Client Certs
ircd should accept clients certs in ssl connections from clients.
- The client certificate does not need to be signed by a recognized certification authority. It can be self signed, or its certificate path can be missing or only partial.
- All we care about is the client cert's fingerprint.
This fingerprint can be used in a couple of places:
In ilines, auth blocks:
auth { client_certificate_hash = "f572d396fae9206628714fb2ce00f72e94f2258f"; client_certificate_hash = "9591818c07e900db7e1e0bc4b884c945e6a61b24"; class = "supereme-overlords"; };In olines, oper blocks:
operator { name = "heyman"; class = "opers"; user = "heyman@master.universe"; client_certificate_hash = "30f79bec32243c31dd91a05c0ad7b80f1e301aea"; client_certificate_hash = "2aa45fe1764d87a0e09c11df00898f7306ee75ff"; client_certificate_hash = "9e38d7d080d0a68cab934acc32836972082e3813"; password = "$1$1FtsXpEU$q29Ddq3taMABbkxCnzKxh0"; [..] };. If the client is connected with a matching client cert, they can /oper up (given the correct password) even if they are not matching the user mask, i.e. even if they come from a different host.- ircd should show the client cert's fingerprint in whois to opers and the client. possibly after "is connected via SSL (secure link)"
For NickServ access: Users can add fingerprints to their registered nickserv accounts. If they connect using a client certificate they are automatically recognized as the owner of their nickname. The following changes will be necessary for nickserv:
- Database changes:
- There will be a table of fingerprints.
- A fingerprint is a VARCHAR(40)
- A fingerprint also has an id (integer, primary key) for easier handling.
- A fingerprint has an account_id (references account(id) not null). (Accordingly, an account can have zero, one, or more fingerprints assigned with it. A fingerprint can be assigned to multiple accounts, so it must not be unique.
- (fingerprint, account_id) should be unique.
- fingerprints should only consist of characters '0'-'9', and 'a'-'f'. They should be all lowercase.
NickServ should automatically recognize clients as a nick's owner if they are connected using a client certificate on the access list. This applies to connecting as well as to changing nicknames.
NickServ will need a CERT command with the following subcommands:
- CERT ADD [fingerprint]: Adds the fingerprint, or the client's current fingerprint to the cert list for the account.
- CERT LIST: list the certificates associated with this account. Should also show the client's current fingerprint
- CERT DEL fingerprint|id: deletes a fingerprint by fingerprint or by an ordinal number from LIST.
NickServ REGAIN will need to change to allow a 1 param version, changing its syntax to REGAIN <nickname> [password]
- Database changes:
- Hmm. For opers, maybe connecting via a client cert should should always satisfy the hostmask limitation and not magically do something about the password? -- weasel 20070610
