[ngIRCd-ML] [Announce]: Initial certificate support for openssl backend

Florian Westphal fw at strlen.de
Mon May 18 01:08:04 CEST 2009


Hi all,

a patch (mostly untested 8->) that adds initial support for certificates
to the openssl backend is located here:

http://strlen.de/ngircd/0001-SSL-TLS-add-initial-certificate-support-to-openssl.patch.bz2
(signature:
http://strlen.de/ngircd/0001-SSL-TLS-add-initial-certificate-support-to-openssl.patch.sig)

The patch applies to ngircd release 14.1.

For those that want to follow up on changes/patches, please consider
tracking my repository at
git://git.breakpoint.cc/fw/ngircd-tls.git , the certificate changes are
in the "tls-master" branch.
(gitweb:
http://git.breakpoint.cc/cgi-bin/gitweb.cgi?p=fw/ngircd-tls.git;a=summary)

By "initial" i mean that the basic functionality appears to work, but
has not been tested much; noone has reviewed the code so far, there is
no support for things like "accept this cerificate only from ip X", etc.

Although I do not know when I can work on this again, I ask that
everyone interested in seeing this feature in ngircd and with some spare
time and a ngircd test installation to try out this patch and report
any bugs/change requests, thanks a lot!

The patch adds a few new config options:

in GLOBAL section:

SSLCAFile = /the/file/with/trusted/ca/certificates
	Filename pointing to the Trusted CA Certificates. Required for
	verifying peer certificates.

SSLCRLFile = /the/file/with/revoked/certificates (WARNING: not tested AT ALL)

SSLRequireClientCert = (yes|no)
	Do not accept incoming SSL connections from clients that do not
	have a valid certificate.

in [SERVER] section:

SSLVerify: (yes|no)

Verify Server Peer Certificate. If this is an active connection
(i.e. ngircd connects to the peer), the ssl handshake
is aborted if the certificate of the remote server cannot be
validated.

If this is a passive connection (ngircd waits for the remote server to
connect) and SSLRequireClientCert is false, the server link will only
be established if the password matches and a valid certificate
was received.  (obvioulsy, because its not possible to know in advance if the
incoming connection is from a server or an irc client, the ssl handshake
always completes; the connection will be shut down again once the
SERVER command is received and the connection was established without
/invalid certificate.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
URL: <http://arthur.barton.de/pipermail/ngircd-ml/attachments/20090518/d6bd247f/attachment.pgp>


More information about the ngIRCd-ML mailing list