Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Warn user of expired cert #1411

Open
wants to merge 13 commits into
base: develop
Choose a base branch
from
Open

Conversation

michaelortmann
Copy link
Member

@michaelortmann michaelortmann commented Feb 13, 2023

Found by: michaelortmann
Patch by: michaelortmann
Fixes:

One-line summary:
Warn user of expired cert

Additional description (if needed):
This is about the cert loaded from config variable ssl-certificate
The check is done when

  • the cert is loaded in ssl_init()
  • daily
  • when a +n owner logs in

Test cases demonstrating functionality (if applicable):

$ ./eggdrop -t BotA.conf 
[...]
WARNING: certificate expired: BotA.crt

### ENTERING DCC CHAT SIMULATION ###
[...]

Copy link
Member

@thommey thommey left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a great idea, and maybe we would want to run this daily and check if it's about to expire soon (within the next 14 days or so) and generate a daily warning for that. But that'd be a different PR, this one is fine with the tiny changes.

src/proto.h Outdated Show resolved Hide resolved
src/tls.c Outdated Show resolved Hide resolved
@vanosg
Copy link
Member

vanosg commented Oct 1, 2023

More "good ideas" to add... maybe make this warning when a +n logs in to the partyline? Would be good for more casual users who aren't on the partyline 24/7 and don't check logs

@michaelortmann
Copy link
Member Author

More "good ideas" to add... maybe make this warning when a +n logs in to the partyline? Would be good for more casual users who aren't on the partyline 24/7 and don't check logs

done :)

@michaelortmann michaelortmann requested a review from thommey January 5, 2024 22:30
@vanosg
Copy link
Member

vanosg commented Jul 9, 2024

With more context for aesthetic review:

Startup:

Loading autoscripts.tcl
Writing channel file...
Userfile loaded, unpacking...
=== testbot: 1 channels, 28 users.

WARNING: SSL/TLS certificate expired.crt expired
You can generate new certificates by running 'make sslcert' from the source directory

Launched into the background  (pid: 1376595)

Partyline:

Commands start with '.' (like '.quit' or '.help')
Everything else goes out to the party line.

WARNING: SSL/TLS certificate expired.crt expired
You can generate new certificates by running 'make sslcert' from the source directory

You have no messages.
*** Geo joined the party line.

@vanosg vanosg added this to the v1.10.0 milestone Jul 9, 2024
@michaelortmann
Copy link
Member Author

Also enhanced openssl autoconf in aclocal.m4, so please run misc/runautotools:

Before:

$ LD_LIBRARY_PATH=/home/michael/opt/openssl-0.9.7m/lib ./configure --with-sslinc=/home/michael/opt/openssl-0.9.7m/include --with-ssllib=/home/michael/opt/openssl-0.9.7m/lib
[...]
checking whether to enable TLS support... yes
checking for openssl/ssl.h... yes
checking for openssl/x509v3.h... yes
checking for X509_digest in -lcrypto... yes
checking for SSL_accept in -lssl... yes
checking for EVP_md5... yes
checking for OPENSSL_buf2hexstr... no
checking for hex_to_string... yes
checking for OPENSSL_hexstr2buf... no
checking for string_to_hex... yes
checking for OpenSSL... yes
checking for ASN1_STRING_get0_data... no
checking for EVP_PKEY_get1_EC_KEY... no
checking for openssl/md5.h... yes
checking for MD5_Init... yes
checking for MD5_Update... yes
checking for MD5_Final... yes
configure: creating ./config.status
config.status: creating Makefile
config.status: creating doc/Makefile
config.status: creating scripts/Makefile
config.status: creating src/Makefile
config.status: creating src/compat/Makefile
config.status: creating src/md5/Makefile
config.status: creating src/mod/Makefile
config.status: creating config.h
config.status: executing eggint.h commands
config.status: creating eggint.h : __EGGINT_H
config.status: executing replace-if-changed commands
creating lush.h
config.status: executing catch-make-rebuild commands

Operating System: Linux 6.9.8-arch1-1
IPv6 Support: yes
Tcl version: 8.6.14 (threaded)
SSL/TLS Support: yes (OpenSSL 0.9.7m 23 Feb 2007)
Threaded DNS core: yes

If you experience any problems compiling Eggdrop, please read the
compile guide, found in doc/COMPILE-GUIDE.

Type 'make config' to configure the modules, or type 'make iconfig'
to interactively choose which modules to compile.

After:

$ LD_LIBRARY_PATH=/home/michael/opt/openssl-0.9.7m/lib ./configure --with-sslinc=/home/michael/opt/openssl-0.9.7m/include --with-ssllib=/home/michael/opt/openssl-0.9.7m/lib
[...]
checking whether to enable TLS support... yes
checking for openssl/ssl.h... yes
checking for openssl/x509v3.h... yes
checking for X509_digest in -lcrypto... yes
checking for SSL_accept in -lssl... yes
checking for EVP_sha1... yes
checking for a2i_IPADDRESS... no
checking for EVP_md5... yes
checking for OPENSSL_buf2hexstr... no
checking for hex_to_string... yes
checking for OPENSSL_hexstr2buf... no
checking for string_to_hex... yes
configure: WARNING: Cannot find OpenSSL library 0.9.8 or newer.
configure: WARNING: Please specify the path to libssl and libcrypto using --with-ssllib=path
checking for OpenSSL... no
* We tried, but couldn't find TLS libraries. If installed, please specify their paths using the configure flags above
* While not recommended, you can continue without TLS protection by specifying the --disable-tls configure flag
configure: error: TLS Libraries not found

@michaelortmann
Copy link
Member Author

Additional test with openssl 0.9.8k was successful:

$ LD_LIBRARY_PATH=/home/michael/opt/openssl-0.9.8k/lib ./eggdrop -t BotA.conf
[...]
WARNING: SSL/TLS certificate BotA.crt expired
You can generate new certificates by running 'make sslcert' from the source directory
[...]
.status
[...]
TLS library: OpenSSL 0.9.8k 25 Mar 2009 (header version OpenSSL 0.9.8k 25 Mar 2009)

@vanosg vanosg modified the milestones: v1.10.0, v1.10.1 Oct 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants