authorMatthias H <apoc@sixserv.org>2013-09-18 04:00:17 +0200
committerMatthias Hecker <apoc@sixserv.org>2013-11-14 12:32:47 +0000
commit85ee9672fce67d95bf8310af331a576f3492b863 (patch)
treecfe5b649d04ac84bca3811a29a0443cfa0ccce32
parenta3fa2b3e2f962e1bb8dee7a99c8669bc60c52587 (diff)
allow to verify ssl connections against a CA.
This adds three new configuration variables to configure SSL verification against a CA. server.ssl_verify: true if it should verify and disconnect if verification fails. server.ssl_ca_file: a CA file; set to the system's CA bundle by default (distribution dependent). server.ssl_ca_path: alternatively, the path to a directory with CA PEM files. I tested it and this seems no longer an issue with >= 1.9.3: https://www.braintreepayments.com/braintrust/sslsocket-verify_mode-doesnt-verify
-rw-r--r--lib/rbot/ircbot.rb30
-rw-r--r--lib/rbot/ircsocket.rb11
2 files changed, 39 insertions, 2 deletions
diff --git a/lib/rbot/ircbot.rb b/lib/rbot/ircbot.rb
index d75d6b54..a1713c2d 100644
--- a/lib/rbot/ircbot.rb
+++ b/lib/rbot/ircbot.rb
@@ -278,6 +278,18 @@ class Bot
Config.register Config::BooleanValue.new('server.ssl',
:default => false, :requires_restart => true, :wizard => true,
:desc => "Use SSL to connect to this server?")
+ Config.register Config::BooleanValue.new('server.ssl_verify',
+ :default => false, :requires_restart => true,
+ :desc => "Verify the SSL connection?",
+ :wizard => true)
+ Config.register Config::StringValue.new('server.ssl_ca_file',
+ :default => default_ssl_ca_file, :requires_restart => true,
+ :desc => "The CA file used to verify the SSL connection.",
+ :wizard => true)
+ Config.register Config::StringValue.new('server.ssl_ca_path',
+ :default => '', :requires_restart => true,
+ :desc => "Alternativly a directory that includes CA PEM files used to verify the SSL connection.",
+ :wizard => true)
Config.register Config::StringValue.new('server.password',
:default => false, :requires_restart => true,
:desc => "Password for connecting to this server (if required)",
@@ -608,7 +620,12 @@ class Bot
debug "server.list is now #{@config['server.list'].inspect}"
end
- @socket = Irc::Socket.new(@config['server.list'], @config['server.bindhost'], :ssl => @config['server.ssl'], :penalty_pct =>@config['send.penalty_pct'])
+ @socket = Irc::Socket.new(@config['server.list'], @config['server.bindhost'],
+ :ssl => @config['server.ssl'],
+ :ssl_verify => @config['server.ssl_verify'],
+ :ssl_ca_file => @config['server.ssl_ca_file'],
+ :ssl_ca_path => @config['server.ssl_ca_path'],
+ :penalty_pct => @config['send.penalty_pct'])
@client = Client.new
@plugins.scan
@@ -804,6 +821,17 @@ class Bot
trap_signals
end
+ # Determine (if possible) a valid path to a CA certificate bundle.
+ def default_ssl_ca_file
+ [ '/etc/ssl/certs/ca-certificates.crt', # Ubuntu/Debian
+ '/etc/ssl/certs/ca-bundle.crt', # Amazon Linux
+ '/etc/ssl/ca-bundle.pem', # OpenSUSE
+ '/etc/pki/tls/certs/ca-bundle.crt' # Fedora/RHEL
+ ].find do |file|
+ File.readable? file
+ end
+ end
+
def repopulate_botclass_directory
template_dir = File.join Config::datadir, 'templates'
if FileTest.directory? @botclass
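Review bot: server.ssl_verify defaults to false in the first hunk, so the new CA options have no effect unless the user opts in, and an SSL connection still accepts any certificate by default; given the description says the old verify_mode problem is gone on >= 1.9.3, consider `:default => true`, or if opt-in is deliberate make the consequence visible in the desc: `:desc => "Verify the server's SSL certificate against a CA? (when off, any certificate is accepted)"`. The ssl_ca_path desc string misspells "Alternativly" (user-facing text, so worth fixing in the same commit). default_ssl_ca_file in the third hunk returns nil when none of the candidate bundles is readable, which then becomes the StringValue default — confirm the config layer and the wizard accept nil rather than ''. The registration calls invoke default_ssl_ca_file as an instance method, so they presumably run inside an instance method whose start is outside the hunk.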
diff --git a/lib/rbot/ircsocket.rb b/lib/rbot/ircsocket.rb
index 029d1ca5..e5131c2b 100644
--- a/lib/rbot/ircsocket.rb
+++ b/lib/rbot/ircsocket.rb
@@ -285,6 +285,9 @@ module Irc
@lines_sent = 0
@lines_received = 0
@ssl = opts[:ssl]
+ @ssl_verify = opts[:ssl_verify]
+ @ssl_ca_file = opts[:ssl_ca_file]
+ @ssl_ca_path = opts[:ssl_ca_path]
@penalty_pct = opts[:penalty_pct] || 100
end
@@ -331,7 +334,13 @@ module Irc
if(@ssl)
require 'openssl'
ssl_context = OpenSSL::SSL::SSLContext.new()
- ssl_context.verify_mode = OpenSSL::SSL::VERIFY_NONE
+ if @ssl_verify
+ ssl_context.ca_file = @ssl_ca_file if @ssl_ca_file and not @ssl_ca_file.empty?
+ ssl_context.ca_path = @ssl_ca_path if @ssl_ca_path and not @ssl_ca_path.empty?
+ ssl_context.verify_mode = OpenSSL::SSL::VERIFY_PEER
+ else
+ ssl_context.verify_mode = OpenSSL::SSL::VERIFY_NONE
+ end
sock = OpenSSL::SSL::SSLSocket.new(sock, ssl_context)
sock.sync_close = true
sock.connect
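Review bot: With @ssl_verify set, the context built in the new branch has no trust anchors when both ssl_ca_file and ssl_ca_path are empty (the default whenever no system bundle was found), so VERIFY_PEER would then fail for every peer; and even with a CA configured, VERIFY_PEER only validates the chain — the server's hostname is never compared with the certificate, so a certificate issued by a trusted CA for any name is accepted for this server. I'd fall back to the system store when neither option is given, `ssl_context.cert_store = OpenSSL::X509::Store.new.tap(&:set_default_paths)`, and after `sock.connect` add `sock.post_connection_check(<server hostname>) if @ssl_verify`, where the hostname is whatever this method used to open the TCP socket (not visible in the hunk). The enclosing method starts before the hunk.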