Add network-specific config for cert validation

Added the following two network-specific configuration options that can
be changed via controlpanel or webadmin:

* TrustAllCerts: Will trust ALL certificates when enabled, effectively
  disabling TLS certificate validation.
  Default value: false
* TrustPKI: Whether or not to trust PKI-valid certificates. Setting this
  to false will make znc trust only certificates that the user has
  explicitly added as trusted.
  Default value: true

With default values, behavior is exactly the same as before.

This is based on the work of Roelf Wichertjes. See YourBNC/znc@5c747598.

See znc/znc#866.
xnrand
2016-05-20 01:17:26 +02:00
parent c5db7793d3
commit 409ed4b6bc
8 changed files with 69 additions and 2 deletions


@@ -140,6 +140,8 @@ CIRCNetwork::CIRCNetwork(CUser* pUser, const CString& sName)
m_vQueries(),
m_sChanPrefixes(""),
m_bIRCConnectEnabled(true),
m_bTrustAllCerts(false),
m_bTrustPKI(true),
m_sIRCServer(""),
m_vServers(),
m_uServerIdx(0),
@@ -377,6 +379,8 @@ bool CIRCNetwork::ParseConfig(CConfig* pConfig, CString& sError,
};
TOption<bool> BoolOptions[] = {
{"ircconnectenabled", &CIRCNetwork::SetIRCConnectEnabled},
{"trustallcerts", &CIRCNetwork::SetTrustAllCerts},
{"trustpki", &CIRCNetwork::SetTrustPKI},
};
TOption<double> DoubleOptions[] = {
{"floodrate", &CIRCNetwork::SetFloodRate},
@@ -545,6 +549,8 @@ CConfig CIRCNetwork::ToConfig() const {
config.AddKeyValuePair("IRCConnectEnabled",
CString(GetIRCConnectEnabled()));
config.AddKeyValuePair("TrustAllCerts", CString(GetTrustAllCerts()));
config.AddKeyValuePair("TrustPKI", CString(GetTrustPKI()));
config.AddKeyValuePair("FloodRate", CString(GetFloodRate()));
config.AddKeyValuePair("FloodBurst", CString(GetFloodBurst()));
config.AddKeyValuePair("JoinDelay", CString(GetJoinDelay()));
@@ -1272,6 +1278,8 @@ bool CIRCNetwork::Connect() {
CIRCSock* pIRCSock = new CIRCSock(this);
pIRCSock->SetPass(pServer->GetPass());
pIRCSock->SetSSLTrustedPeerFingerprints(m_ssTrustedFingerprints);
pIRCSock->SetTrustAllCerts(GetTrustAllCerts());
pIRCSock->SetTrustPKI(GetTrustPKI());
DEBUG("Connecting user/network [" << m_pUser->GetUserName() << "/"
<< m_sName << "]");
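Review bot: In the Connect() hunk, `pIRCSock->SetTrustAllCerts(GetTrustAllCerts());` hands the socket a flag that, per the commit description, disables TLS certificate validation, yet the DEBUG line right after it does not say so, which makes a network left in this state hard to spot when reading a debug trace. I would extend the message's last line to `<< m_sName << "]" << (GetTrustAllCerts() ? " (TLS certificate validation disabled)" : ""));`. The precedence between TrustAllCerts, TrustPKI and the pinned fingerprints set one line earlier is presumably decided in CIRCSock, which is not visible here, so a comment above the two new setters should state it, e.g. `// TrustAllCerts wins over TrustPKI and pinned fingerprints; the checks live in CIRCSock`, once that order is confirmed. The ParseConfig hunk accepts `trustallcerts` and `trustpki` as independent booleans, so a contradictory pair (TrustAllCerts on, TrustPKI off) loads silently; the same comment would document which one applies. Connect()'s body starts and ends outside the hunk.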