From: SourceForge.net <no...@so...> - 2009-09-10 02:33:14
Feature Requests item #2855716, was opened at 2009-09-09 19:33
Message generated for change (Tracker Item Submitted) made by efreakbnc
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=672824&aid=2855716&group_id=115828

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: Engine
Group: None
Status: Open
Priority: 5
Private: No
Submitted By: Efreak (efreakbnc)
Assigned to: Nobody/Anonymous (nobody)
Summary: starttls, anyone?

Initial Comment:
I love the single port for webadmin/irc connections. Would it be possible to implement starttls for ZNC so we can use the same port for plaintext and ssl connections? Maybe what I'm thinking of is protoctl. I'm not quite clear on the difference between the two. Regardless, it would be nice not to have to specify a port.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=672824&aid=2855716&group_id=115828
From: SourceForge.net <no...@so...> - 2011-02-15 16:03:11
Feature Requests item #2855716, was opened at 2009-09-10 04:33
Message generated for change (Comment added) made by psychon

Category: Engine
Group: None
>Status: Closed
Priority: 4
Private: No
Submitted By: Efreak (efreakbnc)
Assigned to: Nobody/Anonymous (nobody)
Summary: starttls, anyone?

----------------------------------------------------------------------

>Comment By: Psychon (psychon)
Date: 2011-02-15 17:03

Message:
Not going to happen, sorry. STARTTLS by itself is insecure because an attacker could just pretend that the other side doesn't know STARTTLS and so he gets the plain text traffic. This means when STARTTLS is enabled, the client has to reject talking plain text. At this point, you get nothing from STARTTLS which plain old SSL (or rather TLS) doesn't get you as well.

----------------------------------------------------------------------

Comment By: Psychon (psychon)
Date: 2010-02-27 08:49

Message:
FYI, it might be possible to do "proper" SSL (without STARTTLS) and plain text on the same port. But don't expect too much too soon. ;)

----------------------------------------------------------------------

Comment By: Efreak (efreakbnc)
Date: 2009-09-16 05:46

Message:
Oh well :( Thanks for explaining it, at least.
----------------------------------------------------------------------

Comment By: Psychon (psychon)
Date: 2009-09-10 08:03

Message:
Hi,

First some basics:

"classic" SSL like ZNC uses it: Some client connects and you immediately start with an SSL handshake. There is no way (afaik) to do port sharing between encrypted and unencrypted ports here.

STARTTLS like it is most famous from IMAP: You start with an unencrypted connection and (with IMAP) the server tells you that it supports the STARTTLS command (an attacker could remove this "I support this" message - it's not protected by ssl after all!). You then send the STARTTLS command and an ssl handshake starts afterwards. Since the connection starts unencrypted and STARTTLS is then negotiated, you can use this port both encrypted and unencrypted.

I'm not sure if there is a STARTTLS extension for HTTP (I don't think so), but for IRC there is this (which requires CAP, another protocol extension that ZNC doesn't support): http://wiki.inspircd.org/STARTTLS_Documentation

With this protocol extension we could do webadmin, irc and irc+ssl on the same port, *if* the client supports STARTTLS (afaik only one client does), but I bet this would confuse people even more since they'd wonder why we can't do some starttls-like thingie for HTTP.

And PROTOCTL is something different again. ;) It's an IRC protocol extension, too, but it's only used after the authentication phase while CAP is used before.

So I don't think this will happen any time soon, sorry. :(

----------------------------------------------------------------------
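The two points Psychon makes in the thread above, as an added worked example that is not ZNC's code and not part of the original tracker thread: first, how one listening port can serve "classic" TLS and plaintext without STARTTLS at all, by peeking at the first bytes a client sends (the idea in the 2010 comment); second, why a STARTTLS capability advertised in plaintext can be stripped by an active attacker, so a client that wants protection has to refuse plaintext outright (the 2011 comment). The server name irc.example.net, the CAP LS lines, the recognised HTTP method list and the sample byte strings are all constructed for the illustration.

```python
"""Added illustration for the ZNC STARTTLS thread; not the project's code.

1. classify_first_bytes(): share one port between "classic" TLS and
   plaintext by peeking at the first bytes.  A TLS ClientHello is a record
   of content type 0x16 (handshake) whose version major byte is 0x03; an
   HTTP request starts with a method token; anything else is treated as
   plaintext IRC.  Method list and version bytes are assumptions for a demo.

2. negotiate_starttls(): the `tls` capability in a CAP LS reply travels in
   plaintext, so an active attacker can remove it.  A client that tolerates
   a missing advertisement ends up talking plaintext; a client that requires
   TLS refuses instead.  Server name and CAP lines are constructed.
"""
from __future__ import annotations

TLS_CONTENT_TYPE_HANDSHAKE = 0x16
TLS_VERSION_MAJOR = 0x03
# Assumed set of method tokens to recognise; enough for the demonstration.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def classify_first_bytes(data: bytes) -> str:
    """Return "tls", "http" or "irc" for the first bytes seen on a socket.

    A real acceptor should read with MSG_PEEK so the handler it dispatches to
    still sees the whole stream, and should wait for at least three bytes.
    """
    if (
        len(data) >= 3
        and data[0] == TLS_CONTENT_TYPE_HANDSHAKE
        and data[1] == TLS_VERSION_MAJOR
        and data[2] in (0x00, 0x01, 0x02, 0x03)  # SSL 3.0 .. TLS 1.2 record versions
    ):
        return "tls"
    if data.startswith(HTTP_METHODS):
        return "http"
    return "irc"


class DowngradeError(Exception):
    """Raised when a TLS-requiring client sees no `tls` capability."""


def server_cap_ls(supports_tls: bool) -> str:
    """Constructed CAP LS reply from a server that may or may not offer tls."""
    caps = ["multi-prefix"] + (["tls"] if supports_tls else [])
    return ":irc.example.net CAP * LS :" + " ".join(caps)


def parse_cap_ls(line: str) -> set[str]:
    """Extract capability names from a single-line `CAP * LS :...` reply."""
    _, _, caps = line.partition(" LS :")
    return set(caps.split())


def stripping_attacker(line: str) -> str:
    """Active man-in-the-middle: drop the plaintext `tls` advertisement."""
    caps = parse_cap_ls(line) - {"tls"}
    return ":irc.example.net CAP * LS :" + " ".join(sorted(caps))


def negotiate_starttls(cap_ls_line: str, require_tls: bool) -> str:
    """Client-side decision after reading CAP LS.

    Returns "tls" when the client will send STARTTLS and wait for the
    server's go-ahead before handshaking, "plaintext" when it falls back,
    or raises DowngradeError when TLS is required but was not offered.
    """
    if "tls" in parse_cap_ls(cap_ls_line):
        return "tls"
    if require_tls:
        raise DowngradeError("no tls capability offered; refusing plaintext")
    return "plaintext"


def starttls_outcome(cap_ls_line: str, require_tls: bool) -> str:
    """negotiate_starttls() with the refusal reported as a value."""
    try:
        return negotiate_starttls(cap_ls_line, require_tls)
    except DowngradeError:
        return "refused"


if __name__ == "__main__":
    # Constructed first-byte samples: a TLS 1.0 ClientHello record header,
    # an HTTP request line and a plaintext IRC NICK command.
    samples = (bytes([0x16, 0x03, 0x01, 0x00, 0xF4]), b"GET / HTTP/1.1\r\n", b"NICK efreak\r\n")
    for sample in samples:
        print(sample[:8], "->", classify_first_bytes(sample))
    honest = server_cap_ls(True)
    stripped = stripping_attacker(honest)
    for line, require in ((honest, False), (stripped, False), (stripped, True)):
        print(line, "require_tls=%s" % require, "->", starttls_outcome(line, require))
```

The last loop is the whole argument of the thread in three lines of output: with the advertisement intact the client upgrades, with it stripped a lenient client quietly stays in plaintext, and only a client that would have refused plaintext anyway is protected, at which point a dedicated TLS port gives it the same guarantee with less machinery.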