#583548 please allow setting an "expected cert name" for servers

Package: irssi
Source: irssi
Description: terminal based IRC client
Submitter: Peter Palfrader
Date: 2010-05-31 22:18:02 UTC
Severity: normal
#583548#5
Date: 2010-05-28 09:16:41 UTC
From:
To:
Irssi now verifies remote certificate names.

One of my use cases for irssi is to connect to individual servers in
the irc.oftc.net rotation for administrative purposes (with my OFTC noc
hat on).

I do this by connecting to specific IP addresses on the ssl port of the
server, and I really would like to verify the remote site.

| Fri 11:10:23 -!- Irssi: Looking up 207.192.72.99
| Fri 11:10:23 -!- Irssi: Reconnecting to 207.192.72.99 [207.192.72.99] port 6697 - use /RMRECONNS to abort
| Fri 11:10:23 -!- Irssi: warning None of the Subject Alt Names in the certificate match hostname '207.192.72.99'
| Fri 11:10:23 -!- Irssi: Connection lost to 207.192.72.99

The certificate is made out to irc.oftc.net, and to the server's name
but that name is not in DNS - hence the use of IP addresses for
connecting.

[The cert does not contain the IP address (all the IP addresses) of a
 server, and I'd really prefer not to have to add it.  But even if I
 added it that wouldn't work yet - see my other bug report.]

Unfortunately all this results in that I can no longer connect properly
to my servers.


It'd be nice if irssi had a server option like 'ssl-hostname' or
'expected-cert-hostname' or something like that, which I could set
to "irc.oftc.net", and that would be the hostname irssi expects and
demands in the certificate.


Then I could simply add 'ssl-hostname="irc.oftc.net"' to my many server
definitions and all would be fine.

Cheers,
weasel
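
The behaviour requested above, as an added example that is not part of the original report and is not irssi code: the TCP connection goes to the IP address, while the certificate is verified against a separately configured name. The function names, the `expected_cert_name` parameter and the second SAN entry are assumptions made for illustration (the report does not give the server's own name).

```python
import socket
import ssl

# Constructed sample: DNS subjectAltNames as the report describes them
# (irc.oftc.net plus the server's own name; the second entry is a placeholder).
CONSTRUCTED_SANS = ["irc.oftc.net", "server1.example.net"]


def build_context():
    """Client context that demands a valid chain and a matching name."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True            # already the default, kept explicit
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def name_to_verify(connect_addr, expected_cert_name=None):
    """Name the certificate must carry: the override if set, else the address."""
    return expected_cert_name or connect_addr


def san_matches(dns_sans, name):
    """Simplified RFC 6125-style match of DNS SANs against `name`.

    Case-insensitive; a wildcard is honoured only as the whole left-most
    label and covers exactly one label. IP addresses never match DNS SANs.
    """
    name = name.lower().rstrip(".")
    for san in dns_sans:
        san = san.lower().rstrip(".")
        if san == name:
            return True
        if san.startswith("*.") and "." in name:
            if name.split(".", 1)[1] == san[2:]:
                return True
    return False


def connect(connect_addr, port, expected_cert_name=None, timeout=10):
    """Connect to connect_addr, but verify (and send SNI for) the expected name."""
    sock = socket.create_connection((connect_addr, port), timeout=timeout)
    try:
        return build_context().wrap_socket(
            sock, server_hostname=name_to_verify(connect_addr, expected_cert_name))
    except Exception:
        sock.close()
        raise
```

With no override, `san_matches` rejects `207.192.72.99` just as the log above shows; with the override set to `irc.oftc.net` the same certificate is accepted, and verification stays fully enabled in both cases.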