View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0004424 | unreal | ircd | public | 2015-10-13 19:36 | 2015-10-23 18:55 |
| Reporter | Betaman2k | Assigned To | syzop | ||
| Priority | normal | Severity | minor | Reproducibility | have not tried |
| Status | closed | Resolution | unable to duplicate | ||
| Product Version | 4.0.0-rc1 | ||||
| Fixed in Version | 4.0.0-rc1 | ||||
| Summary | 0004424: Oper by SSL Client certificates | ||||
| Description | Generating an SSL cert. Example: `openssl x509 -in name-of-pem-file.pem -sha256 -noout -fingerprint` I get this message: `E7:4D:46:F1:9F:F4:68:F5:E8:E3:49:CC:28:5D:F9:65:85:BA:4F:16:B6:49:02:E3:34:E6:E7:6A:FE:76:A7:98` Now I put this info into the config: `oper test { password "E7:4D:46:F1:9F:F4:68:F5:E8:E3:49:CC:28:5D:F9:65:85:BA:4F:16:B6:49:02:E3:34:E6:E7:6A:FE:76:A7:98" { sslclientcertfp; }; class clients; };` Server started without problems. I try with `/oper test` or `/oper test xyz`, I get no IRC Operator (wrong password). Now I used the fingerprint that Unreal said (login with your irc client). Example: `cab82cca71e6a8759a5b0ad044e7719c7000cc84d9245745914f3d8bace7af22` I put the fingerprint in my config: `oper test { password "cab82cca71e6a8759a5b0ad044e7719c7000cc84d9245745914f3d8bace7af22" { sslclientcertfp; }; class clients; };` I test again with `/oper test`, now I get IRC Operator. What is wrong with the fingerprint, if I used this command from your wiki: `openssl x509 -in name-of-pem-file.pem -sha256 -noout -fingerprint` | ||||
| Attached Files | blub_syz.pem (5,065 bytes) | ||||
| 3rd party modules | |||||
|
|
Whoops. Ignore previous. *re-post*

```
mirc>c:\openssl\bin\openssl x509 -in my_key.pem -sha256 -noout -fingerprint
SHA256 Fingerprint=D1:43:91:93:02:0E:C0:CE:98:D6:60:4E:3F:6B:16:F3:49:E4:85:00:10:FB:53:EE:90:23:4F:0D:60:51:B1:2A
```

```
[19:28:35] -maintest.test.net- *** Your SSL fingerprint is d1439193020ec0ce98d6604e3f6b16f349e4850010fb53ee90234f0d6051b12a
```

```
vhost {
    vhost i.am.teh.secure;
    mask *;
    login ssl;
    password "D1:43:91:93:02:0E:C0:CE:98:D6:60:4E:3F:6B:16:F3:49:E4:85:00:10:FB:53:EE:90:23:4F:0D:60:51:B1:2A" { sslclientcertfp; };
};
```

Then using '/vhost ssl' works fine here.

So.... What .pem file are you running the openssl command on? Are you sure it's the right file? I tried mixing private key / certificate files, but then it normally refuses so it's hard to make a mistake... unless in your client you're actually using a different SSL certificate/key.... I think that's the problem.
|
|
Hi, perhaps wrong cmd line for generating the cert + private key?

```
openssl req -nodes -newkey rsa:4096 -keyout blub.pem -x509 -days 3650 -out blub.pem -subj "/CN=underground"
```
|
|
```
openssl req -nodes -newkey rsa:4096 -keyout blub.pem -x509 -days 3650 -out blub.pem -subj "/CN=underground"
Loading 'screen' into random state - done
Generating a 4096 bit RSA private key
......++
...............++
writing new private key to 'blub.pem'
-----
openssl x509 -in blub.pem -sha256 -noout -fingerprint
SHA256 Fingerprint=10:E8:10:63:EE:A8:99:9E:3A:BE:F5:1B:1E:C7:89:81:76:4C:76:2D:F9:E6:87:31:48:27:FE:BB:A0:DC:C9:ED
-----
```

Then using mIRC to pick 'blub.pem', and connect to a server:

```
-maintest.test.net- *** Your SSL fingerprint is 10e81063eea8999e3abef51b1ec78981764c762df9e687314827febba0dcc9ed
```

So that's good.

What client are you using? Could you double check it's indeed using the pem file you are running these commands on? Do the fingerprints still differ if you restart the client (not server)?
|
|
Hi, I used mIRC. Hmmm, you put your fingerprint in the unreal config oper and tested?

```
openssl x509 -in blub.pem -sha256 -noout -fingerprint
SHA256 Fingerprint=10:E8:10:63:EE:A8:99:9E:3A:BE:F5:1B:1E:C7:89:81:76:4C:76:2D:F9:E6:87:31:48:27:FE:BB:A0:DC:C9:ED
```

```
oper test {
    password "10:E8:10:63:EE:A8:99:9E:3A:BE:F5:1B:1E:C7:89:81:76:4C:76:2D:F9:E6:87:31:48:27:FE:BB:A0:DC:C9:ED" { sslclientcertfp; };
    class clients;
};
```

Does /oper test work for you? Yeah, I get a fingerprint too from unreal irc, but /oper test doesn't work for me.

cya
|
|
Yes I can oper or vhost fine with it when I use

```
password "10:E8:10:63:EE:A8:99:9E:3A:BE:F5:1B:1E:C7:89:81:76:4C:76:2D:F9:E6:87:31:48:27:FE:BB:A0:DC:C9:ED" { sslclientcertfp; };
```
|
|
My key attached, feel free to test with it ;) |
|
|
Hi, yeah, I tested with your file, I get no oper, I only get a message: wrong password :( I put the fingerprint in my unreal config and stopped my irc server and started it anew, perhaps wrong only rehash? cya |
|
|
Hi, OK, I tested with a normal password, works perfectly (You are now an IRC Operator). I changed the unreal config with the fingerprint etc. I only rehashed my irc server, now it works perfectly with /oper test (You are now an IRC Operator). Now I stop the irc server and start it anew, now I try to get oper with /oper test, I only get a message: wrong password. Can you confirm? |
|
|
Hi, I tested again but now with this cmd:

```
openssl req -nodes -newkey rsa:4096 -keyout blubber.pem -x509 -sha256 -days 3650 -out blubber.pem -subj "/CN=real doman name to irc ip"
```

I tested again, now it works perfectly. I think that was the mistake, can you confirm?
|
|
That command has nothing to do with it (the CN name). But you can no longer reproduce the issue, right? Yeah probably a mistake you did earlier somewhere. No problem. Keep on testing :) |
|
|
Oh I missed reading 2 messages from you. Perhaps there's something wrong with your oper block? You can copy-paste it here, the one you used with my test certificate. Also, are you really using "/oper test" and not "/oper Test" (name is case sensitive!) I've been using SSL fingerprints a lot, and it doesn't matter if I rehash or restart etc.. they are always correct and always working :) |
|
|
Hi, hmmm, I tested again xD with a random CN name, doesn't work. /oper test works only with the real CN name (domain to irc ip). cya |
|
|
that's not possible, sorry, it must be something else. |
|
|
Hi

```
oper test {
    class clients;
    /* Required items: */
    mask *@*;
    password "8C:C3:2D:80:D4:F1:14:7E:58:F0:46:A7:49:43:5F:56:D7:F2:A5:25:2A:D4:62:F9:41:E8:E2:2C:1F:91:7E:73" { sslclientcertfp; };
    /* password "xxxxxxx"; */
    operclass netadmin;
    /* swhois "is a Network Administrator"; */
    vhost xyz.xxx;
    snomask cFfkoSsqNG;
};
```

That works with the real CN name: /oper test

```
openssl req -nodes -newkey rsa:4096 -keyout blubber.pem -x509 -sha256 -days 3650 -out blubber.pem -subj "/CN=real doman name to irc ip"
```

**************************

```
oper test {
    class clients;
    /* Required items: */
    mask *@*;
    password "10:E8:10:63:EE:A8:99:9E:3A:BE:F5:1B:1E:C7:89:81:76:4C:76:2D:F9:E6:87:31:48:27:FE:BB:A0:DC:C9:ED" { sslclientcertfp; };
    /* password "xxxxxxx"; */
    operclass netadmin;
    /* swhois "is a Network Administrator"; */
    vhost xyz.xxx;
    snomask cFfkoSsqNG;
};
```

Doesn't work with a random CN name: /oper test (wrong password)

```
openssl req -nodes -newkey rsa:4096 -keyout blubber.pem -x509 -sha256 -days 3650 -out blubber.pem -subj "/CN=woman"
```

cya
|
|
If anyone else can reproduce something like this I'll be sure to dig this up. Until then I'm closing it :p |
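
The check the replies above do by hand (openssl's colon-separated output against the server's `Your SSL fingerprint is` notice and the `sslclientcertfp` value in the config), as an added Python example that is not part of the thread or of UnrealIRCd's code. It assumes the fingerprint is SHA-256 over the certificate's DER bytes, which is what `openssl x509 -sha256 -fingerprint` prints; the function names and the sample PEM and config are constructed for illustration.

```python
import base64
import hashlib
import re

CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
# Matches the password "..." { sslclientcertfp; } form used in the thread.
FP_AUTH_RE = re.compile(r'password\s+"([^"]+)"\s*\{\s*sslclientcertfp\s*;\s*\}')

def normalize(fp):
    """Reduce 'SHA256 Fingerprint=AA:BB:..', 'AA:BB:..' or 'aabb..' to bare lowercase hex."""
    fp = fp.split("=", 1)[-1].replace(":", "").strip().lower()
    if not re.fullmatch(r"[0-9a-f]{64}", fp):
        raise ValueError("not a SHA-256 fingerprint: %r" % fp)
    return fp

def cert_fingerprint(pem_text):
    """SHA-256 over the DER bytes of the first CERTIFICATE block."""
    # A combined file (-keyout and -out on the same .pem) also holds a
    # PRIVATE KEY block; only the certificate is hashed.
    m = CERT_RE.search(pem_text)
    if m is None:
        raise ValueError("no CERTIFICATE block in file")
    der = base64.b64decode("".join(m.group(1).split()))
    return hashlib.sha256(der).hexdigest()

def openssl_style(hex_fp):
    """Render bare hex the way `openssl x509 -fingerprint` prints it."""
    return ":".join(hex_fp[i:i + 2] for i in range(0, len(hex_fp), 2)).upper()

def cert_matches_config(pem_text, conf_text):
    """True if the certificate's fingerprint appears in any sslclientcertfp entry."""
    wanted = {normalize(v) for v in FP_AUTH_RE.findall(conf_text)}
    return cert_fingerprint(pem_text) in wanted

def _pem(label, data):
    """Wrap bytes in PEM armor (used only to build the constructed sample)."""
    body = base64.encodebytes(data).decode()
    return "-----BEGIN %s-----\n%s-----END %s-----\n" % (label, body, label)

# Constructed sample input: placeholder bytes, not a real key or certificate.
SAMPLE_PEM = _pem("PRIVATE KEY", b"placeholder key") + _pem("CERTIFICATE", b"placeholder cert")
SAMPLE_CONF = 'oper test { password "%s" { sslclientcertfp; }; class clients; };' % (
    openssl_style(cert_fingerprint(SAMPLE_PEM)))

if __name__ == "__main__":
    print(cert_fingerprint(SAMPLE_PEM), cert_matches_config(SAMPLE_PEM, SAMPLE_CONF))
```

Run against the .pem the client is actually configured to present, a `False` result means the config holds the fingerprint of a different certificate.
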
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2015-10-13 19:36 | Betaman2k | New Issue | |
| 2015-10-16 19:30 | syzop | Status | new => feedback |
| 2015-10-16 19:32 | syzop | Note Added: 0018748 | |
| 2015-10-16 20:28 | Betaman2k | Note Added: 0018749 | |
| 2015-10-17 11:19 | syzop | Note Added: 0018751 | |
| 2015-10-17 11:28 | Betaman2k | Note Added: 0018752 | |
| 2015-10-17 11:30 | Betaman2k | Note Edited: 0018752 | |
| 2015-10-17 11:48 | syzop | Note Added: 0018754 | |
| 2015-10-17 11:49 | syzop | File Added: blub_syz.pem | |
| 2015-10-17 11:50 | syzop | Note Added: 0018755 | |
| 2015-10-17 12:09 | Betaman2k | Note Added: 0018758 | |
| 2015-10-17 13:26 | Betaman2k | Note Added: 0018759 | |
| 2015-10-17 13:28 | Betaman2k | Note Edited: 0018759 | |
| 2015-10-17 13:29 | Betaman2k | Note Edited: 0018759 | |
| 2015-10-17 13:29 | Betaman2k | Note Edited: 0018759 | |
| 2015-10-17 13:57 | Betaman2k | Note Added: 0018760 | |
| 2015-10-17 13:58 | Betaman2k | Note Edited: 0018760 | |
| 2015-10-17 14:36 | syzop | Note Added: 0018761 | |
| 2015-10-17 14:48 | syzop | Note Added: 0018765 | |
| 2015-10-17 14:51 | Betaman2k | Note Added: 0018766 | |
| 2015-10-17 14:52 | syzop | Note Added: 0018767 | |
| 2015-10-17 15:26 | Betaman2k | Note Added: 0018768 | |
| 2015-10-23 18:55 | syzop | Note Added: 0018779 | |
| 2015-10-23 18:55 | syzop | Status | feedback => closed |
| 2015-10-23 18:55 | syzop | Assigned To | => syzop |
| 2015-10-23 18:55 | syzop | Resolution | open => unable to duplicate |
| 2015-10-23 18:55 | syzop | Fixed in Version | => 4.0.0-rc1 |