Sunday, September 22, 2019

Upgrading to SHA256 for Certificate Fingerprints

Hello all! 🙂

As part of my effort to upgrade Techtronix to InspIRCd 3, I also wanted to take this opportunity to talk about client certificates and how they will be affected by the network upgrade.


Currently, Techtronix uses SHA1 as the hash for client certificate fingerprints, among other things. This will be replaced with SHA256 upon the move to InspIRCd 3, which I anticipate to be somewhat soon, now that I've finally started porting over configuration and modules to the new version.

Unfortunately, this will break NickServ and SASL auth that relies on certificate fingerprints, as the server will not know what the SHA256 hashes are until the new system is in place. In the meantime, I have gone through the database and searched for the users who do have certificate fingerprints stored in NickServ, and intend to reach out to them directly so they are affected as little as possible.

Techtronix has had the ability to use SHA256 fingerprints for a while now, though I delayed enabling it for this very reason. However, with the major version shift, I feel that this is now a more appropriate time. Further announcements on the network upgrade progress will be available soon, and I regularly talk about this in #lounge.
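A fingerprint is a one-way digest of the certificate's DER bytes, so a stored SHA1 value cannot be converted to SHA256 without the certificate itself. The sketch below is an added example, not part of the original post or of InspIRCd: it computes both fingerprints from a client `.pem` that holds a key and a certificate. The sample input is constructed placeholder data, and whether the network expects plain lowercase hex or the colon-separated form is not stated on this page, so both are shown.

```python
import base64
import hashlib
import re

# Matches one PEM CERTIFICATE block; other blocks (e.g. PRIVATE KEY) are ignored.
CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)

def cert_der_from_pem(pem_text):
    """Return the DER bytes of the first certificate in a PEM file."""
    match = CERT_RE.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    # Drop the line breaks inside the base64 body before decoding.
    return base64.b64decode("".join(match.group(1).split()))

def fingerprints(pem_text):
    """Hash the certificate's DER encoding with SHA1 (old) and SHA256 (new)."""
    der = cert_der_from_pem(pem_text)
    return {
        "sha1": hashlib.sha1(der).hexdigest(),
        "sha256": hashlib.sha256(der).hexdigest(),
    }

def with_colons(hex_digest):
    """Format a hex digest the way `openssl x509 -fingerprint` prints it."""
    upper = hex_digest.upper()
    return ":".join(upper[i:i + 2] for i in range(0, len(upper), 2))

# Constructed sample: placeholder bytes standing in for a DER certificate,
# wrapped like a typical client .pem that holds both a key and a certificate.
SAMPLE_DER = b"constructed placeholder, not a real certificate"
SAMPLE_PEM = (
    "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    for name, digest in fingerprints(SAMPLE_PEM).items():
        print(name, digest, with_colons(digest))
```

To use it on a real certificate, pass the contents of your own client `.pem` file to `fingerprints()` in place of `SAMPLE_PEM`.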
