CA-based system for client certificates #1369
Comments
I have noticed a problem with regard to Oragono using Self-Signed/Created SSL Certs and using mIRC 7.61. For example, when I connect I get this all the time: Until I delete this file:

Now I can connect perfectly fine: [16:32:46] * Connecting to (+6697)

NOTE: This does not happen on any other IRC daemon (unreal, etc). Only Oragono rejects the SSL Cert until I remove "servers.ini", which then fixes this problem.

I can only assume either Oragono is sending the wrong SSL Cert Hash to mIRC and mIRC is storing it, and as it does not match the Oragono Certificate it is failing on a new connection (unless the "servers.ini" is deleted, which then allows connection).
Hey @Amiga60077! This issue's about client authentication certificates, rather than the TLS certificate that the server advertises. The issue you're having is just that your IRC client won't connect to a network that's advertising a self-signed certificate. To change mIRC to allow this, you need to go to the settings menu, then Connect -> Options -> SSL -> and then change Server Certificates to Display for approval, like here:

This isn't really an issue of Oragono, it's just that by default newer versions of mIRC don't support self-signed TLS certs (not sure whether older versions did). But since this issue's about client authentication certificates anyway this isn't the right issue for this kinda issue regardless ehe~
Ok thanks for that - I just thought as it only affected my Oragono server, that it was an issue related to that, my apologies
This was #414 and we already declared victory on this. But this still interests me as the best option for enterprise hardening of Oragono: with native support for this, we could immediately reject any connection that doesn't have a valid certificate. (In a hypothetical enterprise setting, rapidly expiring certificates would then be distributed by a management agent.)
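The behaviour proposed in the issue, as an added example (not Oragono's code): a Go `crypto/tls` server configured with `RequireAndVerifyClientCert` and a client CA pool fails the handshake unless the client presents an unexpired certificate chaining to that CA. The helper names `issue` and `handshake`, the CA, the host `irc.example.test` and the client name are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue returns a certificate for cn that expires after ttl; a nil parent yields a self-signed CA.
func issue(cn string, ttl time.Duration, parent *tls.Certificate) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(ttl), BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}}
	if parent == nil { // self-signed CA: may sign certificates, carries no leaf usages
		tmpl.IsCA, tmpl.KeyUsage, tmpl.ExtKeyUsage = true, x509.KeyUsageCertSign, nil
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, pub, parent.PrivateKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// handshake runs one in-memory handshake against a server that admits only unexpired certificates issued by ca.
func handshake(ca, srv tls.Certificate, client ...tls.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	scfg := &tls.Config{Certificates: []tls.Certificate{srv}, ClientCAs: pool,
		ClientAuth: tls.RequireAndVerifyClientCert, SessionTicketsDisabled: true} // no ticket write on the unbuffered pipe
	c, s := net.Pipe()
	defer s.Close()                                // closing the server end also unblocks the client goroutine
	s.SetDeadline(time.Now().Add(2 * time.Second)) // bound an alert write the client is not reading
	go tls.Client(c, &tls.Config{RootCAs: pool, ServerName: "irc.example.test", Certificates: client}).Read(make([]byte, 1))
	return tls.Server(s, scfg).Handshake()
}

func main() {
	ca := issue("Example Client CA", 24*time.Hour, nil)
	srv := issue("irc.example.test", 24*time.Hour, &ca)
	fmt.Println(handshake(ca, srv, issue("alice", 10*time.Minute, &ca)), handshake(ca, srv))
}
```

The ten-minute lifetime passed for the client stands in for the rapidly expiring certificates a management agent would distribute; an expired or unrelated self-signed certificate fails the same handshake.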