irc: allow specifying SSL CA per server #1262
Review comment on these lines:

```c
                            hook_connect->callback_data,
                            *HOOK_CONNECT(hook_connect, gnutls_sess),
                            NULL, 0, NULL, 0, NULL,
                            WEECHAT_HOOK_CONNECT_GNUTLS_CB_INIT_XCRED);
```
Maybe this isn't the best to call the GnuTLS callbacks function when simply initializing the trust list because strictly it isn't a callback for a GnuTLS function. `INIT_XCRED` could also be added as a case under the usual `hook_connect` callback if that's more appropriate, although to me it seems more related to using GnuTLS specifically and most connections will not need to touch that part.

Of the GnuTLS functions used for this implementation the highest version requirement is >=3.3.0 for `gnutls_credentials_get`.
Closes #438.

This PR is an improvement of PR #613 (credit to @ManiacTwister), which started in the right direction but has some still unresolved issues:

- `hook_connect` still have no way to manipulate the trust list for their connection only.

This PR tries to solve these problems and hopefully finally bring per-server SSL CAs to weechat. Every `hook_connect` user can choose to manipulate the trust list however they see fit: clear it (or not), add CAs from file (or elsewhere).

Turns out GnuTLS >=3.3.0 is required to manipulate the trust list like this. This is a significantly higher requirement than otherwise is needed but it only affects the added `ssl_ca_file` option use and should be fine in most cases (even the old Ubuntu 16.04 has GnuTLS 3.4).

Happy Hacktoberfest!