Convos::Core::Connection will generate custom certs for tls connections #525
Conversation
There was a problem hiding this comment.
Some thoughts:
Do we need a separate CA for this purpose?
And, _openssl_detect reads openssl.cnf/%ENV and set misc certificate parameters, this could be a bit overkill in the case of Freenode. They say: "You will be prompted for various pieces of information about the certificate. The contents do not matter for our purposes, but openssl needs at least one of them to be non-empty."
Creating a self signed certificate using OpenSSL can be accomplished with an openssl oneliner:
openssl req -new -sha256 -newkey rsa:4096 -days 3650 -nodes -x509 -subj "/CN=$nick/O=Convos" -keyout self_signed_client.key -out self_signed_client.crt
If rsa is hard coded, we should default the key size to 3072 or 4096 bits. https://www.keylength.com/
Just to be sure, is this the correct flow we're going for?
- Generate a selfsigned cert for the connection
- Connect to the irc server with the client certificate
- Log in to NickServ
- Do /msg NickServ CERT ADD to pin the self signed cert
I don't know to be honest. I hope not, since I think that would make the process a lot more difficult.
Ah, I see. That makes the code a lot simpler 👍
Let's go for 4096.
I think that is the flow for #380. I haven't been able to try out #356. There's some buggy code in https://github.com/Nordaaker/convos/tree/jhthorsen/sasl-certp, but I was not able to connect with SASL. |
4446030 to
585061d
Compare
|
Cool! 👍 Sorry for not being able to contribute with code for this PR :-/ |
This PR will generate custom certificates for each connection. I'm pretty sure this is required for #356 and #380.