From 85ee9672fce67d95bf8310af331a576f3492b863 Mon Sep 17 00:00:00 2001
From: Matthias H
Date: Wed, 18 Sep 2013 04:00:17 +0200
Subject: allow to verify ssl connections against a CA.
This adds three new configuration variables to configure SSL verification against a CA.
server.ssl_verify: true if it should verify and disconnect if it fails
server.ssl_ca_file: a CA file, is set to the systems CA bundle by default (distri. dependent)
server.ssl_ca_path: alternativly path to a directory with CA PEM files
I tested it and this seems no longer an issue with >= 1.9.3
https://www.braintreepayments.com/braintrust/sslsocket-verify_mode-doesnt-verify
---
lib/rbot/ircbot.rb | 30 +++++++++++++++++++++++++++++-
lib/rbot/ircsocket.rb | 11 ++++++++++-
2 files changed, 39 insertions(+), 2 deletions(-)
(limited to 'lib')
diff --git a/lib/rbot/ircbot.rb b/lib/rbot/ircbot.rb
index d75d6b54..a1713c2d 100644
--- a/lib/rbot/ircbot.rb
+++ b/lib/rbot/ircbot.rb
@@ -278,6 +278,18 @@ class Bot
  Config.register Config::BooleanValue.new('server.ssl',
  :default => false, :requires_restart => true, :wizard => true,
  :desc => "Use SSL to connect to this server?")
+ Config.register Config::BooleanValue.new('server.ssl_verify',
+ :default => false, :requires_restart => true,
+ :desc => "Verify the SSL connection?",
+ :wizard => true)
+ Config.register Config::StringValue.new('server.ssl_ca_file',
+ :default => default_ssl_ca_file, :requires_restart => true,
+ :desc => "The CA file used to verify the SSL connection.",
+ :wizard => true)
+ Config.register Config::StringValue.new('server.ssl_ca_path',
+ :default => '', :requires_restart => true,
+ :desc => "Alternativly a directory that includes CA PEM files used to verify the SSL connection.",
+ :wizard => true)
  Config.register Config::StringValue.new('server.password',
  :default => false, :requires_restart => true,
  :desc => "Password for connecting to this server (if required)",
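Review bot: `server.ssl_ca_file` is registered with `:default => default_ssl_ca_file`, which is evaluated once here and is `nil` when that lookup finds no readable bundle, whereas the sibling `server.ssl_ca_path` defaults to `''`; with `server.ssl_verify` enabled and no bundle found, the SSL context built in ircsocket.rb has no trust anchors and every connect fails, and neither description tells the operator that. Defaulting to `''` for consistency and spelling out the failure mode would make this visible, e.g. `:desc => "Verify the server certificate against a CA? The bot refuses to connect if verification fails."` and `:desc => "Alternatively, a directory of CA PEM files used to verify the SSL connection."` (which also fixes the typo). This assumes these `Config.register` calls run inside an instance method — the enclosing definition starts before and ends after the hunk — since `default_ssl_ca_file` is added later in this commit as an instance method of `Bot`.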
@@ -608,7 +620,12 @@ class Bot
  debug "server.list is now #{@config['server.list'].inspect}"
  end
- @socket = Irc::Socket.new(@config['server.list'], @config['server.bindhost'], :ssl => @config['server.ssl'], :penalty_pct =>@config['send.penalty_pct'])
+ @socket = Irc::Socket.new(@config['server.list'], @config['server.bindhost'],
+ :ssl => @config['server.ssl'],
+ :ssl_verify => @config['server.ssl_verify'],
+ :ssl_ca_file => @config['server.ssl_ca_file'],
+ :ssl_ca_path => @config['server.ssl_ca_path'],
+ :penalty_pct => @config['send.penalty_pct'])
  @client = Client.new
  @plugins.scan
@@ -804,6 +821,17 @@ class Bot
  trap_signals
  end
+ # Determine (if possible) a valid path to a CA certificate bundle.
+ def default_ssl_ca_file
+ [ '/etc/ssl/certs/ca-certificates.crt', # Ubuntu/Debian
+ '/etc/ssl/certs/ca-bundle.crt', # Amazon Linux
+ '/etc/ssl/ca-bundle.pem', # OpenSUSE
+ '/etc/pki/tls/certs/ca-bundle.crt' # Fedora/RHEL
+ ].find do |file|
+ File.readable? file
+ end
+ end
+
  def repopulate_botclass_directory
  template_dir = File.join Config::datadir, 'templates'
  if FileTest.directory? @botclass
diff --git a/lib/rbot/ircsocket.rb b/lib/rbot/ircsocket.rb
index 029d1ca5..e5131c2b 100644
--- a/lib/rbot/ircsocket.rb
+++ b/lib/rbot/ircsocket.rb
@@ -285,6 +285,9 @@ module Irc
  @lines_sent = 0
  @lines_received = 0
  @ssl = opts[:ssl]
+ @ssl_verify = opts[:ssl_verify]
+ @ssl_ca_file = opts[:ssl_ca_file]
+ @ssl_ca_path = opts[:ssl_ca_path]
  @penalty_pct = opts[:penalty_pct] || 100
  end
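Review bot: `default_ssl_ca_file` returns `nil` when none of its four hard-coded paths is readable, and that `nil` is what the `server.ssl_ca_file` registration earlier in this commit stores as the default, so any host outside Debian/Ubuntu, Amazon Linux, OpenSUSE and Fedora/RHEL ends up with no trust store as soon as `server.ssl_verify` is switched on. Appending the bundle path OpenSSL itself was built with, `OpenSSL::X509::DEFAULT_CERT_FILE`, as the last candidate would cover most of those hosts; whether `openssl` is already required in this file is not visible in the hunk, so guard it with `defined?(OpenSSL::X509::DEFAULT_CERT_FILE)` or require it here. The candidate list is rebuilt on every call and would read better as a frozen constant, e.g. `CA_BUNDLE_CANDIDATES = [...].freeze`, and the header comment should state the contract the caller relies on: `# @return [String, nil] the first readable CA bundle path, or nil if none of the known locations exists`.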
@@ -331,7 +334,13 @@ module Irc
  if(@ssl)
  require 'openssl'
  ssl_context = OpenSSL::SSL::SSLContext.new()
- ssl_context.verify_mode = OpenSSL::SSL::VERIFY_NONE
+ if @ssl_verify
+ ssl_context.ca_file = @ssl_ca_file if @ssl_ca_file and not @ssl_ca_file.empty?
+ ssl_context.ca_path = @ssl_ca_path if @ssl_ca_path and not @ssl_ca_path.empty?
+ ssl_context.verify_mode = OpenSSL::SSL::VERIFY_PEER
+ else
+ ssl_context.verify_mode = OpenSSL::SSL::VERIFY_NONE
+ end
  sock = OpenSSL::SSL::SSLSocket.new(sock, ssl_context)
  sock.sync_close = true
  sock.connect
--
cgit v1.2.3
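Review bot: `VERIFY_PEER` in the new `if @ssl_verify` branch validates the certificate chain but not the name — `sock.connect` three lines below does not check that the presented certificate matches the host being dialled, so a valid certificate issued by any trusted CA for any other name is accepted and the interception case this commit sets out to close stays open. Calling `sock.post_connection_check(host)` right after `sock.connect`, with the server name this method connected to (which is outside the hunk), binds the certificate to that host; it raises `OpenSSL::SSL::SSLError` on mismatch, the same class a failed chain check raises, so whatever the caller already does on a failed connect applies. The branch also leaves the context with no trust anchors when both `@ssl_ca_file` and `@ssl_ca_path` are empty (the `nil` default of `default_ssl_ca_file`), which makes every verified connect fail; falling back to the store OpenSSL was built with via `OpenSSL::X509::Store#set_default_paths` keeps verification on in that case. The enclosing method begins before and ends after the hunk, and `and`/`not` on the two guard lines would be `&&`/`!` in idiomatic Ruby.
```ruby
        if @ssl_verify
          ssl_context.ca_file = @ssl_ca_file if @ssl_ca_file && !@ssl_ca_file.empty?
          ssl_context.ca_path = @ssl_ca_path if @ssl_ca_path && !@ssl_ca_path.empty?
          # No bundle configured: use the trust store OpenSSL was built with, so
          # VERIFY_PEER has anchors to verify against instead of rejecting every connection.
          unless ssl_context.ca_file || ssl_context.ca_path
            store = OpenSSL::X509::Store.new
            store.set_default_paths
            ssl_context.cert_store = store
          end
          ssl_context.verify_mode = OpenSSL::SSL::VERIFY_PEER
        else
          ssl_context.verify_mode = OpenSSL::SSL::VERIFY_NONE
        end
        # … unchanged: SSLSocket construction and sync_close …
        sock.connect
        # VERIFY_PEER checks the chain only; also bind the certificate to the dialled host.
        # SERVER_HOST is a placeholder for the hostname variable this method connects to.
        sock.post_connection_check(SERVER_HOST) if @ssl_verify
```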