Package: irssi Version: 1.4.3-2 Severity: wishlist Tags: upstream X-Debbugs-Cc: [email protected]
The OFTC onion server is: ircs://oftcnet6xg6roj6d7id4y4cu6dchysacqj2ldgea73qzdagufflqxrid.onion:6697 That onion has some load balancing function so there are multiple different hosts that could handle the handshaking. ATM, these two fingerprints are possible: * 63:0F:19:BB:AF:61:5A:9F:B1:03:98:0A:70:4A:DA:E9:E6:C9:73:9E:1F:53:AD:DD:83:43:E4:E1:71:3A:50:B5 * 2C:12:F2:C6:1B:01:DD:99:0F:3A:BC:1D:1C:6B:75:87:CC:B8:18:97:84:F9:B5:21:2A:18:2D:18:CC:D4:96:EC depending on which non-deterministic host answers the connection. IRSSI is only capable of pinning one fingerprint. And the user has no control over which host will be selected. I tagged this as wishlist but it might actually be a severe bug. I have been unable to test further. But it’s important to realise that if you use socat to tunnel to an onion host, the hostname of “localhost” will fail a TLS check, thus forcing TLS verification to be disabled. Of course under those circumstances pubkey pinning is critically important. Being able to pin multiple keys is therefore important. -- System Information: Debian Release: 12.10 APT prefers stable-updates APT policy: (990, 'stable-updates'), (990, 'stable-security'), (990, 'stable'), (500, 'oldstable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 5.10.0-28-amd64 (SMP w/2 CPU threads) Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages irssi depends on: ii libc6 2.36-9+deb12u10 ii libglib2.0-0 2.74.6-2+deb12u5 ii libperl5.36 5.36.0-7+deb12u1 ii libssl3 3.0.15-1~deb12u1 ii libtinfo6 6.4-4 ii perl 5.36.0-7+deb12u1 ii perl-base [perlapi-5.36.0] 5.36.0-7+deb12u1 irssi recommends no packages. Versions of packages irssi suggests: ii irssi-scripts 20220704 -- no debconf information
