- Move the config comments to botconfig.py.example where they will be more useful,
and move the bits in settings.py near the other IRC-related settings.
- Removed support for hash types that aren't SHA-256 as we perform all the hashing on
our end (doesn't matter what the server does or does not support), and this greatly
simplifies the code while leaving things secure enough.
- Hardcode a default cipher suite according to mozilla modern standards, as the
builtin ciphersuite in python may be less secure for older python versions.
- Add support for EXTERNAL auth in SASL, if a client certificate is provided. If this
fails, it will fall back to PLAIN auth (to account for the case where a cert is added
to the bot, but has not yet been added to NickServ, so that the bot can connect and add
it to NickServ via !fsend)
- Redact passwords from console/log output so that asking people to pastebin their
--verbose output when reporting issues in #lykos is less fraught with peril.
If a TLS certificate fingerprint is provided, the client will check it against the SHA256 hex digest of the server's certificate. Different hash algorithms can be specified, and multiple fingerprints can be specified for networks with more than one server.
