Support verifying links (spanningtree) by CA instead of fingerprint #2029
Comments
FWIW you can define multiple
I think this is more of a bug than an enhancement.
Description
Currently to verify a linked host with TLS, fingerprints are used. This feature request would allow using a certificate authority to verify instead.
This could look something like:
If the host's certificate validates with the CA, then it is deemed valid (i.e., the certificate is not expired, etc.). Revocation should ideally be supported.
The design of the feature must allow multiple CA roots to facilitate root rotations. A subject filter may be desirable if using a CA that is not isolated to the InspIRCd setup. For example:
Why this would be useful
Routine certificate renewals require updating the fingerprints in all hosts, which makes certificate rotation more complicated; CAs are the standard in which most PKI operates.
Further, it would be nice to not even have to declare servers via a link block and fully trust PKI. Currently servers must share information about each other out of band.
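As an added example (not code from InspIRCd or from this issue), here is the policy described above written against Go's standard crypto/x509: several trusted roots so a root can be rotated, plus a subject filter. verifyLink, mint and Demo are hypothetical names and the CAs and hostnames are constructed test data; signatures, expiry and CA constraints come from x509.Verify, while revocation (CRL/OCSP) is left out.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)
// verifyLink is the CA-based check the issue sketches (hypothetical name, not InspIRCd code): the chain must
// validate against any of several trusted roots (allowing rotation) and the CN or a DNS SAN must match the filter.
func verifyLink(peer *x509.Certificate, roots *x509.CertPool, subjectSuffix string, now time.Time) error {
	if _, err := peer.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now}); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	for _, n := range append([]string{peer.Subject.CommonName}, peer.DNSNames...) {
		if strings.HasSuffix(n, subjectSuffix) { // "" disables the filter
			return nil
		}
	}
	return fmt.Errorf("subject filter: %q does not match %q", peer.Subject.String(), subjectSuffix)
}
// mint builds a constructed test certificate for cn: a self-signed CA when parent is nil, else a leaf issued by parent.
func mint(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: parent == nil,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil { parent, parentKey = tmpl, key } // self-signed root
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// Demo models a root rotation (old and new roots both trusted) plus an unrelated-CA and an off-filter rejection.
func Demo() (hubOK, unrelatedRejected, subjectRejected bool) {
	oldRoot, _ := mint("Old IRC Root", nil, nil)
	newRoot, newKey := mint("New IRC Root", nil, nil)
	otherCA, otherKey := mint("Unrelated CA", nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(oldRoot)
	roots.AddCert(newRoot)
	hub, _ := mint("hub.irc.example.net", newRoot, newKey)
	rogue, _ := mint("hub.irc.example.net", otherCA, otherKey)
	web, _ := mint("www.example.com", newRoot, newKey)
	accepted := func(c *x509.Certificate) bool { return verifyLink(c, roots, ".irc.example.net", time.Now()) == nil }
	return accepted(hub), !accepted(rogue), !accepted(web)
}
```

Adding the old root to the pool keeps links alive while servers re-issue under the new root, which is the rotation case the issue raises.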