[REQ] Module - ssl::options::fail-if-no-clientcert complementary feature

These are old archives. They are kept for historic purposes only.

HeXiLeD
Posts: 51
Joined: Mon Jan 16, 2017 8:07 pm
Location: online


Post by HeXiLeD »

I mentioned this previously here.
This is in regard to the following feature, which is greatly appreciated and useful to control bot attacks and much more.
An additional enhancement should be made to give more control to the admins when several clones are connected.
The best example of such a clone situation is the use of a Tor hidden service to run the ircd, which will cause all clients to have *@127.0.0.1.
Another example would be users doing ssh to a remote box and connecting to the localhost ircd.
Other examples include places with several machines that have only one exit gateway WAN IP address.

Using the best case described above, and in order to allow Tor users to connect while preventing almost all abuses from its usage, the use of a client certificate is excellent but still leaves some gaps, such as how to discipline that one specific abuser without causing issues for the rest of *@127.0.0.1.

For example, in the case of a bot attack which, although already severely mitigated by fail-if-no-clientcert, one could still load all the bots with the same certificate.

The proposed enhancement is to allow channel operators and admins to apply bans, kicks, shuns, glines, zlines, klines and so on, based on client fingerprint.

Such functionality will allow everyone to have the same IP, but still allow traditional (old) disciplinary actions to work based on the client's cryptographic certificate fingerprint,
and a suggestion was made:
Perhaps a new module could be made that sets the host to the SSL client certificate fingerprint.
There are several objectives to achieve with this idea, which include things like connection access and being able to differentiate users coming from the same host.
Such a feature would also be used with services and SASL for greater control.

What do you think?
Constructive criticism leads to evolution and progress. Negative criticism leads to obsolescence. We are not in the 90s IRC world anymore.
CertFP: d985d21f89fe2977b593c4d381a1a86802e62990d9328d893db76d59f9935244
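As an added illustration (not code from this post or from UnrealIRCd), here is a small Python model of the proposed idea: the client's SHA-256 certificate fingerprint replaces the IP in the displayed host, so a classic nick!user@host ban mask can hit one abuser without hitting every other *@127.0.0.1 user. The `Client` record, the `.certfp` host suffix and the certificate bytes are constructed assumptions, not the ircd's real format.

```python
import fnmatch
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass
class Client:
    nick: str
    user: str
    ip: str
    cert_der: Optional[bytes]  # DER-encoded client certificate, None when none was presented


def certfp(cert_der: bytes) -> str:
    # CertFP as shown in WHOIS: SHA-256 over the DER certificate, lower-case hex
    return hashlib.sha256(cert_der).hexdigest()


def display_host(c: Client, use_certfp_host: bool) -> str:
    # Hypothetical module behaviour: swap the IP for the fingerprint when a cert exists.
    # The ".certfp" suffix is an assumption; clients without a certificate keep their IP host.
    if use_certfp_host and c.cert_der is not None:
        return certfp(c.cert_der) + ".certfp"
    return c.ip


def matches_ban(mask: str, c: Client, use_certfp_host: bool) -> bool:
    # Classic nick!user@host glob matching, case-insensitive like an ircd would do it
    hostmask = f"{c.nick}!{c.user}@{display_host(c, use_certfp_host)}"
    return fnmatch.fnmatchcase(hostmask.lower(), mask.lower())


def affected(mask: str, clients, use_certfp_host: bool):
    # Nicks that a given ban mask would hit under the chosen host scheme
    return [c.nick for c in clients if matches_ban(mask, c, use_certfp_host)]


# Constructed sample: three users behind the Tor hidden service, all *@127.0.0.1, plus one
# without a certificate (rejected anyway where fail-if-no-clientcert is set; kept here to
# show the fallback). The "DER" bytes are placeholders, not real certificates.
CLIENTS = [
    Client("alice", "tor", "127.0.0.1", b"constructed-cert-alice"),
    Client("bob", "tor", "127.0.0.1", b"constructed-cert-bob"),
    Client("abuser", "tor", "127.0.0.1", b"constructed-cert-abuser"),
    Client("nocert", "tor", "127.0.0.1", None),
]
ABUSER_FP = certfp(b"constructed-cert-abuser")

if __name__ == "__main__":
    print(affected("*!*@127.0.0.1", CLIENTS, use_certfp_host=False))          # everyone
    print(affected(f"*!*@{ABUSER_FP}.certfp", CLIENTS, use_certfp_host=True))  # ['abuser']
```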