Client Certs

ircd should accept clients certs in ssl connections from clients.

• The client certificate does not need to be signed by a recognized certification authority. It can be self signed, or its certificate path can be missing or only partial.
• All we care about is the client cert's fingerprint.

This fingerprint can be used in a couple of places:

• In ilines, auth blocks:

  auth {
      client_certificate_hash = "f572d396fae9206628714fb2ce00f72e94f2258f";
      client_certificate_hash = "9591818c07e900db7e1e0bc4b884c945e6a61b24";
  
      class = "supereme-overlords";
  };
  

• In olines, oper blocks:

  operator {
      name = "heyman";
      class = "opers";
  
      user = "heyman@master.universe";
      client_certificate_hash = "30f79bec32243c31dd91a05c0ad7b80f1e301aea";
      client_certificate_hash = "2aa45fe1764d87a0e09c11df00898f7306ee75ff";
      client_certificate_hash = "9e38d7d080d0a68cab934acc32836972082e3813";
  
      password = "$1$1FtsXpEU$q29Ddq3taMABbkxCnzKxh0";
  
      [..]
  };
  

  . If the client is connected with a matching client cert, they can /oper up (given the correct password) even if they are not matching the user mask, i.e. even if they come from a different host.
• ircd should show the client cert's fingerprint in whois to opers and the client. possibly after "is connected via SSL (secure link)"

• For NickServ access: Users can add fingerprints to their registered nickserv accounts. If they connect using a client certificate they are automatically recognized as the owner of their nickname. The following changes will be necessary for nickserv:

  • Database changes:
    • There will be a table of fingerprints.
    • A fingerprint is a VARCHAR(40)
    • A fingerprint also has an id (integer, primary key) for easier handling.
    • A fingerprint has an account_id (references account(id) not null). (Accordingly, an account can have zero, one, or more fingerprints assigned with it. A fingerprint can be assigned to multiple accounts, so it must not be unique.
    • (fingerprint, account_id) should be unique.
    • fingerprints should only consist of characters '0'-'9', and 'a'-'f'. They should be all lowercase.

  • NickServ should automatically recognize clients as a nick's owner if they are connected using a client certificate on the access list. This applies to connecting as well as to changing nicknames.

  • NickServ will need a CERT command with the following subcommands:

    • CERT ADD [fingerprint]: Adds the fingerprint, or the client's current fingerprint to the cert list for the account.
    • CERT LIST: list the certificates associated with this account. Should also show the client's current fingerprint
    • CERT DEL fingerprint|id: deletes a fingerprint by fingerprint or by an ordinal number from LIST.

  • NickServ REGAIN will need to change to allow a 1 param version, changing its syntax to REGAIN <nickname> [password]

• Hmm. For opers, maybe connecting via a client cert should should always satisfy the hostmask limitation and not magically do something about the password? -- weasel 20070610