View Issue Details
Field | Value
---|---
ID | 0006278
Project | unreal
Category | ircd
View Status | public
Date Submitted | 2023-06-05 09:03
Last Update | 2025-07-13 09:51
Reporter | syzop
Assigned To | syzop
Priority | normal
Severity | feature
Reproducibility | N/A
Status | resolved
Resolution | fixed
Product Version | 6.1.1-rc1
Fixed in Version | 6.2.0-beta1
Summary | 0006278: Complain if server certificate is not from trusted CA
Description | Right now the build process creates a self-signed certificate. That is fine for server linking and for testing purposes, but we should push admins more actively to Let's Encrypt for servers that actually hold clients. We have been doing that in documentation but not from the software side yet. Since you can have multiple certificates loaded, I want to have a "is ANY certificate issued by a trusted CA?" function. And if that returns 0, then we should raise some warning. I am thinking of raising a warning on-boot only for now, and not on rehash, to not make it too annoying. Also, ideally this would not affect hubs, and there would be some possibility to turn off this warning... but only after the user has given it some thought. I think this is too late for 6.1.1, so will be for 6.1.2 the soonest.
Tags | No tags attached.
3rd party modules |
Relationships | related to 0006500 (new): Improve set::best-practices adding only-tls-port directive.
Two years later this is now finally done in https://github.com/unrealircd/unrealircd/commit/29ce0ce29ad7adf246650510490d8ed3290d3b48 and https://github.com/unrealircd/unrealircd/commit/369f55063a3e083caadc387cec59f32f6d7eff4e

That's commit 29ce0ce29ad7adf246650510490d8ed3290d3b48
Author: Bram Matthys <[email protected]>
Date: Sun Jul 13 09:25:39 2025 +0200

Best Practices: If zero SSL/TLS certs are issued by a trusted CA, complain and suggest to use Let's Encrypt. This can be turned off via set::best-practices::trusted-cert, see https://www.unrealircd.org/docs/Set_block#set::best-practices

Oh yeah, and this only works at OpenSSL 1.1.0 and higher, I didn't bother with people running ancient versions.

And commit 369f55063a3e083caadc387cec59f32f6d7eff4e (HEAD -> unreal60_dev, origin/unreal60_dev, origin/HEAD)
Author: Bram Matthys <[email protected]>
Date: Sun Jul 13 09:44:33 2025 +0200

For bestpractices::trusted-cert add some crude heuristics so hubs and such are not (always) affected by this. We now check if there is any client port exposed (to non-localhost). So if you have a hub with no client ports or only at localhost then you won't get this bestpractices advice.

And also fix compile error on OpenSSL < 1.1.0 (undeclared var, duh)
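The "is ANY certificate issued by a trusted CA?" check from the description, as an added example in Go using the standard-library x509 verifier; UnrealIRCd itself does this in C against OpenSSL 1.1.0+, so this is not the project's code. The CA name, hostname and all certificates are constructed inside the block: one server certificate issued by a constructed CA, and one self-signed certificate like the build-time default.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// AnyTrustedCert reports whether at least one loaded certificate chains to a
// CA in roots. Any verification error (unknown issuer, expired) counts as "not trusted".
func AnyTrustedCert(certs []*x509.Certificate, roots *x509.CertPool) bool {
	for _, c := range certs {
		if _, err := c.Verify(x509.VerifyOptions{Roots: roots}); err == nil {
			return true
		}
	}
	return false
}

// NewCert builds constructed test data: a CA (isCA) or a server certificate;
// parent == nil makes it self-signed, like the certificate the build process creates.
func NewCert(cn string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(now.UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil { // self-signed: the certificate is its own issuer
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

func main() {
	ca, caKey := NewCert("Example Root CA", true, nil, nil) // constructed trust anchor
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	issued, _ := NewCert("irc.example.test", false, ca, caKey) // CA-issued (Let's Encrypt style)
	self, _ := NewCert("irc.example.test", false, nil, nil)     // build-time style self-signed
	fmt.Println("self-signed only:", AnyTrustedCert([]*x509.Certificate{self}, roots))       // false
	fmt.Println("with CA-issued:", AnyTrustedCert([]*x509.Certificate{self, issued}, roots)) // true
}
```

With a real server the loaded certificates would be parsed from the configured PEM files and roots would come from the system trust store; the warning fires only when the function returns false.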
Date Modified | Username | Field | Change |
---|---|---|---|
2023-06-05 09:03 | syzop | New Issue | |
2023-06-05 09:03 | syzop | Summary | Complain if server certificate is not from official CA => Complain if server certificate is not from trusted CA |
2025-07-13 09:22 | syzop | View Status | private => public |
2025-07-13 09:50 | syzop | Assigned To | => syzop |
2025-07-13 09:50 | syzop | Status | new => resolved |
2025-07-13 09:50 | syzop | Resolution | open => fixed |
2025-07-13 09:50 | syzop | Fixed in Version | => 6.2.0-beta1 |
2025-07-13 09:50 | syzop | Note Added: 0023453 | |
2025-07-13 09:50 | syzop | Note Edited: 0023453 | |
2025-07-13 09:50 | syzop | Note Edited: 0023453 | |
2025-07-13 09:50 | syzop | Note Edited: 0023453 | |
2025-07-13 09:51 | syzop | Note Edited: 0023453 | |
2025-07-13 09:51 | syzop | Relationship added | related to 0006500 |