irkerd: Initial SSL/TLS implementation

This is pretty basic, just using as much of Python's ssl module as the
host Python implementation supports. I also added error-level logging
of IRCServerConnectionError instances, to get helpful messages like:

  Invalid SSL/TLS certificate:
  hostname 'localhost' doesn't match 'irc.example.net'

and:

  Couldn't connect to socket: _ssl.c:334: No root certificates
  specified for verification of other-side certificates.

Important milestones in the standard library's ssl module:

* Python 2.5 [1,2]: No ssl module at all
* Python 2.6 [1,2]: ssl module added
* Python 3.2 [3,4]: ssl.SSLContext class added, with
  SSLContext.set_default_verify_paths [4]. ssl.match_hostname is also
  added [5], which can be used with the existing getpeercert [6] to
  ensure the server certificate belongs to the target host.

So for full verification, we need Python 3.2. We can scrape by with
2.6 and later, by manually supplying a ca_certs path and ignoring
hostname mismatches. That's more susceptible to man-in-the-middle
attacks, but still better than sending server, nick, and channel
passwords in plaintext.

[1]: http://docs.python.org/2/library/ssl.html
[2]: http://docs.python.org/2/whatsnew/2.6.html#improved-ssl-support
[3]: http://docs.python.org/3/whatsnew/3.2.html#ssl
[4]: http://docs.python.org/3/library/ssl.html#ssl.SSLContext.set_default_verify_paths
[5]: http://docs.python.org/3/library/ssl.html#ssl.match_hostname
[6]: http://docs.python.org/2/library/ssl.html#ssl.SSLSocket.getpeercert
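
The hostname check that the 2.6 fallback skips, as an added example (not irkerd's code and not the standard library's implementation). It is a simplified matcher over the dict format returned by getpeercert; the names CertificateMismatch, dns_name_matches, cert_names, check_hostname and SAMPLE_CERT are hypothetical, and the sample certificate dict is constructed.

```python
class CertificateMismatch(ValueError):
    """Peer certificate does not cover the requested hostname."""


def dns_name_matches(pattern, hostname):
    """Case-insensitive match; a whole left-most '*' label matches one label."""
    p = pattern.lower().rstrip('.').split('.')
    h = hostname.lower().rstrip('.').split('.')
    if len(p) != len(h):
        return False
    if p[0] == '*' and len(p) > 2:  # refuse '*.com'-style wildcards
        return bool(h[0]) and p[1:] == h[1:]
    return p == h


def cert_names(cert):
    """subjectAltName DNS entries, or commonName only when there are none."""
    dns = [v for k, v in cert.get('subjectAltName', ()) if k == 'DNS']
    if dns:
        return dns
    return [v for rdn in cert.get('subject', ()) for k, v in rdn
            if k == 'commonName']


def check_hostname(cert, hostname):
    """Raise CertificateMismatch unless cert covers hostname."""
    if not cert:
        # getpeercert() returns an empty dict when the certificate was
        # not validated, so there is nothing trustworthy to compare.
        raise CertificateMismatch('no validated peer certificate')
    names = cert_names(cert)
    if not any(dns_name_matches(n, hostname) for n in names):
        raise CertificateMismatch(
            "hostname %r doesn't match %s"
            % (hostname, ', '.join(repr(n) for n in names) or 'any name'))


# Constructed sample in getpeercert() dict format (not a real certificate).
SAMPLE_CERT = {
    'subject': ((('commonName', 'irc.example.net'),),),
    'subjectAltName': (('DNS', 'irc.example.net'),
                       ('DNS', '*.chat.example.net')),
}
```

A certificate that chains to a trusted CA but fails this check was issued for some other host, which is the case the ca_certs-only fallback cannot detect.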