[Bug 749410] IRC servers don't have alternative name for irc.gnome.org



Andrea Veri changed bug 749410
What Removed Added
CC   andrea.veri@gmail.com

Comment # 1 on bug 749410 from Andrea Veri
This is definitely a problem we were well aware of when we decided to introduce
SSL on the network and [1] also comes with an explanation of why the
verification of the SSL certificate is going to fail with an ALT name mismatch
when irc.gnome.org or irc.gimp.org are used to connect to the network. The DNS
entries irc.gnome.org and irc.gimp.org are round robin entries with 4 servers
coming from 4 different domains:

 1. irc.eagle.y.se
 2. irc.acc.umu.se
 3. irc.gimp.ca
 4. irc.poop.nl

Right now each of these servers has its own set of certificates which -
security speaking - makes the whole setup secure as a compromised server won't
allow the attacker to identify itself as the other servers of the network. On
the other hand the verification of the certificate is going to fail though.

At the same time we would need a certificate that includes both the gimp.org
and gnome.org domains as both these domains are used to connect to the GIMPNet
network. A possible solution we were thinking about was to rename the servers
to something like [0-4].irc.gnome.org and generate a certificate with one
wildcard ALT name being: *.irc.gnome.org (plus irc.gnome.org), then share it with
all the nodes with the downside of having one single point of failure when it
comes to the possibility of the certificate itself being compromised.

The current and the proposed setup both have pros and cons:

current:

 1. one certificate for each server. One server being compromised means we can
remove it from the rotation, revoke the certificate and rebuild the machine
that was compromised without the whole network being affected at all by this
operation.
 2. SSL verification fails when irc.gimp.org and irc.gnome.org are used

proposed:

 1. one certificate for all the servers of the network. One server being
compromised means the whole network being affected.
 2. SSL verification would work as expected in case a multi-domain certificate
is being used (StartSSL seems to provide that according to [2])
 3. most of the servers are known for their current domain name (i.e.
irc.acc.umu.se, as maswan reported to me), so we should be asking their admins
whether assigning a different server name / hostname might not be what they
really want. Maswan and Stric are CCed on this bug report so they might provide
some valuable feedback on this topic.

[1] https://wiki.gnome.org/Sysadmin/IRC
[2] https://www.startssl.com/?app=2
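
The name check behind the two setups compared in the comment above, as an added example that is not part of the original bug comment or of GNOME's infrastructure code. The SAN lists are constructed from the comment's description; the per-server SAN contents and the irc.gimp.org entry on the shared certificate are assumptions.

```python
# Added example. SAN lists are constructed from the comment's description,
# not read from the real GIMPNet certificates.

def san_matches(hostname, pattern):
    """RFC 6125-style comparison: case-insensitive, and '*' is accepted only
    as the entire leftmost label, where it stands for exactly one label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat

def verify(hostname, sans):
    """True if the name the client asked for is covered by any SAN entry."""
    return any(san_matches(hostname, san) for san in sans)

# Names users type; DNS round robin may answer with any of the four servers.
ROUND_ROBIN = ["irc.gnome.org", "irc.gimp.org"]

# Current setup (assumption: each certificate names only its own server).
CURRENT = {s: [s] for s in
           ["irc.eagle.y.se", "irc.acc.umu.se", "irc.gimp.ca", "irc.poop.nl"]}

# Proposed shared certificate: the two SANs named in the comment, plus
# irc.gimp.org as the assumed extra entry of a multi-domain certificate.
PROPOSED = ["irc.gnome.org", "*.irc.gnome.org", "irc.gimp.org"]

def current_results():
    return {(name, server): verify(name, sans)
            for name in ROUND_ROBIN for server, sans in CURRENT.items()}

def proposed_results():
    names = ROUND_ROBIN + ["0.irc.gnome.org", "a.0.irc.gnome.org",
                           "irc.acc.umu.se"]
    return {name: verify(name, PROPOSED) for name in names}

if __name__ == "__main__":
    for (name, server), ok in current_results().items():
        print(f"current  {name} -> {server}: {'ok' if ok else 'MISMATCH'}")
    for name, ok in proposed_results().items():
        print(f"proposed {name}: {'ok' if ok else 'MISMATCH'}")
```

Under the shared certificate a client that still connects to an old per-server name such as irc.acc.umu.se gets a mismatch unless that name is also listed, which is the renaming question raised in point 3 of the proposed setup.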

