From 3d150ba5da604569f075b20cc560e7d04aeac993 Mon Sep 17 00:00:00 2001 From: Sadie Powell Date: Sat, 4 Apr 2026 01:41:38 +0100 Subject: Tighten up the TLS requirements for server links. Servers must now either provide a fingerprint in the link config or provide a valid certificate. There's an undocumented (for now) opt-out in the config but even with this set it still doesn't allow expired, revoked, or otherwise invalid certificates. --- modules/spanningtree/server.cpp | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) (limited to 'modules/spanningtree/server.cpp') diff --git a/modules/spanningtree/server.cpp b/modules/spanningtree/server.cpp index 7c6c08544..6199673ae 100644 --- a/modules/spanningtree/server.cpp +++ b/modules/spanningtree/server.cpp @@ -141,19 +141,26 @@ std::shared_ptr TreeSocket::AuthRemote(const CommandBase::Params& params) if (!ComparePass(*x, password)) { - ServerInstance->SNO.WriteToSnoMask('l', "Invalid password on link: {}", x->Name); + ServerInstance->SNO.WriteToSnoMask('l', "Invalid credentials on link: {}", x->Name); continue; } - if (!CheckDuplicate(sname, sid)) + auto* hook = TLS::GetHook(this); + if (hook && !hook->GetCertificate()->IsUsable(!x->AllowSelfSigned)) + { + this->SendError("Peer provided an unusable (probably self-signed) TLS certificate"); return nullptr; + } - if (TLS::GetHook(this) && !IsLocalRange(capab->remotesa)) + if (!hook && !IsLocalRange(capab->remotesa)) { - this->SendError("Non-local server connections MUST be linked with SSL!"); + this->SendError("Non-local server connections MUST be linked with TLS"); return nullptr; } + if (!CheckDuplicate(sname, sid)) + return nullptr; + ServerInstance->SNO.WriteToSnoMask('l', "Verified server connection " + linkID + " ("+description+")"); return x; } -- cgit v1.3.1-10-gc9f91