Page 1 of 1

[REQ] Module ? ssl::options::fail-if-no-clientcert complementary feature

Posted: Sat Sep 09, 2017 2:08 pm
by HeXiLeD
I mentioned this previously here.
In regards to the following feature which is greatly appreciated and useful to control bot attacks and much more.
An additional enhancement should be made to give more control to the admins when several clones are connected.
The best example of such clone situation is the use of tor hidden service to run the ircd, which will cause all clients to have *@
Another example would be users doing ssh to remote box and connect to to localhost ircd.
Other examples include places with several machines but that have only one exit gateway wan ip address.

Using the best case described above and in other to allow tor users to connect and prevent almost all abuses from it's usage, the use of a client certificate is excellent but still leaves some gaps such as how to discipline that one specific abuser without causing issues to the rest *@

For example in a case of a bot attack which although is already severely mitigated by the fail-if-no-clientcert, one could still load all the bots with the same certificate.

The proposed enhancement is to allow channel operators and admins to apply bans, kicks, shuns, glines, zlines, klines and so on, based on client fingerprint.

Such functionality will allow everyone to have the same ip, but still allow traditional (old) disciplinary actions to work based on the client cryptography certificate fingerprint
and a suggestion was made:
Perhaps a new module could be made that sets the host to the SSL client certificate fingerprint.
There are several objectives to achieve with this idea which include things like connection access and able to differentiate users coming from the same host.
Such feature would also be used with services and sasl for greater control.

What do you think ?