Deprecate link::verify-certificate, as 'Client Authentication EKU' is being

dropped by public certificate authorities (as per Chrome Root Program). The fix is to simply use 'spkifp'. The config warning has all the details.
2026-06-12 17:34:46 +02:00 · 2026-05-01 19:47:28 +02:00
parent 17f78de265
commit c0f68bfd08
2 changed files with 24 additions and 39 deletions
@@ -6969,6 +6969,21 @@ int	_test_link(ConfigFile *conf, ConfigEntry *ce)
 				errors++;
 				continue;
 			}
+			if (config_checkval(cep->value, CFG_YESNO))
+			{
+				unreal_log(ULOG_WARNING, "config", "CONFIG_VERIFY_CERTIFICATE_DEPRECATED", NULL,
+				           "$file:$line_number: link::verify-certificate should no longer be used because public "
+				           "certificate authorities are dropping the 'Client Authentication EKU' from TLS certs, "
+				           "see e.g. https://letsencrypt.org/2025/05/14/ending-tls-client-authentication.\n"
+				           "We recommend using a 'dual certificate setup' as outlined in "
+				           "https://www.unrealircd.org/docs/Using_Let's_Encrypt_with_UnrealIRCd which will give you: "
+				           "1) A short-lived certificate from Let's Encrypt on port 6697 and "
+				           "2) A long-lived self-signed certificate used for linking on serversonly port 6900.\n"
+				           "And then simply use 'spkifp' for linking on port 6900 as outlined in "
+				           "https://www.unrealircd.org/docs/Tutorial:_Linking_servers",
+				           log_data_string("file", cep->file->filename),
+				           log_data_integer("line_number", cep->line_number));
+			}
 		}
 		else if (!strcmp(cep->name, "options"))
 		{
@@ -1739,8 +1739,6 @@ void tls_link_notification_verify(Client *client, ConfigItem_link *aconf)
 {
 	const char *spki_fp;
 	const char *tls_fp;
-	char *errstr = NULL;
-	int verify_ok;

 	if (!MyConnect(client) || !client->local->ssl || !aconf || IsLocalhost(client))
 		return;
@@ -1767,21 +1765,6 @@ void tls_link_notification_verify(Client *client, ConfigItem_link *aconf)
 	if (!tls_fp || !spki_fp)
 		return; /* wtf ? */

-	verify_ok = verify_certificate(client->local->ssl, aconf->servername, &errstr);
-	if (errstr && strstr(errstr, "not valid for hostname"))
-	{
-		unreal_log(ULOG_WARNING, "link", "WARN_UNVERIFIED_LINK_CERTIFICATE", client,
-		          "This server link is not verified (and hence is suspectible to an active MITM attack). "
-		          "In future UnrealIRCd versions this will become a fatal error!\n"
-		          "More information about this can be found on https://www.unrealircd.org/Link_verification\n"
-		          "Unfortunately the certificate of server '$client' has a name mismatch:\n"
-		          "$tls_verify_error\n"
-		          "This isn't a fatal error but it will prevent you from using verify-certificate yes;",
-		          log_data_link_block(aconf),
-		          log_data_string("tls_verify_error", errstr));
-	} else
-	if (!verify_ok)
-	{
 	unreal_log(ULOG_WARNING, "link", "WARN_UNVERIFIED_LINK_CERTIFICATE", client,
 	          "This server link is not verified (and hence is suspectible to an active MITM attack). "
 	          "In future UnrealIRCd versions this will become a fatal error!\n"
@@ -1791,19 +1774,6 @@ void tls_link_notification_verify(Client *client, ConfigItem_link *aconf)
 	          "And follow the instructions on the other side of the link as well (which will be similar, but will use a different hash)",
 	          log_data_link_block(aconf),
 	          log_data_string("spki_fingerprint", spki_fp));
-	} else
-	{
-		unreal_log(ULOG_WARNING, "link", "WARN_UNVERIFIED_LINK_CERTIFICATE", client,
-		          "This server link is not verified (and hence is suspectible to an active MITM attack). "
-		          "In future UnrealIRCd versions this will become a fatal error!\n"
-		          "More information about this can be found on https://www.unrealircd.org/Link_verification\n"
-		          "In short: in the configuration file, add the following to your 'link $client {' block:\n"
-		          "verify-certificate yes;\n"
-		          "Alternatively, you could use SPKI fingerprint verification. Then change the password in the link block to be:\n"
-		          "password \"$spki_fingerprint\" { spki_fp; };",
-		          log_data_link_block(aconf),
-		          log_data_string("spki_fingerprint", spki_fp));
-	}
 }

 /** This will send "to" a full list of the modes for channel channel,