| Age | Commit message (Collapse) | Author |
|---|
|
Original patch by 'Slarky'
According to that ticket, the next major version of solaris won't need
this. Consider reverting this when solaris 11.3 stops being relevant.
|
|
|
|
This patch moves the emitted "tls handshake finished" signal to before
we do validation of the given TLS certificate. This ensures that we
display certificate information before we possibly error out and
disconnects from the server.
|
|
This patch removes support for DANE validation of TLS certificates.
There wasn't enough support in the IRC community to push for this on the
majority of bigger IRC networks. If you believe this should be
reintroduced into irssi, then please come up with an implementation that
does not rely on the libval library. It is causing a lot of troubles for
our downstream maintainers.
|
|
|
|
|
|
|
|
|
|
This patch adds two new options to /CONNECT and /SERVER to let the user
pin either an x509 certificate and/or the public key of a given server.
It is possible to fetch the certificate outside of Irssi itself to
verify the checksum. To fetch the certificate call:
$ openssl s_client -connect chat.freenode.net:6697 < /dev/null 2>/dev/null | \
openssl x509 > freenode.cert
This will download chat.freenode.net:6697's TLS certificate and put it into the
file freenode.cert.
-tls_pinned_cert
----------------
This option allows you to specify the SHA-256 hash of the x509
certificate. When succesfully connected to the server, irssi will verify
that the given server certificate matches the pin set by the user.
The SHA-256 hash of a given certificate can be verified outside of irssi
using the OpenSSL command line tool:
$ openssl x509 -in freenode.cert -fingerprint -sha256 -noout
-tls_pinned_pubkey
------------------
This option allows you to specify the SHA-256 hash of the subject public key
information section of the server certificate. This section contains both the
cryptographic parameters for the public key, but also information about the
algorithm used together with the public key parameters.
When succesfully connected to the server, irssi will verify that the
given public key matches the pin set by the user.
The SHA-256 hash of a public key can be verified outside of irssi using
the OpenSSL command line tool:
$ openssl x509 -in freenode.cert -pubkey -noout | \
openssl pkey -pubin -outform der | \
openssl dgst -sha256 -c | \
tr a-z A-Z
It is possible to specify both -tls_pinned_cert and -tls_pinned_pubkey
together.
|
|
|
|
|
|
|
|
This patch changes the internal name of SSL to TLS. We also add -tls_*
options to /CONNECT and /SERVER, but make sure that the -ssl_* versions
of the commands continue to work like before.
|
|
This patch removes the optional checks for whether to build irssi with
TLS support or not. This will allow us to ship a default configuration
file where we connect to TLS enabled IRC servers out of the box.
|
|
|
|
Otherwise we can see errors that are not related to the operation
we check for. SSL_get_error() inspects the thread's error queue.
See https://www.openssl.org/docs/manmaster/ssl/SSL_get_error.html for
more information.
|
|
and warn when no cipher suite could be selected.
|
|
|
|
|
|
|
|
|
|
Fixes: Bug #305
git-svn-id: file:///var/www/svn.irssi.org/SVN/irssi/trunk@5231 dbcabf3a-b0e7-0310-adc4-f8d773084564
|
|
git-svn-id: file:///var/www/svn.irssi.org/SVN/irssi/trunk@5223 dbcabf3a-b0e7-0310-adc4-f8d773084564
|
|
This patch adds 3 new signals:
* tlsa avalable: emitted if TLSA is available for a given domain.
* tlsa verification success: emitted if the TLSA check was successful.
* tlsa verification failed: emitted if the TLSA check was unsuccessful.
git-svn-id: file:///var/www/svn.irssi.org/SVN/irssi/trunk@5220 dbcabf3a-b0e7-0310-adc4-f8d773084564
|
|
This patch refactors how we are passing connection information for SSL
connections. This will allow us to emit signals with a SERVER_REC as
parameter during SSL handshake.
git-svn-id: file:///var/www/svn.irssi.org/SVN/irssi/trunk@5219 dbcabf3a-b0e7-0310-adc4-f8d773084564
|
|
This patch adds experimental support for the DNSSEC DANE verification
protocol using the libval library from the DNSSEC-Tools package.
Thanks to Thomas Steen Ramussen for creating a test setup and suggesting
the idea of experimenting with DANE support in Irssi :-)
git-svn-id: file:///var/www/svn.irssi.org/SVN/irssi/trunk@5218 dbcabf3a-b0e7-0310-adc4-f8d773084564
|
|
connections to TLSv1.1 servers from working. Patch by pi-rho.
git-svn-id: file:///var/www/svn.irssi.org/SVN/irssi/trunk@5216 dbcabf3a-b0e7-0310-adc4-f8d773084564
|
|
git-svn-id: file:///var/www/svn.irssi.org/SVN/irssi/trunk@5186 dbcabf3a-b0e7-0310-adc4-f8d773084564
|
|
git-svn-id: file:///var/www/svn.irssi.org/SVN/irssi/trunk@5170 dbcabf3a-b0e7-0310-adc4-f8d773084564
|
|
git-svn-id: file:///var/www/svn.irssi.org/SVN/irssi/trunk@5136 dbcabf3a-b0e7-0310-adc4-f8d773084564
|
|
git-svn-id: file:///var/www/svn.irssi.org/SVN/irssi/trunk@5117 dbcabf3a-b0e7-0310-adc4-f8d773084564
|
|
git-svn-id: file:///var/www/svn.irssi.org/SVN/irssi/trunk@5116 dbcabf3a-b0e7-0310-adc4-f8d773084564
|
|
certain versions of OpenSSL.
git-svn-id: file:///var/www/svn.irssi.org/SVN/irssi/trunk@5108 dbcabf3a-b0e7-0310-adc4-f8d773084564
|
|
This allows useful use of -ssl_verify without
-ssl_cafile/-ssl_capath, using OpenSSL's default trusted CAs.
git-svn-id: file:///var/www/svn.irssi.org/SVN/irssi/trunk@5107 dbcabf3a-b0e7-0310-adc4-f8d773084564
|
|
connecting to
git-svn-id: file:///var/www/svn.irssi.org/SVN/irssi/trunk@5104 dbcabf3a-b0e7-0310-adc4-f8d773084564
|
|
the same).
This fixes disconnects when sending large amounts of data
to the server.
Note that it assumes that write retries will retry the same
data; a reasonable assumption, but it is not necessary for
any normal write().
git-svn-id: file:///var/www/svn.irssi.org/SVN/irssi/trunk@5095 dbcabf3a-b0e7-0310-adc4-f8d773084564
|
|
git-svn-id: file:///var/www/svn.irssi.org/SVN/irssi/trunk@5031 dbcabf3a-b0e7-0310-adc4-f8d773084564
|
|
Display more detailed error messages about SSL and
fix assertion failure warnings on some SSL errors.
git-svn-id: file:///var/www/svn.irssi.org/SVN/irssi/trunk@4933 dbcabf3a-b0e7-0310-adc4-f8d773084564
|
|
the openssl error string.
git-svn-id: file:///var/www/svn.irssi.org/SVN/irssi/trunk@4884 dbcabf3a-b0e7-0310-adc4-f8d773084564
|
|
openssl error is SSL_WANT_{READ,WRITE}, G_IO_STATUS_ERROR otherwise.
git-svn-id: file:///var/www/svn.irssi.org/SVN/irssi/trunk@4883 dbcabf3a-b0e7-0310-adc4-f8d773084564
|
|
git-svn-id: http://svn.irssi.org/repos/irssi/trunk@4792 dbcabf3a-b0e7-0310-adc4-f8d773084564
|
|
rather than g_io_channel_{seek,close}.
git-svn-id: http://svn.irssi.org/repos/irssi/trunk@4791 dbcabf3a-b0e7-0310-adc4-f8d773084564
|
|
git-svn-id: http://svn.irssi.org/repos/irssi/trunk@4782 dbcabf3a-b0e7-0310-adc4-f8d773084564
|
|
git-svn-id: http://svn.irssi.org/repos/irssi/trunk@4705 dbcabf3a-b0e7-0310-adc4-f8d773084564
|
|
an error, e.g. bad bind address, localhost connection
refused.
git-svn-id: http://svn.irssi.org/repos/irssi/trunk@4577 dbcabf3a-b0e7-0310-adc4-f8d773084564
|
|
the connection immediately. Also clarify the error message
when the SSL handshake fails.
This bug was introduced after 0.8.11.
git-svn-id: http://svn.irssi.org/repos/irssi/trunk@4576 dbcabf3a-b0e7-0310-adc4-f8d773084564
|
|
git-svn-id: http://svn.irssi.org/repos/irssi/trunk@4536 dbcabf3a-b0e7-0310-adc4-f8d773084564
|
|
git-svn-id: http://svn.irssi.org/repos/irssi/trunk@4509 dbcabf3a-b0e7-0310-adc4-f8d773084564
|
|
git-svn-id: http://svn.irssi.org/repos/irssi/trunk@4490 dbcabf3a-b0e7-0310-adc4-f8d773084564
|
|
git-svn-id: http://svn.irssi.org/repos/irssi/trunk@4489 dbcabf3a-b0e7-0310-adc4-f8d773084564
|
