From 85ee9672fce67d95bf8310af331a576f3492b863 Mon Sep 17 00:00:00 2001
From: Matthias H
Date: Wed, 18 Sep 2013 04:00:17 +0200
Subject: allow to verify ssl connections against a CA.

This adds three new configuration variables to configure SSL verification against a CA. server.ssl_verify: true if it should verify and disconnect if it fails server.ssl_ca_file: a CA file, is set to the systems CA bundle by default (distri. dependent) server.ssl_ca_path: alternativly path to a directory with CA PEM files I tested it and this seems no longer an issue with >= 1.9.3 https://www.braintreepayments.com/braintrust/sslsocket-verify_mode-doesnt-verify
---
lib/rbot/ircbot.rb | 30 +++++++++++++++++++++++++++++-
lib/rbot/ircsocket.rb | 11 ++++++++++-
2 files changed, 39 insertions(+), 2 deletions(-)
(limited to 'lib')
diff --git a/lib/rbot/ircbot.rb b/lib/rbot/ircbot.rb
index d75d6b54..a1713c2d 100644
--- a/lib/rbot/ircbot.rb
+++ b/lib/rbot/ircbot.rb
@@ -278,6 +278,18 @@ class Bot
 Config.register Config::BooleanValue.new('server.ssl', :default => false, :requires_restart => true, :wizard => true, :desc => "Use SSL to connect to this server?")
+ Config.register Config::BooleanValue.new('server.ssl_verify',
+ :default => false, :requires_restart => true,
+ :desc => "Verify the SSL connection?",
+ :wizard => true)
+ Config.register Config::StringValue.new('server.ssl_ca_file',
+ :default => default_ssl_ca_file, :requires_restart => true,
+ :desc => "The CA file used to verify the SSL connection.",
+ :wizard => true)
+ Config.register Config::StringValue.new('server.ssl_ca_path',
+ :default => '', :requires_restart => true,
+ :desc => "Alternativly a directory that includes CA PEM files used to verify the SSL connection.",
+ :wizard => true)
 Config.register Config::StringValue.new('server.password', :default => false, :requires_restart => true, :desc => "Password for connecting to this server (if required)",
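Review bot: `server.ssl_verify` defaults to `false`, so the server certificate is still accepted unchecked unless an operator opts in; the `:desc` string should make that trade-off visible, e.g. `:desc => "Verify the server's SSL certificate against a CA? (recommended; see server.ssl_ca_file)"`. The `server.ssl_ca_path` description also has a typo and reads better as `:desc => "Alternatively, a directory that includes CA PEM files used to verify the SSL connection."`. `:default => default_ssl_ca_file` is evaluated once, at registration time, so the helper must be callable from wherever these registrations run; the hunk header only shows `class Bot`, so whether this is an instance-method context cannot be confirmed from here. The enclosing definition starts and ends outside the hunk.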
@@ -608,7 +620,12 @@ class Bot
 debug "server.list is now #{@config['server.list'].inspect}"
 end
- @socket = Irc::Socket.new(@config['server.list'], @config['server.bindhost'], :ssl => @config['server.ssl'], :penalty_pct =>@config['send.penalty_pct'])
+ @socket = Irc::Socket.new(@config['server.list'], @config['server.bindhost'],
+ :ssl => @config['server.ssl'],
+ :ssl_verify => @config['server.ssl_verify'],
+ :ssl_ca_file => @config['server.ssl_ca_file'],
+ :ssl_ca_path => @config['server.ssl_ca_path'],
+ :penalty_pct => @config['send.penalty_pct'])
 @client = Client.new
 @plugins.scan
@@ -804,6 +821,17 @@ class Bot
 trap_signals
 end
+ # Determine (if possible) a valid path to a CA certificate bundle.
+ def default_ssl_ca_file
+ [ '/etc/ssl/certs/ca-certificates.crt', # Ubuntu/Debian
+ '/etc/ssl/certs/ca-bundle.crt', # Amazon Linux
+ '/etc/ssl/ca-bundle.pem', # OpenSUSE
+ '/etc/pki/tls/certs/ca-bundle.crt' # Fedora/RHEL
+ ].find do |file|
+ File.readable? file
+ end
+ end
+
 def repopulate_botclass_directory
 template_dir = File.join Config::datadir, 'templates'
 if FileTest.directory? @botclass
diff --git a/lib/rbot/ircsocket.rb b/lib/rbot/ircsocket.rb
index 029d1ca5..e5131c2b 100644
--- a/lib/rbot/ircsocket.rb
+++ b/lib/rbot/ircsocket.rb
@@ -285,6 +285,9 @@ module Irc
 @lines_sent = 0
 @lines_received = 0
 @ssl = opts[:ssl]
+ @ssl_verify = opts[:ssl_verify]
+ @ssl_ca_file = opts[:ssl_ca_file]
+ @ssl_ca_path = opts[:ssl_ca_path]
 @penalty_pct = opts[:penalty_pct] || 100
 end
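Review bot: `default_ssl_ca_file` returns `nil` when none of the four bundle paths is readable, so on such a system `server.ssl_ca_file` gets a `nil` default while `server.ssl_ca_path` defaults to `''`; with `server.ssl_verify` enabled and no CA configured, the context built in ircsocket.rb has no trust store and the handshake will likely fail against every server. Returning the empty string on the no-match path keeps the two defaults consistent and lets the later `empty?` checks handle both uniformly, e.g. `end || ''` after the `find` block, or, if `openssl` is already loaded in this file, `end || OpenSSL::X509::DEFAULT_CERT_FILE`. The method comment should also say that the lookup runs once at registration time and that operators on other distributions must set `server.ssl_ca_file` or `server.ssl_ca_path` explicitly. The `-608` hunk above only threads the new options through `Irc::Socket.new` and the `-285` hunk only stores them; neither needs a change.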
@@ -331,7 +334,13 @@ module Irc
 if(@ssl)
 require 'openssl'
 ssl_context = OpenSSL::SSL::SSLContext.new()
- ssl_context.verify_mode = OpenSSL::SSL::VERIFY_NONE
+ if @ssl_verify
+ ssl_context.ca_file = @ssl_ca_file if @ssl_ca_file and not @ssl_ca_file.empty?
+ ssl_context.ca_path = @ssl_ca_path if @ssl_ca_path and not @ssl_ca_path.empty?
+ ssl_context.verify_mode = OpenSSL::SSL::VERIFY_PEER
+ else
+ ssl_context.verify_mode = OpenSSL::SSL::VERIFY_NONE
+ end
 sock = OpenSSL::SSL::SSLSocket.new(sock, ssl_context)
 sock.sync_close = true
 sock.connect
-- cgit v1.2.3

From c4d629ad86aae3b8bb4669650df57875252bea92 Mon Sep 17 00:00:00 2001
From: Matthias Hecker
Date: Thu, 14 Nov 2013 13:41:16 +0000
Subject: always print FATAL and ERROR logmessages to STDERR

This adds a print to $stderr for log messages with the level ERROR or FATAL. I did this because in the past errors connecting to the server weren't immediately obvious but rather hidden in the logfile. I think it should be right in-your-face when the connection doesn't work. It would probaply be better to extend Logger to print to STDERR but this apparently requires monkeypatching ruby's Logger. Anyhow I think my solution works for now.
---
lib/rbot/ircbot.rb | 4 ++++
1 file changed, 4 insertions(+)
(limited to 'lib')
diff --git a/lib/rbot/ircbot.rb b/lib/rbot/ircbot.rb
index a1713c2d..108d0b1d 100644
--- a/lib/rbot/ircbot.rb
+++ b/lib/rbot/ircbot.rb
@@ -66,6 +66,10 @@ def rawlog(level, message=nil, who_pos=1)
 qmsg.push [level, l.chomp, who]
 who = ' ' * who.size
 }
+ # Also output (fatal) errors to STDERR:
+ if level == Logger::Severity::ERROR or level == Logger::Severity::FATAL
+ $stderr.puts str
+ end
 $log_queue.push qmsg
 end
-- cgit v1.2.3
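Review bot: With `VERIFY_PEER`, `sock.connect` checks that the certificate chains to a configured CA but not that the certificate belongs to the server being connected to, so any valid certificate issued by that CA for a different host is accepted; after `sock.connect` the hostname should be checked too, `sock.post_connection_check(<server hostname>) if @ssl_verify`, with the name taken from the server entry currently being dialled (that variable is outside this hunk). When `@ssl_verify` is set but both `@ssl_ca_file` and `@ssl_ca_path` are empty, the context has no trust store and the handshake will likely fail against every server; either log that as a configuration error or fall back to `ssl_context.cert_store = OpenSSL::X509::Store.new.tap(&:set_default_paths)`. Style: the two guard lines use the low-precedence `and`/`not` keyword forms where `&&`/`!` are conventional, e.g. `ssl_context.ca_file = @ssl_ca_file if @ssl_ca_file && !@ssl_ca_file.empty?`. The enclosing method starts and ends outside the hunk.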
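Review bot: The new `if` writes `str` to stderr, but `str` is not defined anywhere in this hunk; presumably it is the whole message assembled earlier in `rawlog`, whose definition starts outside the hunk, and that is worth confirming since the loop just above works on `l` lines and `qmsg`, not `str`. Style: `or` is the low-precedence keyword form and the two comparisons read better as a membership test, `$stderr.puts str if [Logger::Severity::ERROR, Logger::Severity::FATAL].include?(level)`. The comment should say why the message is duplicated rather than just that it is, e.g. `# Mirror ERROR/FATAL messages to stderr so connection failures are visible without opening the logfile`.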