lrstanley / girc

:bomb: girc is a flexible IRC library for Go :ok_hand:

Home Page: https://pkg.go.dev/github.com/lrstanley/girc

Strict Transport Security (sts) support?

lol768 opened this issue

Any plans to implement this?

Yes, I plan to support most if not all of IRCv3. This is just one I haven't gotten around to yet.

Just FYI, I started working on this on/off the past few days, should be done with it soon. Sorry it took so long!

I believe I've completed STS functionality (in https://github.com/lrstanley/girc/tree/feature/sts) with the exception of a persistent store for the policies. For now, it will only be in-memory based storage (but the goal is this persists connections, as clients should be re-used).

I will eventually get around to creating some kind of policy storage interface that allows users to store policies however they define, but for now I think this is a good enough replacement for STARTTLS, even without the additional STS functionality of persisted enforcement, even after restarts.

If anyone wants to test it out before I merge: @nmeum @42wim @puffrfish @bmeh @qaisjp and anyone else I can remember off the top of my head.

See: https://ircv3.net/specs/extensions/sts
And: https://ircv3.net/support/networks (Oragono Testnet is a good test network)

Note the implications -- it WILL by default disconnect from IRC and reconnect when the server provides an STS policy (this should mean little to handlers unless you have on-connect stuff, as it should happen before registration). It will fall back by default on the first attempt if it fails to the original non-secure connection. If it successfully makes a connection with a valid policy (and fails after), it will continue failing until the policy expires. Connections made over TLS won't do anything different.

Merged in 634e679.
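
The upgrade and in-memory enforcement behaviour discussed in this thread, as an added example that is not girc's code or part of the original issue. The `policy`, `store`, `observe` and `enforce` names and the sample hostname are hypothetical; the handling of the `port` and `duration` keys follows the IRCv3 STS specification linked above.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

type policy struct { // hypothetical type for this example, not girc's own
	port    int
	expires time.Time
}
type store map[string]policy // hostname -> policy, held in memory only

// observe applies an "sts" value; a non-zero result is the TLS port to reconnect on.
func (s store) observe(host string, secure bool, connPort int, value string, now time.Time) (int, error) {
	for _, tok := range strings.Split(value, ",") {
		key, val, _ := strings.Cut(tok, "=")
		n, err := strconv.ParseUint(val, 10, 32)
		switch {
		case key == "port" && !secure: // port is honoured on plaintext only
			if err != nil || n == 0 || n > 65535 {
				return 0, fmt.Errorf("sts: invalid port %q", val)
			}
			return int(n), nil
		case key == "duration" && secure && err != nil:
			return 0, fmt.Errorf("sts: invalid duration %q", val)
		case key == "duration" && secure && n == 0:
			delete(s, host) // duration=0 revokes the stored policy
		case key == "duration" && secure: // duration is honoured over TLS only
			s[host] = policy{connPort, now.Add(time.Duration(n) * time.Second)}
		}
	}
	return 0, nil
}

// enforce returns the TLS port an unexpired policy requires for host, if any.
func (s store) enforce(host string, now time.Time) (int, bool) {
	if p, ok := s[host]; ok && now.Before(p.expires) {
		return p.port, true
	}
	delete(s, host) // absent or expired
	return 0, false
}

func main() { // constructed sample input
	fmt.Println(store{}.observe("irc.example.org", false, 6667, "port=6697", time.Now()))
}
```

Ignoring `duration` on plaintext and `port` over TLS keeps an on-path attacker from planting or redirecting a policy through an unauthenticated connection.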