Commit 5b97d81

Add certfp and spkifp options to WEBIRC (#463)
Add option parameters to WEBIRC specification to allow forwarding of TLS client certificate fingerprints through WebIRC gateways.
1 parent 2a06f62 commit 5b97d81

1 file changed

+10
-0
lines changed

extensions/webirc.md

Lines changed: 10 additions & 0 deletions
@@ -45,6 +45,12 @@ These options are defined and may be sent by clients while connecting:
4545
- `secure`: This flag indicates that the client has a TLS-secured connection to the gateway. Servers MUST ONLY treat the connection as secure if this flag is sent and the connection from the gateway to the server is also secure with TLS.
4646
- `remote-port=<port>`: This flag indicates the remote port the client has connected to the gateway from.
4747
- `local-port=<port>`: This flag indicates the port the gateway accepted the client connection on (e.g. `6697`, `6667`).
48+
- `certfp-<algo>=<fingerprint>`: This flag indicates the tls client certificate fingerprint supplied to the WebIRC gateway by the user's actual client application.
49+
- `spkifp-<algo>=<fingerprint>`: This flag indicates the public key fingerprint for the tls client certificate supplied to the WebIRC gateway by the user's actual client application.
50+
51+
`<algo>` should be the hash algorithm used to produce the fingerprint supplied such as `sha-256`. Its value should be taken from IANA's [Hash Function Textual Names](https://www.iana.org/assignments/hash-function-text-names/hash-function-text-names.xhtml) registry, or if using an algorithm not listed should use a name consisting of only lower case letters, numbers or hyphens.
52+
53+
`<fingerprint>` should be the hash of the certificate (certfp) or public key (spkifp) encoded in hexadecimal without colon (:) sepertators. Servers should accept either upper case or lower case hexadecimal characters.
4854

4955
Servers MUST be able to handle options that don't currently have defined values gaining values in the future. For example, they MUST treat the options `secure` and `secure=examplevalue123` in exactly the same way.
5056

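Review bot: The `<fingerprint>` paragraph says "the hash of the certificate (certfp) or public key (spkifp)" without naming the byte encoding that is hashed, so a gateway and a server can compute different values for the same client certificate. Suggest stating the input explicitly, for example the DER-encoded certificate for certfp and the DER-encoded SubjectPublicKeyInfo for spkifp. The two new paragraphs also use lowercase "should" where the surrounding text uses MUST and MUST ONLY; if these are requirements, use the capitalised keywords. The new options are not tied to `secure`: consider saying whether a server may act on a forwarded fingerprint when `secure` is absent or the gateway-to-server link is not TLS, since the `secure` entry above already sets that condition for treating the connection as secure. Nits: "sepertators" should be "separators", and "tls" should be "TLS" as in the `secure` entry.
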
@@ -70,6 +76,10 @@ Secure connection with ports passed through.
7076

7177
WEBIRC hunter2 ExampleGateway 198.51.100.3 198.51.100.3 :secure=examplevalue local-port=6697 remote-port=21726
7278

79+
Secure connection including a client certificate fingerprint using the sha-256 hash algorithm.
80+
81+
WEBIRC hunter2 ExampleGateway 198.51.100.3 198.51.100.3 :secure local-port=6697 remote-port=21726 certfp-sha-256=22e88c7d6da9b73fbb515ed6a8f6d133c680527a799e3069ca7ce346d90649b2
82+
7383
Error from invalid password.
7484

7585
ERROR :Invalid WebIRC password
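
Review bot: The added example covers only `certfp-sha-256`; there is no example for `spkifp-<algo>`, which this commit also defines. Suggest adding a second example line that carries `spkifp-sha-256=<fingerprint>`. Since the option text asks servers to accept both upper case and lower case hexadecimal, it would also help to say which case gateways should emit, so the example can be read as the recommended form rather than one of two.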
