Tip of the day: The Security article gives hands-on tips on how to deal with drone attacks, flooding, spammers, (D)DoS and more.

Link verification

From UnrealIRCd documentation wiki
Jump to navigation Jump to search

When two IRC servers link it is important not only that their passwords match but also that they verify the SSL/TLS certificate of eachother. Not doing so permits a Man-in-the-middle attack. This is currently a warning, but will become a hard error in later UnrealIRCd versions.

Do you use self-signed certificates? Then jump to #Verify by TLS key.

People who use a "real" certificate can choose between #Verify by certificate verification (which is by far the easiest) or #Verify by TLS key (if you are paranoid and only if your SSL keys don't change every XX days. Note that this is not the default with Let's Encrypt).

If you have no idea then jump to #Verify by TLS key.

Verify by TLS key

Most users have a self-signed certificate. Then UnrealIRCd will show something like:

*** You may want to consider verifying this server link.
*** More information about this can be found on https://www.unrealircd.org/Link_verification
*** In short: in the configuration file, change the 'link testlink.test.net {' block to use this as a password:
*** password "AHMYBevUxXKU/S3pdBSjXP4zi4VOetYQQVJXoNYiBR0=" { spkifp; };
*** And follow the instructions on the other side of the link as well (which will be similar, but will use a different hash)

First of all, before you change anything, make sure you captured the message from above from BOTH sides of the link and have access to the configuration file on both sides of the link (or have a fellow administrator do it).

Let's first deal with the side of the link which outputted the above message.

Say you have a link block like this:

link testlink.test.net {
    incoming {
        mask *;
    };
    password "test";
    class servers;
};

Then change the password as instructed by the server to look like:

link testlink.test.net {
    incoming {
        mask *;
    };
    password "AHMYBevUxXKU/S3pdBSjXP4zi4VOetYQQVJXoNYiBR0=" { spkifp; }; // <--- MODIFIED
    class servers;
};

Be sure to use the exact password and syntax as instructed to you on IRC by the on-link message.

If you wonder what the AHMYBevUxXKU/S3pdBSjXP4zi4VOetYQQVJXoNYiBR0= is. It is a hash of the SSL public key from the other side of the link. By using it as a password it helps you verify the link. It's more secure than using a simple password.

Repeat the procedure from above on the other side of the link. Again following the instructions as outputted on THAT side. Note that the password will be different. This is normal.

Once all is done, /REHASH both servers, /SQUIT the server and see if you can link it in again with /CONNECT.

Verify by certificate verification

*** You may want to consider verifying this server link.
*** More information about this can be found on https://www.unrealircd.org/Link_verification
*** In short: in the configuration file, add the following to your 'link testlink.test.net {' block:
*** verify-certificate yes;
*** Alternatively, you could use SPKI fingerprint verification. Then change the password in the link block to be:
*** password "AHMYBevUxXKU/S3pdBSjXP4zi4VOetYQQVJXoNYiBR0=" { spkifp; };

So, say you have a link block like this:

link testlink.test.net {
    incoming {
        mask *;
    };
    password "test";
    class servers;
};

Then add verify-certificate yes; to it so it looks like:

link testlink.test.net {
    incoming {
        mask *;
    };
    password "test";
    class servers;
    verify-certificate yes; // <---- ADDED
};

Then /REHASH the server.

What this does is tell UnrealIRCd to verify the SSL/TLS certificate of the other side of the link. Making sure it is valid, issued by a trusted Certificate Authority and valid for the hostname.

To test it you may want to /SQUIT the server and re-link it with /CONNECT.

UnrealIRCd also told you an alternative, which is the spkifp. See #Verify by TLS key. Note that you can only use this if your certificate keys don't change. If you use Let's Encrypt then note that by default certbot DOES change keys and thus your spki password will change every 30-90days. Changing this requires special configuration, such as the --reuse-key option in newer versions of certbot (it was added in v0.25.0 on 2018-06-06).