IRC - TLS Client Certificates #396

@half-duplex

Summary

Using SASL for authentication is cleaner and more secure than PRIVMSG NickServ, and client certificates are relatively straightforward to implement.

Background

Is your feature request related to a problem? Please describe:

Some networks, notably freenode, have had issues with the NickServ nick being taken over by someone other than services. SASL mitigates this problem by implementing challenge-response authentication, client certificates, or simply passing credentials over a different channel.

Describe the solution you'd like:

TeleIRC could implement any of the common SASL methods:

  • EXTERNAL (client certificates) is straightforward: just pass a client cert+key to the TLS library
  • PLAIN (plaintext credentials) is straightforward but requires handling CAPs and sending AUTHENTICATEs
    (It appears TeleIRC already supports PLAIN? It isn't clear from the documentation)

Describe alternatives you've considered:

Other methods are also not terrible to implement, but would require additional dependencies and further command handlers. SCRAM-SHA-256 and ECDSA-NIST256P-CHALLENGE are examples.

Outcome

Users of TeleIRC can have the bot authenticate to services using a client certificate instead of a password.
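The two mechanisms named in the request, as an added sketch using only the Go standard library (not TeleIRC code and not part of the original issue): `clientTLSConfig` and `saslReply` are hypothetical names, `irc.example.net` and the server lines in `main` are constructed, and the client is assumed to have already sent `CAP REQ :sasl`.

```go
package main

import (
	"crypto/tls"
	"encoding/base64"
	"fmt"
	"strings"
)

// clientTLSConfig builds the TLS settings for SASL EXTERNAL: the certificate
// presented in the handshake is the credential, so no password is ever sent.
func clientTLSConfig(certPEM, keyPEM []byte, serverName string) (*tls.Config, error) {
	cert, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return nil, fmt.Errorf("load client certificate: %w", err)
	}
	return &tls.Config{Certificates: []tls.Certificate{cert}, ServerName: serverName, MinVersion: tls.VersionTLS12}, nil
}

// saslReply returns the client's answer to one server line ("" = send nothing).
func saslReply(mech, authcid, password, serverLine string) string {
	f := strings.Fields(serverLine)
	switch {
	case len(f) >= 5 && f[1] == "CAP" && f[3] == "ACK" && strings.TrimPrefix(f[4], ":") == "sasl":
		return "AUTHENTICATE " + mech
	case len(f) >= 4 && f[1] == "CAP" && f[3] == "NAK":
		// Example policy: stop instead of falling back to PRIVMSG NickServ.
		return "QUIT :SASL not available"
	case len(f) == 2 && f[0] == "AUTHENTICATE" && f[1] == "+":
		if mech == "EXTERNAL" {
			return "AUTHENTICATE +" // empty response; identity comes from the certificate
		}
		// PLAIN (RFC 4616): authzid NUL authcid NUL password; long payloads need chunking (not handled).
		raw := "\x00" + authcid + "\x00" + password
		return "AUTHENTICATE " + base64.StdEncoding.EncodeToString([]byte(raw))
	case len(f) >= 2 && f[1] == "903": // RPL_SASLSUCCESS
		return "CAP END"
	case len(f) >= 2 && f[1] == "904": // ERR_SASLFAIL
		return "QUIT :SASL authentication failed"
	}
	return ""
}

func main() {
	// Constructed server transcript for a successful EXTERNAL login.
	for _, line := range []string{":irc.example.net CAP * ACK :sasl", "AUTHENTICATE +", ":irc.example.net 903 bot :SASL authentication successful"} {
		fmt.Printf("S: %s\nC: %s\n", line, saslReply("EXTERNAL", "", "", line))
	}
}
```

With EXTERNAL the only secret is the private key on disk, so its file permissions matter as much as a password's would; with PLAIN the encoded credentials are only as protected as the TLS session carrying them.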

Labels: help wanted (Anyone is welcome to help us with this!), new change (Adds new capabilities or functionality)