Don't irssi_ssl_verify_hostname when hostname is 'localhost'

irssi-import / bugs.irssi.org

bugs.irssi.org archive

https://github.com/irssi/irssi/issues

0 stars 0 forks source link

Don't irssi_ssl_verify_hostname when hostname is 'localhost' #778

Closed irssibot closed 13 years ago

irssibot commented 13 years ago

- - Issue #778 opened by @boo

Hello!

I'm trying to -ssl_verify on a server on which I'm connecting using socat. This means that it's hostname is appearing to be 'localhost' and it will always fail the irssi_ssl_verify_hostname() function.

I created the attached patch to dodge this problem; it basically doesn't verify the hostname when it's 'localhost'. It also gives a warning when this happens.

Do you see any flaws with this?

irssibot commented 13 years ago

- - Attachment 235 by @boo

irssipatch.patch

--- irssi/src/core/network-openssl.c    
+++ network-openssl.c
@@ -234,11 +234,15 @@
                }
                g_warning("  MD5 Fingerprint : %s", fp);
            }
-       }
-       return FALSE;
-   } else if (! irssi_ssl_verify_hostname(cert, hostname)){
-       return FALSE;
-   }
+            return FALSE;
+        }
+    }
+    if (strcmp(hostname, "localhost"))
+      if (! irssi_ssl_verify_hostname(cert, hostname))
+        return FALSE;
+      else
+        g_warning("Server's hostname is 'localhost'. You are probably using socat/stunnel. "
+                  "Disabling hostname verification.");
    return TRUE;
 }

irssibot commented 13 years ago

- - Comment 1267 by @coekie

If you don't want to verify, you can just not specify -ssl_verify when connecting to localhost. There's no point in verifying the rest of the certificate if the hostname in it is being ignored. Less important, but I also don't like the idea of treating "localhost" as a special case. What about 127.0.0.1, what about ip6-localhost, or any other hostname that resolves to the local host...

irssibot commented 13 years ago

- - Comment 1268 by @boo

If you don't want to verify, you can just not specify -ssl_verify when connecting to localhost. There's no point in verifying the rest of the certificate if the hostname in it is being ignored.

I suppose you are right.

What about 127.0.0.1, what about ip6-localhost, or any other hostname that resolves to the local host...

Yes, that would be better indeed.

Anyway, it was indeed an ugly hack and I guess I'll keep it for myself.

PS: When you know the server you are connecting to and you have their ca.crt, there is a point in -ssl_verifying even without hostname checking, to avoid MITM. But yeah, ugly hack it was.

Thank you, Wouter!

See you around.

irssibot commented 13 years ago

- - Comment 1270 by @coekie

Yeah, you've got a point in your PS.

Not applying the patch, but thanks anyways :)

irssibot commented 13 years ago

- - Closed by @coekie