diff options
| author | 2025-11-03 00:29:40 +0000 | |
|---|---|---|
| committer | 2025-11-03 00:30:04 +0000 | |
| commit | bec505fc6c6699283d431ea96aaeb8543bc8bef1 (patch) | |
| tree | 94c7b4f3722989c8807e7c200099021a4d575f8e /modules/sslinfo.cpp | |
| parent | Only cache the package directory on Windows. (diff) | |
| parent | Improve the way client certificates are validated in ssl_openssl. (diff) | |
Merge branch 'insp4' into master.
Diffstat (limited to 'modules/sslinfo.cpp')
| -rw-r--r-- | modules/sslinfo.cpp | 41 |
1 files changed, 30 insertions, 11 deletions
diff --git a/modules/sslinfo.cpp b/modules/sslinfo.cpp index e5686ba91..1d0c0edd8 100644 --- a/modules/sslinfo.cpp +++ b/modules/sslinfo.cpp @@ -67,6 +67,17 @@ public: Delete(user, UnsetRaw(user)); } + static std::string GetFlags(const ssl_cert* cert) + { + std::string ret; + ret.push_back(cert->IsInvalid() ? 'v' : 'V'); + ret.push_back(cert->IsTrusted() ? 'T' : 't'); + ret.push_back(cert->IsRevoked() ? 'R' : 'r'); + ret.push_back(cert->IsUnknownSigner() ? 's' : 'S'); + ret.push_back(cert->GetError().empty() ? 'e' : 'E'); + return ret; + } + std::string ToInternal(const Extensible* container, void* item) const noexcept override { return ToNetwork(container, item); @@ -76,13 +87,7 @@ public: { const ssl_cert* cert = static_cast<ssl_cert*>(item); std::stringstream value; - value - << (cert->IsInvalid() ? "v" : "V") - << (cert->IsTrusted() ? "T" : "t") - << (cert->IsRevoked() ? "R" : "r") - << (cert->IsUnknownSigner() ? "s" : "S") - << (cert->GetError().empty() ? "e" : "E") - << " "; + value << GetFlags(cert) << " "; if (cert->GetError().empty()) value << insp::join(cert->GetFingerprints(), ',') << " " << cert->GetDN() << " " << cert->GetIssuer(); @@ -220,6 +225,7 @@ private: } else { + source->WriteNotice("*** Flags: " + SSLCertExt::GetFlags(cert)); source->WriteNotice("*** Distinguished Name: " + cert->GetDN()); source->WriteNotice("*** Issuer: " + cert->GetIssuer()); for (const auto& fingerprint : cert->GetFingerprints()) @@ -414,13 +420,26 @@ public: return MOD_RES_DENY; } - const std::string fingerprint = oper->GetConfig()->getString("fingerprint"); - if (!fingerprint.empty() && (!cert || !cert->IsUsable() || !MatchFingerprint(cert, fingerprint))) + const auto fingerprint = oper->GetConfig()->getString("fingerprint"); + if (fingerprint.empty()) + return MOD_RES_PASSTHRU; + + const auto cert_usable = cert && cert->IsUsable(); + const auto correct_fp = cert_usable && MatchFingerprint(cert, fingerprint); + if (!correct_fp) { if (!automatic) { - ServerInstance->SNO.WriteGlobalSno('o', "{} ({}) [{}] failed to log into the \x02{}\x02 oper account because they are not using the correct TLS client certificate.", - user->nick, user->GetRealUserHost(), user->GetAddress(), oper->GetName()); + const char* error; + if (!cert) + error = "not using a TLS client certificate"; + else if (!cert_usable) + error = "using an invalid (probably expired) TLS client certificate"; + else + error = "not using the correct TLS client certificate"; + + ServerInstance->SNO.WriteGlobalSno('o', "{} ({}) [{}] failed to log into the \x02{}\x02 oper account because they are {}.", + user->nick, user->GetRealUserHost(), user->GetAddress(), oper->GetName(), error); } return MOD_RES_DENY; } |
