Closed irssibot closed 13 years ago
irssipatch.patch
--- irssi/src/core/network-openssl.c
+++ network-openssl.c
@@ -234,11 +234,15 @@
}
g_warning(" MD5 Fingerprint : %s", fp);
}
- }
- return FALSE;
- } else if (! irssi_ssl_verify_hostname(cert, hostname)){
- return FALSE;
- }
+ return FALSE;
+ }
+ }
+ if (strcmp(hostname, "localhost"))
+ if (! irssi_ssl_verify_hostname(cert, hostname))
+ return FALSE;
+ else
+ g_warning("Server's hostname is 'localhost'. You are probably using socat/stunnel. "
+ "Disabling hostname verification.");
return TRUE;
}
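Review bot: the `else` on the added `g_warning` line binds to the inner `if (! irssi_ssl_verify_hostname(cert, hostname))`, not to the `strcmp` check, so the "Server's hostname is 'localhost'" warning fires when a non-localhost hostname verifies successfully and never when the hostname actually is "localhost", which now falls through to `return TRUE` silently. Brace both branches so the intent is unambiguous: `if (strcmp(hostname, "localhost") != 0) { if (!irssi_ssl_verify_hostname(cert, hostname)) return FALSE; } else { g_warning(...); }`. Beyond the brace problem, skipping the hostname check for a peer named "localhost" makes -ssl_verify accept any certificate that chains to a trusted CA regardless of the name in it, and the special case matches only the literal string "localhost" (not 127.0.0.1 or ::1); an explicit option to disable hostname verification for a connection would make that weaker check visible to the user instead of implicit in the hostname.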
If you don't want to verify, you can just not specify -ssl_verify when connecting to localhost. There's no point in verifying the rest of the certificate if the hostname in it is being ignored. Less important, but I also don't like the idea of treating "localhost" as a special case. What about 127.0.0.1, what about ip6-localhost, or any other hostname that resolves to the local host...
> If you don't want to verify, you can just not specify -ssl_verify when connecting to localhost. There's no point in verifying the rest of the certificate if the hostname in it is being ignored.
I suppose you are right.
> What about 127.0.0.1, what about ip6-localhost, or any other hostname that resolves to the local host...
Yes, that would be better indeed.
Anyway, it was indeed an ugly hack and I guess I'll keep it for myself.
PS: When you know the server you are connecting to and you have their ca.crt, there is a point in -ssl_verifying even without hostname checking, to avoid MITM. But yeah, ugly hack it was.
Thank you, Wouter!
See you around.
Yeah, you've got a point in your PS.
Not applying the patch, but thanks anyways :)
Hello!
I'm trying to -ssl_verify on a server to which I'm connecting using socat. This means that its hostname appears to be 'localhost' and it will always fail the irssi_ssl_verify_hostname() function.
I created the attached patch to dodge this problem; it basically doesn't verify the hostname when it's 'localhost'. It also gives a warning when this happens.
Do you see any flaws with this?