Project

General

Profile

Feature #463

GUI for verifying SSL Certificates

Added by xAFFE about 11 years ago. Updated about 11 years ago.

Status:
Feedback
Priority:
Normal
Assignee:
Category:
Quassel Client
Target version:
-
Start date:
01/04/2009
Due date:
% Done:

0%

Estimated time:
OS:
Any

Description

There should be a gui where the fingerprint of the SSL-Certificate is printed, so I can verify the cert.


Related issues

Related to Quassel IRC - Feature #464: Ability to specify a "Certificate Authority"-certificateFeedback2009-01-04

History

#1 Updated by xAFFE about 11 years ago

As mentioned on IRC:

This dialog should be to check the the IRC-Server certificate.

#2 Updated by EgS about 11 years ago

  • Status changed from New to Feedback
  • Assignee set to EgS

As this is obviously related to the CA cert feature request:
wouldn't it suffice, if the CA cert verified the servers authenticity? Also I can think of an option to enforce CA verification, so if it fails that quassel will not continue to connect to the server.

#3 Updated by Sputnick about 11 years ago

It would also be nice to show a different icon ("security-medium" exists for that purpose) in the statusbar in case there were problems with the cert, and maybe a way (tooltip? popup?) to display the warnings generated by cert validation.

Also we should at least warn or outright refuse connection if the core cert's fingerprint has changed; similar to what SSL does. This prevents MITM attacks after the initial connection.

#4 Updated by Sputnick about 11 years ago

One more thing: We need to find a way to make SSL connections by default. Right now, if the core doesn't support SSL, we fail and tell the user to uncheck the box. This is OK, though it would be smoother to just change that directly if the user accepts rather than requiring extra clicks. Need to make sure it works with the mono client too.

#5 Updated by EgS about 11 years ago

Please open another BR as this issue is to ensure that the connected IRC server is trusted.

#6 Updated by xAFFE about 11 years ago

EgS wrote:

As this is obviously related to the CA cert feature request:
wouldn't it suffice, if the CA cert verified the servers authenticity? Also I can think of an option to enforce CA verification, so if it fails that quassel will not continue to connect to the server.

This dialog would only be for manual verification. It should only contain the fingerprint of the server I'm connecting to, maybe this could just printed on the status buffer.

Also available in: Atom PDF