Age | Commit message (Collapse) | Author |
|
Closes #559.
|
|
provide net_start_ssl api
|
|
fixes #615
|
|
- X509_get_notBefore becomes X509_get0_notBefore
- X509_get_notAfter becomes X509_get0_notAfter
- ASN1_STRING_data becomes ASN1_STRING_get0_data (and drops the const)
- The whole library is now initialized by OPENSSL_init_ssl
Closes #597
|
|
Right now we only warn the user, the connection keeps going.
Fixes #211
|
|
Original patch by 'Slarky'
According to that ticket, the next major version of solaris won't need
this. Consider reverting this when solaris 11.3 stops being relevant.
|
|
|
|
|
|
Also, plugged a memory leak when retrieving the match position.
|
|
|
|
It was made redundant by the introduction of the pointer to the GRegex
structure.
Silence the compiler warning in textbuffer.c about preg being
initialized by setting it to NULL.
|
|
|
|
enforce check that chatnets are nodelists to handle invalid config
|
|
|
|
|
|
|
|
This patch moves the emitted "tls handshake finished" signal to before
we do validation of the given TLS certificate. This ensures that we
display certificate information before we possibly error out and
disconnects from the server.
|
|
This patch removes support for DANE validation of TLS certificates.
There wasn't enough support in the IRC community to push for this on the
majority of bigger IRC networks. If you believe this should be
reintroduced into irssi, then please come up with an implementation that
does not rely on the libval library. It is causing a lot of troubles for
our downstream maintainers.
|
|
|
|
|
|
|
|
|
|
This patch adds two new options to /CONNECT and /SERVER to let the user
pin either an x509 certificate and/or the public key of a given server.
It is possible to fetch the certificate outside of Irssi itself to
verify the checksum. To fetch the certificate call:
$ openssl s_client -connect chat.freenode.net:6697 < /dev/null 2>/dev/null | \
openssl x509 > freenode.cert
This will download chat.freenode.net:6697's TLS certificate and put it into the
file freenode.cert.
-tls_pinned_cert
----------------
This option allows you to specify the SHA-256 hash of the x509
certificate. When succesfully connected to the server, irssi will verify
that the given server certificate matches the pin set by the user.
The SHA-256 hash of a given certificate can be verified outside of irssi
using the OpenSSL command line tool:
$ openssl x509 -in freenode.cert -fingerprint -sha256 -noout
-tls_pinned_pubkey
------------------
This option allows you to specify the SHA-256 hash of the subject public key
information section of the server certificate. This section contains both the
cryptographic parameters for the public key, but also information about the
algorithm used together with the public key parameters.
When succesfully connected to the server, irssi will verify that the
given public key matches the pin set by the user.
The SHA-256 hash of a public key can be verified outside of irssi using
the OpenSSL command line tool:
$ openssl x509 -in freenode.cert -pubkey -noout | \
openssl pkey -pubin -outform der | \
openssl dgst -sha256 -c | \
tr a-z A-Z
It is possible to specify both -tls_pinned_cert and -tls_pinned_pubkey
together.
|
|
|
|
|
|
|
|
This patch adds the TLS_REC structure. This structure is used to emit
information about the TLS handshake from the core of irssi to the
front-end layers such that we can display connection information to the
user.
|
|
This patch changes the internal name of SSL to TLS. We also add -tls_*
options to /CONNECT and /SERVER, but make sure that the -ssl_* versions
of the commands continue to work like before.
|
|
This patch adds binary_to_hex(), which can take an input buffer and
convert it to colon-delimited hex strings suitable for printing for
fingerprints.
|
|
This patch removes the optional checks for whether to build irssi with
TLS support or not. This will allow us to ship a default configuration
file where we connect to TLS enabled IRC servers out of the box.
|
|
|
|
Clean up misc.c
|
|
|
|
Enum setting implementation
|
|
|
|
Also, use a FORMAT to show the error message.
|
|
Trying to /reconnect unix sockets turned them into inet.
|
|
|
|
|
|
This is useful to let the user choose an option between a finite set of
valid alternatives.
|
|
May fix bugs.debian.org#826525
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The only difference was that the former returned 1 if the buffer was
overflown, but the return value was never checked.
|
|
|
|
|