diff --git a/NEWS b/NEWS
index e4431839..1709fbc3 100644
--- a/NEWS
+++ b/NEWS
@@ -46,6 +46,14 @@ v0.8.21-head 2016-xx-xx The Irssi team
 openssl dgst -sha256 -c | \
 tr a-z A-Z
+
+ Remove support for DANE validation of TLS certificates.
+
+ There wasn't enough support in the IRC community to push for this on the
+ majority of bigger IRC networks. If you believe this should be
+ reintroduced into irssi, then please come up with an implementation that
+ does not rely on the libval library. It is causing a lot of troubles for
+ our downstream maintainers.
+
 - IP addresses are no longer stored when resolve_reverse_lookup is used.
 - /names and $[...] now uses utf8 string operations (#40, #411).
diff --git a/configure.ac b/configure.ac
index 629dd590..32a3ebfd 100644
--- a/configure.ac
+++ b/configure.ac
@@ -135,15 +135,6 @@ AC_ARG_WITH(perl,
 fi,
 want_perl=static)
-AC_ARG_ENABLE(dane,
-[ --enable-dane Enable DANE support],
- if test x$enableval = xno ; then
- want_dane=no
- else
- want_dane=yes
- fi,
- want_dane=no)
-
 AC_ARG_ENABLE(true-color,
 [ --enable-true-color Build with true color support in terminal],
 if test x$enableval = xno ; then
@@ -537,17 +528,6 @@ COMMON_LIBS="$FE_COMMON_LIBS $COMMON_NOUI_LIBS"
 AC_SUBST(COMMON_NOUI_LIBS)
 AC_SUBST(COMMON_LIBS)
-have_dane=no
-if test "x$want_dane" = "xyes"; then
- AC_MSG_CHECKING([for DANE])
- AC_CHECK_LIB(val-threads, val_getdaneinfo,
- [
- LIBS="$LIBS -lval-threads -lsres"
- AC_DEFINE([HAVE_DANE], [], [DANE support])
- have_dane=yes
- ], [], [-lssl -lcrypto -lsres -lpthread])
-fi
-
 if test "x$want_truecolor" = "xyes"; then
 AC_DEFINE([TERM_TRUECOLOR], [], [true color support in terminal])
 else
@@ -667,7 +647,6 @@ echo "Install prefix ................... : $prefix"
 echo
 echo "Building with 64bit DCC support .. : $offt_64bit"
-echo "Building with DANE support ....... : $have_dane"
 echo "Building with true color support.. : $want_truecolor"
 echo
diff --git a/docs/signals.txt b/docs/signals.txt
index 47db3575..7776dad7 100644
--- a/docs/signals.txt
+++ b/docs/signals.txt
@@ -56,9 +56,6 @@ modules.c:
 "module error", int error, char *text, char *rootmodule, char *submodule
 network-openssl.c:
- "tlsa available", SERVER_REC
- "tlsa verification success", SERVER_REC
- "tlsa verification failed", SERVER_REC
 "tls handshake finished", SERVER_REC, TLS_REC
 nicklist.c:
diff --git a/src/core/network-openssl.c b/src/core/network-openssl.c
index 4c6b75dd..e28c8c14 100644
--- a/src/core/network-openssl.c
+++ b/src/core/network-openssl.c
@@ -32,11 +32,6 @@
 #include
 #include
-#ifdef HAVE_DANE
-#include
-#include
-#endif
-
 /* ssl i/o channel object */
 typedef struct {
@@ -207,40 +202,6 @@ static gboolean irssi_ssl_verify(SSL *ssl, SSL_CTX *ctx, const char* hostname, i
 {
 long result;
-#ifdef HAVE_DANE
- int dane_ret;
- struct val_daneparams daneparams;
- struct val_danestatus *danestatus = NULL;
-
- // Check if a TLSA record is available.
- daneparams.port = port;
- daneparams.proto = DANE_PARAM_PROTO_TCP;
-
- dane_ret = val_getdaneinfo(NULL, hostname, &daneparams, &danestatus);
-
- if (dane_ret == VAL_DANE_NOERROR) {
- signal_emit("tlsa available", 1, server);
- }
-
- if (danestatus != NULL) {
- int do_certificate_check = 1;
-
- if (val_dane_check(NULL, ssl, danestatus, &do_certificate_check) != VAL_DANE_NOERROR) {
- g_warning("DANE: TLSA record for hostname %s port %d could not be verified", hostname, port);
- signal_emit("tlsa verification failed", 1, server);
- val_free_dane(danestatus);
- return FALSE;
- }
-
- signal_emit("tlsa verification success", 1, server);
- val_free_dane(danestatus);
-
- if (do_certificate_check == 0) {
- return TRUE;
- }
- }
-#endif
-
 result = SSL_get_verify_result(ssl);
 if (result != X509_V_OK) {
 g_warning("Could not verify TLS servers certificate: %s", X509_verify_cert_error_string(result));