After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 749410 - IRC servers don't have alternative name for irc.gnome.org
IRC servers don't have alternative name for irc.gnome.org
Status: RESOLVED FIXED
Product: sysadmin
Classification: Infrastructure
Component: IRC
unspecified
Other Linux
: Normal normal
: ---
Assigned To: GNOME Sysadmins
GNOME Sysadmins
Depends on:
Blocks:
 
 
Reported: 2015-05-15 03:58 UTC by Maciej (Matthew) Piechotka
Modified: 2016-12-22 18:32 UTC
See Also:
GNOME target: ---
GNOME version: ---


Description Maciej (Matthew) Piechotka 2015-05-15 03:58:37 UTC 
Currently when connecting via SSL to irc.gnome.org the certificate of chosen server is presented which does not match the irc.gnome.org. They should present certificate valid for irc.gnome.org as otherwise users are thought to ignore SSL errors on irc.gnome.org.
Comment 1 Andrea Veri 2015-05-17 18:04:35 UTC 
This is definitely a problem we were well aware of when we decided to introduce SSL on the network and [1] also comes with an explanation of why the verification of the SSL certificate is going to fail with an ALT name mismatch when irc.gnome.org or irc.gimp.org are used to connect to the network. The DNS entries irc.gnome.org and irc.gimp.org are round robin entries with 4 servers coming from 4 different domains:

 1. irc.eagle.y.se
 2. irc.acc.umu.se
 3. irc.gimp.ca
 4. irc.poop.nl

Right now each of these servers have its own set of certificates which - security speaking - makes the whole setup secure as a compromised server won't allow the attacker to identify itself as the other servers of the network. On the other hand the verification of the certificate is going to fail though. 

At the same time we would need a certificate that includes both the gimp.org and gnome.org domains as both these domains are used to connect to the GIMPNet network. A possible solution we were thinking about was to rename the servers to something like [0-4].irc.gnome.org and generate a certificate with one wildcard ALT name being: *.irc.gnome.org (plus irc.gnome.org), then share it to all the nodes with the downside of having one single point of failure when it comes to the possibility of the certificate itself being compromised.

The current and the proposed setup both have pros and cons:

current:

 1. one certificate for each server. One server being compromised means we can remove it from the rotation, revoke the certificate and rebuild the machine that was compromised having the whole network not being affected at all by this operation.
 2. SSL verification fails when irc.gimp.org and irc.gnome.org are used

proposed:

 1. one certificate for all the servers of the network. One server being compromised means the whole network being affected.
 2. SSL verification would work as expected in case a multi-domain certificate is being used (StartSSL seems to provide that according to [2])
 3. most of the servers are known for their current domain name (i.e irc.acc.umu.se as maswan reported me), so we should be asking their admins whether assigning a different server name / hostname might not be what they really want. Maswan and Stric are CCed on this bug report so they might provide some valuable feedback on this topic. 

[1] https://wiki.gnome.org/Sysadmin/IRC
[2] https://www.startssl.com/?app=2
Comment 2 maswan 2015-06-04 15:11:20 UTC 
We won't switch the certificate on irc.acc.umu.se to anything that doesn't have irc.acc.umu.se in DN/ALT names. We could have another ircd that's in irc.gnome.org if that's needed though and drop irc.acc.umu.se out.
Comment 3 Andrea Veri 2016-12-22 18:32:38 UTC 
This has been resolved. All the ircds were provisioned with a multi-domain certificate installed with all the needed SANs.

Thanks!