

The issue you're having is just that your IRC client won't connect to a network that's advertising a self-signed certificate. To change mIRC to allow this, you need to go to the settings menu, then Connect -> Options -> SSL -> and then change Server Certificates to Display for approval.

This isn't really an issue of Oragono, it's just that by default newer versions of mIRC don't support self-signed TLS certs (not sure whether older versions did). But since this issue's about client authentication certificates anyway this isn't the right issue for this kinda issue regardless ehe~

Amiga60077 commented 3 years ago

Ok thanks for that - I just thought as it only affected my Oragono server, that it was an issue related to that, my apologies