#60 starttls, anyone?

closed
nobody
Engine (16)
4
2011-02-15
2009-09-10
Efreak
No

I love the single port for webadmin/irc connections.
Would it be possible to implement starttls for ZNC so we can use the same port for plaintext and ssl connections?

Maybe what I'm thinking of is protoctl. I'm not quite clear on the difference between the two. Regardless, it would be nice not to have to specify a port.

Discussion

  • Psychon

    Psychon - 2009-09-10

    Hi,

    First some basics:
    "classic" SSL like ZNC uses it:
    Some client connects and you immediately start with an SSL handshake. There is no way (afaik) to do port sharing between encrypted and unencrypted ports here.

    STARTTLS like it is most famous from IMAP:
    You start with an unencrypted connections and (with IMAP) the server tells you that it supports the STARTTLS command (an attacker could remove this "I support this" message - it's not protected by ssl after all!). You then send the STARTTLS command and an ssl handshake starts afterwards. Since the connection starts unencrypted and STARTTLS is then negotiated, you can use this port both encrypted and unencrypted.

    I'm not sure if there is a STARTTLS extension for HTTP (I don't think so), but for IRC there is this (which requires CAP, another protocol extension that ZNC doesn't support):
    http://wiki.inspircd.org/STARTTLS_Documentation

    With this protocol extension we could do webadmin, irc and irc+ssl on the same port, *if* the client supports STARTTLS (afaik only one client does), but I bet this would confuse people even more since they'd wonder why we can't do some starttls-like thingie for HTTP.

    and PROTOCTL is something different again. ;) It's an IRC protocol extension, too, but it's only used after the authentication phase while CAP is used before.

    So I don't think this will happen any time soon, sorry. :(

     
  • Psychon

    Psychon - 2009-09-10
    • priority: 5 --> 4
     
  • Efreak

    Efreak - 2009-09-16

    Oh well :(
    Thanks for explaining it, at least.

     
  • Psychon

    Psychon - 2010-02-27

    FYI, it might be possible to do "proper" SSL (without STARTTLS) and plain text on the same port.
    But don't expect too much too soon. ;)

     
  • Psychon

    Psychon - 2011-02-15
    • status: open --> closed
     
  • Psychon

    Psychon - 2011-02-15

    Not going to happen, sorry. STARTTLS by itself is insecure because an attacker could just pretend that the other side doesn't know STARTTLS and so he gets the plain text traffic. This means when STARTTLS is enabled, the client has to reject talking plain text. At this point, you get nothing from STARTTLS which plain old SSL (or rather TLS) doesn't get you, too.

     

Log in to post a comment.