diff options
| author | Wim <wim@42.be> | 2022-02-05 21:12:03 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-02-05 21:12:03 +0100 |
| commit | c3644c8d3b4fa87e0a001d8c419edbfbd67ceb5b (patch) | |
| tree | 06dbb17ebd95cec27b2124f146715ce23a408ce2 | |
| parent | 6438a3dba3c4cb241f1e2633ae6b23efd113d684 (diff) | |
| download | matterbridge-msglm-c3644c8d3b4fa87e0a001d8c419edbfbd67ceb5b.tar.gz matterbridge-msglm-c3644c8d3b4fa87e0a001d8c419edbfbd67ceb5b.tar.bz2 matterbridge-msglm-c3644c8d3b4fa87e0a001d8c419edbfbd67ceb5b.zip | |
Add support for client certificate (irc) (#1710)
Supports https://libera.chat/guides/certfp.html
| -rw-r--r-- | bridge/irc/irc.go | 32 | ||||
| -rw-r--r-- | matterbridge.toml.sample | 7 |
2 files changed, 38 insertions, 1 deletions
diff --git a/bridge/irc/irc.go b/bridge/irc/irc.go index 260f66df..4b7b144b 100644 --- a/bridge/irc/irc.go +++ b/bridge/irc/irc.go @@ -2,6 +2,7 @@ package birc import ( "crypto/tls" + "errors" "fmt" "hash/crc32" "io/ioutil" @@ -72,6 +73,10 @@ func (b *Birc) Command(msg *config.Message) string { } func (b *Birc) Connect() error { + if b.GetBool("UseSASL") && b.GetString("TLSClientCertificate") != "" { + return errors.New("you can't enable SASL and TLSClientCertificate at the same time") + } + b.Local = make(chan config.Message, b.MessageQueue+10) b.Log.Infof("Connecting %s", b.GetString("Server")) @@ -300,6 +305,11 @@ func (b *Birc) getClient() (*girc.Client, error) { b.Log.Debugf("setting pingdelay to %s", pingDelay) + tlsConfig, err := b.getTLSConfig() + if err != nil { + return nil, err + } + i := girc.New(girc.Config{ Server: server, ServerPass: b.GetString("Password"), @@ -309,7 +319,7 @@ func (b *Birc) getClient() (*girc.Client, error) { Name: realName, SSL: b.GetBool("UseTLS"), Bind: b.GetString("Bind"), - TLSConfig: &tls.Config{InsecureSkipVerify: b.GetBool("SkipTLSVerify"), ServerName: server}, //nolint:gosec + TLSConfig: tlsConfig, PingDelay: pingDelay, // skip gIRC internal rate limiting, since we have our own throttling AllowFlood: true, @@ -381,3 +391,23 @@ func (b *Birc) storeNames(client *girc.Client, event girc.Event) { func (b *Birc) formatnicks(nicks []string) string { return strings.Join(nicks, ", ") + " currently on IRC" } + +func (b *Birc) getTLSConfig() (*tls.Config, error) { + server, _, _ := net.SplitHostPort(b.GetString("server")) + + tlsConfig := &tls.Config{ + InsecureSkipVerify: b.GetBool("skiptlsverify"), //nolint:gosec + ServerName: server, + } + + if filename := b.GetString("TLSClientCertificate"); filename != "" { + cert, err := tls.LoadX509KeyPair(filename, filename) + if err != nil { + return nil, err + } + + tlsConfig.Certificates = []tls.Certificate{cert} + } + + return tlsConfig, nil +} diff --git a/matterbridge.toml.sample b/matterbridge.toml.sample index fd341ff8..8bc0f6c1 100644 --- a/matterbridge.toml.sample +++ b/matterbridge.toml.sample @@ -24,6 +24,13 @@ Password="" #OPTIONAL (default false) UseTLS=false +#Use client certificate - see CertFP https://libera.chat/guides/certfp.html +#Specify filename which contains private key and cert +#OPTIONAL (default "") +# +#TLSClientCertificate="cert.pem" +TLSClientCertificate="" + #Enable SASL (PLAIN) authentication. (libera requires this from eg AWS hosts) #It uses NickServNick and NickServPassword as login and password #OPTIONAL (default false) |