Re: [dev] [ii] connect to servers with self signed tls certificates

From: Jan Klemkow <j.klemkow_AT_wemelug.de>
Date: Sat, 29 Oct 2022 23:48:35 +0200

Hi Fernando and Hiltjo,

On Sat, Oct 29, 2022 at 08:18:22PM +0200, Hiltjo Posthuma wrote:
> On Sat, Oct 29, 2022 at 11:38:10AM -0500, fernandoreyesavila3 wrote:
> > I am hosting an ergo irc server with self signed certificates.
> > Connecting to any public irc server works as expected. ii prints the
> > following when I try to connect to my server.
> >
> > $ ii -s servername.com -p 6697
> > NICK nando
> > USER nando localhost servername.com :nando
> >
> > ii: remote host closed connection: No such file or directory
> >
> > I patched ii with tls encryption support and ran
> >
> > $ ii -t -s servername.com -p 6697
> > ii: tls_handshake: certificate verification failed: self signed certificate
> >
> > I connected through hexchat by accepting invalid ssl certificates.
> > Is there a similar option for ii? Any help would be appreciated.
>
> With LibreSSL libtls: you could set a certificate file:
>
> https://man.openbsd.org/tls_config_set_ca_file
>
> Maybe you could add a command-line flag that allows setting this certificate so it
> can be set per server.

For those use cases, I would just add a "don't check anything" flag.
The API of libtls is too detailed to expose every knob as an option to
ii. Maybe an -F <fingerprint> option could be a compromise for self-signed
certs?!

I'll think about it and make a change to the tls patch.

Thanks,
Jan
Received on Sat Oct 29 2022 - 23:48:35 CEST
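
Added example, not part of the ii tls patch or of this thread: one way the proposed -F <fingerprint> check could work with libtls, comparing the string returned by tls_peer_cert_hash() against a pinned SHA-256 fingerprint after the handshake instead of skipping verification altogether. The names fp_normalize, fp_pin_matches, check_pin and the USE_LIBTLS build switch are assumptions made for this example.

```c
#include <ctype.h>
#include <string.h>
#define FP_HEXLEN 64	/* SHA-256 digest as hex digits */

/* Reduce a fingerprint to 64 lowercase hex digits. Accepts an optional
 * "SHA256:" prefix and ':' between bytes; returns -1 on anything else. */
static int
fp_normalize(const char *in, char out[FP_HEXLEN + 1])
{
	size_t n = 0;
	if (strncmp(in, "SHA256:", 7) == 0)
		in += 7;
	for (; *in != '\0'; in++) {
		if (*in == ':')
			continue;
		if (!isxdigit((unsigned char)*in) || n == FP_HEXLEN)
			return -1;
		out[n++] = (char)tolower((unsigned char)*in);
	}
	out[n] = '\0';
	return n == FP_HEXLEN ? 0 : -1;
}

/* 1 only if both values parse and are equal; the loop always visits all
 * 64 digits, so timing does not reveal where a mismatch occurs. */
int
fp_pin_matches(const char *peer_hash, const char *pinned)
{
	char a[FP_HEXLEN + 1], b[FP_HEXLEN + 1];
	unsigned char diff = 0;
	size_t i;
	if (peer_hash == NULL || pinned == NULL ||
	    fp_normalize(peer_hash, a) != 0 || fp_normalize(pinned, b) != 0)
		return 0;
	for (i = 0; i < FP_HEXLEN; i++)
		diff |= (unsigned char)(a[i] ^ b[i]);
	return diff == 0;
}

#ifdef USE_LIBTLS	/* assumed build switch: cc -DUSE_LIBTLS ... -ltls */
#include <tls.h>
/* Call after tls_handshake() succeeded on a context whose config had
 * tls_config_insecure_noverifycert() applied; -1 means drop the connection. */
int
check_pin(struct tls *ctx, const char *pinned)
{
	return fp_pin_matches(tls_peer_cert_hash(ctx), pinned) ? 0 : -1;
}
#endif
```

The pinned value can be given as plain hex, with the "SHA256:" prefix, or in the colon-separated form; a malformed or missing value never matches, so the check fails closed.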