Bug#1102388: irssi: Support for multiple pinned public keys needed

    From Manny@21:1/5 to All on Tue Apr 8 16:10:02 2025
    Package: irssi
    Version: 1.4.3-2
    Severity: wishlist
    Tags: upstream
    X-Debbugs-Cc: debbug.irssi@sideload.33mail.com

    The OFTC onion server is:

    ircs://oftcnet6xg6roj6d7id4y4cu6dchysacqj2ldgea73qzdagufflqxrid.onion:6697

    That onion has some load balancing function so there are multiple
    different hosts that could handle the handshaking. ATM, these two
    fingerprints are possible:

    * 63:0F:19:BB:AF:61:5A:9F:B1:03:98:0A:70:4A:DA:E9:E6:C9:73:9E:1F:53:AD:DD:83:43:E4:E1:71:3A:50:B5
    * 2C:12:F2:C6:1B:01:DD:99:0F:3A:BC:1D:1C:6B:75:87:CC:B8:18:97:84:F9:B5:21:2A:18:2D:18:CC:D4:96:EC

    depending on which non-deterministic host answers the
    connection. IRSSI is only capable of pinning one fingerprint. And the
    user has no control over which host will be selected.

    I tagged this as wishlist but it might actually be a severe bug. I
    have been unable to test further. But it’s important to realise that
    if you use socat to tunnel to an onion host, the hostname of
    “localhost” will fail a TLS check, thus forcing TLS verification to be
    disabled. Of course under those circumstances pubkey pinning is
    critically important. Being able to pin multiple keys is therefore
    important.

    -- System Information:
    Debian Release: 12.10
    APT prefers stable-updates
    APT policy: (990, 'stable-updates'), (990, 'stable-security'), (990, 'stable'), (500, 'oldstable')
    Architecture: amd64 (x86_64)
    Foreign Architectures: i386

    Kernel: Linux 5.10.0-28-amd64 (SMP w/2 CPU threads)
    Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
    Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
    Shell: /bin/sh linked to /usr/bin/dash
    Init: systemd (via /run/systemd/system)
    LSM: AppArmor: enabled

    Versions of packages irssi depends on:
    ii libc6 2.36-9+deb12u10
    ii libglib2.0-0 2.74.6-2+deb12u5
    ii libperl5.36 5.36.0-7+deb12u1
    ii libssl3 3.0.15-1~deb12u1
    ii libtinfo6 6.4-4
    ii perl 5.36.0-7+deb12u1
    ii perl-base [perlapi-5.36.0] 5.36.0-7+deb12u1

    irssi recommends no packages.

    Versions of packages irssi suggests:
    ii irssi-scripts 20220704

    -- no debconf information

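The check the report asks for, sketched as an added example; it is not part of the original bug report and is not irssi code. It accepts a server whose certificate matches any fingerprint in a pin set while CA and hostname verification are off, as in the tunnel case described above. Assumptions: the listed fingerprints are SHA-256 digests of the DER-encoded certificate (the report does not say which object is hashed), and the names `normalize_pin`, `is_pinned` and `connect_pinned` are hypothetical.

```python
import hashlib
import hmac
import socket
import ssl

# The two fingerprints listed in the report. Assumption: each is the SHA-256
# digest of the server certificate in DER form.
OFTC_PINS = [
    "63:0F:19:BB:AF:61:5A:9F:B1:03:98:0A:70:4A:DA:E9:E6:C9:73:9E:1F:53:AD:DD:83:43:E4:E1:71:3A:50:B5",
    "2C:12:F2:C6:1B:01:DD:99:0F:3A:BC:1D:1C:6B:75:87:CC:B8:18:97:84:F9:B5:21:2A:18:2D:18:CC:D4:96:EC",
]

def normalize_pin(pin: str) -> str:
    """Return a pin as 64 lowercase hex digits, rejecting anything else."""
    digits = pin.replace(":", "").replace(" ", "").lower()
    if len(digits) != 64 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a SHA-256 fingerprint: {pin!r}")
    return digits

def is_pinned(der_cert: bytes, pins) -> bool:
    """True if the certificate's SHA-256 fingerprint equals any pin."""
    seen = hashlib.sha256(der_cert).hexdigest()
    allowed = [normalize_pin(p) for p in pins]
    # An empty pin list matches nothing, so a misconfiguration fails closed.
    return any([hmac.compare_digest(seen, p) for p in allowed])

def connect_pinned(host: str, port: int, pins, timeout: float = 30.0):
    """Open TLS with CA and hostname checks off, then enforce the pin set.

    Mirrors the tunnel case in the report: the client dials "localhost",
    the hostname check cannot pass, and the pin set is the only thing
    authenticating the server.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw)
    except Exception:
        raw.close()
        raise
    der = tls.getpeercert(binary_form=True)
    if der is None or not is_pinned(der, pins):
        tls.close()
        raise ssl.SSLError("server certificate matches none of the pinned fingerprints")
    return tls
```

If the pins are instead digests of the public key, the same set comparison applies but the hashed bytes must be the certificate's SubjectPublicKeyInfo rather than the whole certificate.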