|Assigned to:||Mirco Bauer||% Done:||
Implement SSL+CertFP support see: http://www.oftc.net/oftc/NickServ/CertFP
|blocked by Smuxi - Task #456||Include SmartIrc4net library||Closed||08/22/2010|
[Engine/Engine-*] Refactored IProtocolManager.Connect() to use ServerModel
Cleanly pass all connection parameters to the protocol manager using the
ServerModel class. This way it is no longer needed to add and save a server
before making use of SSL options.
Also it will make it easier to add multi-identity support (references:
different encoding per server (references: #27),
client certificates (references:
#96) and SASL support (references: #98).
Engine(-IRC), Frontend-GNOME: support CertFP (closes:
as an more secure alternative to the famous "/msg NickServ IDENTIFY my_password"
As this is an internal setting only (for now) you need to configure it using
the /config command like this:
/config Servers/IRC/$SERVER_ID/ClientCertificateFilename = mycert.pfx
The client certificate can be generated using makecert like this:
makecert -eku 126.96.36.199.188.8.131.52.2 -r -cy end -n "CN=$USER" -p12 mycert.pfx ""
The certificate must not use a passphrase, else it can't be loaded. Thus secure
the file against access by other users with:
chmod 400 mycert.pfx
Place the certificate in ~/.config/smuxi/certs/ otherwise specify the full path
On most IRC networks that support CertFP you can verify if the certificate was
used using /whois on your own nickname. A line like this should show up in the
[276 (?) meebey3] has client certificate fingerprint a15aecab43e1d0965a2da43739a9628d790994e0
Special thanks goes to An-Ivoz for finding out how client certificate selection
Updated by Mirco Bauer 2075 days ago
- Target version changed from 0.8 to TBD
CA certs need to be imported into Smuxi and the CA store needs to be populated at runtime somehow... SslStream doesn't need to offer a simple API for this :/
Updated by Mirco Bauer 845 days ago
- Priority changed from Normal to Urgent
- Complexity set to Medium
Cert validation is NOT required as the client only needs to supply a client certificate and the server validates that cert for authentication.
Updated by Mirco Bauer 833 days ago
- % Done changed from 0 to 90
I have implemented a PoC of this feature here:
But it seems like Mono has a bug in its SSL implementation which does not send a client supplied certificate to the server :/
Updated by Mirco Bauer 215 days ago
- Status changed from New to Closed
- % Done changed from 90 to 100
Applied in changeset 83a2ab1c3e64ef4438b8e901891270f65566ea95.