mirror of
https://github.com/irssi/irssi.git
synced 2024-10-27 05:20:20 -04:00
5146ce9631
This patch adds two new options to /CONNECT and /SERVER to let the user pin either an x509 certificate and/or the public key of a given server. It is possible to fetch the certificate outside of Irssi itself to verify the checksum. To fetch the certificate call: $ openssl s_client -connect chat.freenode.net:6697 < /dev/null 2>/dev/null | \ openssl x509 > freenode.cert This will download chat.freenode.net:6697's TLS certificate and put it into the file freenode.cert. -tls_pinned_cert ---------------- This option allows you to specify the SHA-256 hash of the x509 certificate. When succesfully connected to the server, irssi will verify that the given server certificate matches the pin set by the user. The SHA-256 hash of a given certificate can be verified outside of irssi using the OpenSSL command line tool: $ openssl x509 -in freenode.cert -fingerprint -sha256 -noout -tls_pinned_pubkey ------------------ This option allows you to specify the SHA-256 hash of the subject public key information section of the server certificate. This section contains both the cryptographic parameters for the public key, but also information about the algorithm used together with the public key parameters. When succesfully connected to the server, irssi will verify that the given public key matches the pin set by the user. The SHA-256 hash of a public key can be verified outside of irssi using the OpenSSL command line tool: $ openssl x509 -in freenode.cert -pubkey -noout | \ openssl pkey -pubin -outform der | \ openssl dgst -sha256 -c | \ tr a-z A-Z It is possible to specify both -tls_pinned_cert and -tls_pinned_pubkey together.
44 lines
1.6 KiB
Plaintext
44 lines
1.6 KiB
Plaintext
|
|
%9Syntax:%9
|
|
|
|
@SYNTAX:connect@
|
|
|
|
%9Parameters:%9
|
|
|
|
-4: Connects using IPv4.
|
|
-6: Connects using IPv6.
|
|
-tls: Connects using TLS encryption.
|
|
-tls_cert: The TLS client certificate file.
|
|
-tls_pkey: The TLS client private key, if not included in the certificate file.
|
|
-tls_pass: The password for the TLS client private key or certificate.
|
|
-tls_verify: Verifies the TLS certificate of the server.
|
|
-tls_cafile: The file with the list of CA certificates.
|
|
-tls_capath: The directory which contains the CA certificates.
|
|
-tls_ciphers: TLS cipher suite preference lists.
|
|
-tls_pinned_cert: Pinned x509 certificate fingerprint.
|
|
-tls_pinned_pubkey: Pinned public key fingerprint.
|
|
-noproxy: Ignores the global proxy configuration.
|
|
-network: The network this connection belongs to.
|
|
-host: The hostname you would like to connect from.
|
|
-rawlog: Immediately open rawlog after connecting.
|
|
-!: Doesn't autojoin channels.
|
|
-noautosendcmd: Doesn't execute autosendcmd.
|
|
|
|
A network or server to connect to; you can optionally specify a custom port,
|
|
password and nickname.
|
|
|
|
%9Description:%9
|
|
|
|
Opens a new connection to the specified network or server; existing
|
|
connections are kept.
|
|
|
|
%9Examples:%9
|
|
|
|
/CONNECT Freenode
|
|
/CONNECT -6 Freenode
|
|
/CONNECT -4 -! -host staff.irssi.org -network Freenode orwell.freenode.net
|
|
/CONNECT irc.irssi.org 6667 WzerT8zq mike
|
|
|
|
%9See also:%9 DISCONNECT, RMRECONNS, SERVER
|
|
|