~emersion/soju#56: Add support for TLS cert pinning

Currently it is only possible either to validate SSL certs via the local cert store or to connect via plaintext, but, for example, when using socat to proxy connections to servers through Tor, I want to use SSL but not have the cert validated.

Status
REPORTED
Submitter
~r4pr0n
Assigned to
No-one
Submitted
1 year, 6 months ago
Updated
a month ago
Labels
enhancement upstream

~r4pr0n 1 year, 6 months ago

Of course, another possibility for this special use case would be adding SOCKS proxy support.

~emersion 1 year, 6 months ago

ircs+insecure is not planned. Instead, fingerprint pinning should be used.

~r4pr0n 1 year, 6 months ago

And that won't check if the domain you're connecting to is the domain the certificate is issued for?

~emersion 1 year, 6 months ago

Correct. This will just check the fingerprint is the right one.

~r4pr0n 1 year, 6 months ago

I guess that's better, though I then have to change the pinned cert every time the cert changes; something like "domain pinning" would be more convenient (setting a domain for a server that the certificate may be issued to).

~emersion 1 year, 6 months ago

If you're going to use Tor, why not use plain-text connections? TLS doesn't provide any value if certificate verification is disabled.

~r4pr0n 1 year, 6 months ago

That's true, but I could still use TLS if I could configure the domain check somehow (and also via normal cert pinning, but that is pretty inconvenient).

~emersion a month ago

To fix this:

  • Add a new tls_cert_fingerprint column to the Network table
  • Update our Network type and DB implementations accordingly
  • Set tls.Config.VerifyPeerCertificate to check the fingerprint
  • Add a BouncerServ network update flag to set the fingerprint
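The third step of that list, a tls.Config.VerifyPeerCertificate callback that checks a SHA-256 fingerprint, as an added example in Go. This is illustrative code written for this page, not soju's implementation: the function names, the optional "sha256:" prefix accepted by ParseFingerprint, and the self-signed certificate generated in-process so the example runs offline are all assumptions. Because InsecureSkipVerify is set, crypto/tls skips chain building and hostname verification and passes a nil verifiedChains to the callback, so the fingerprint of rawCerts[0] (the leaf) is the only thing standing between the client and a spoofed server; a mismatch must fail the handshake.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// CertFingerprint returns the SHA-256 digest of a DER-encoded certificate,
// the same value `openssl x509 -fingerprint -sha256` prints.
func CertFingerprint(der []byte) []byte {
	sum := sha256.Sum256(der)
	return sum[:]
}

// ParseFingerprint accepts colon-separated or bare hex, any case, with an
// optional "sha256:" prefix (the prefix is an assumption of this example).
func ParseFingerprint(s string) ([]byte, error) {
	s = strings.TrimPrefix(strings.ToLower(strings.TrimSpace(s)), "sha256:")
	b, err := hex.DecodeString(strings.ReplaceAll(s, ":", ""))
	if err != nil {
		return nil, fmt.Errorf("fingerprint is not hex: %v", err)
	}
	if len(b) != sha256.Size {
		return nil, fmt.Errorf("fingerprint has %d bytes, want %d", len(b), sha256.Size)
	}
	return b, nil
}

// FingerprintVerifier builds the VerifyPeerCertificate callback: the handshake
// succeeds only if the leaf certificate's digest equals the pinned one.
func FingerprintVerifier(pinned []byte) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("tls: server presented no certificate")
		}
		got := CertFingerprint(rawCerts[0])
		if subtle.ConstantTimeCompare(got, pinned) != 1 {
			return fmt.Errorf("tls: certificate fingerprint mismatch: got %s, pinned %s",
				hex.EncodeToString(got), hex.EncodeToString(pinned))
		}
		return nil
	}
}

// PinnedTLSConfig replaces chain and hostname verification with the pin.
// InsecureSkipVerify is required so crypto/tls does not reject the
// (self-signed or Tor-proxied) certificate before the callback runs.
func PinnedTLSConfig(serverName string, pinned []byte) *tls.Config {
	return &tls.Config{
		ServerName:            serverName,
		InsecureSkipVerify:    true,
		VerifyPeerCertificate: FingerprintVerifier(pinned),
	}
}

// selfSignedDER makes a throwaway certificate (constructed test data, not a
// real server's certificate) so the example can run without a network.
func selfSignedDER(cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	der, err := selfSignedDER("irc.example.onion")
	if err != nil {
		panic(err)
	}
	cfg := PinnedTLSConfig("irc.example.onion", CertFingerprint(der))
	fmt.Println("pinned cert:   ", cfg.VerifyPeerCertificate([][]byte{der}, nil))
	other, _ := selfSignedDER("irc.example.onion") // a second key: same name, new fingerprint
	fmt.Println("rotated cert:  ", cfg.VerifyPeerCertificate([][]byte{other}, nil))
}
```

The "rotated cert" line in main shows the operational cost raised earlier in the thread: pinning the leaf digest means any renewal, even for the same name, fails until the stored fingerprint is updated, which is what the BouncerServ network update flag in the last step is for. Pinning the SubjectPublicKeyInfo digest instead of the whole certificate would survive renewals that keep the key, but is a different, longer-lived trust decision.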