Link verification
When two IRC servers link it is important not only that their passwords match but also that each verifies the SSL/TLS certificate of the other. Not doing so leaves the link open to a man-in-the-middle attack. Since 2017 we print a message on-link about this and it will become a hard error in later UnrealIRCd versions (in Q2 2026 or so).
Now, to proceed:
- Do you use a self-signed certificate for server linking? Then jump to #Verify by TLS key. This is by far the most common case. It's what we use in our server linking guide and also in Using Let's Encrypt with UnrealIRCd.
- If you use a real certificate also for server linking (this is less common; usually people only use real certs for the client ports), then you can choose between #Verify by certificate verification (by far the easiest) and #Verify by TLS key (only if you are paranoid and only if your SSL keys don't change every XX days; note that unchanging keys are not the default with Let's Encrypt).
- If you have no idea then jump to #Verify by TLS key.
Verify by TLS key
Most users have a self-signed certificate. Then UnrealIRCd will show something like:
*** You may want to consider verifying this server link.
*** More information about this can be found on https://www.unrealircd.org/Link_verification
*** In short: in the configuration file, change the 'link testlink.test.net {' block to use this as a password:
*** password "AHMYBevUxXKU/S3pdBSjXP4zi4VOetYQQVJXoNYiBR0=" { spkifp; };
*** And follow the instructions on the other side of the link as well (which will be similar, but will use a different hash)
First of all, before you change anything, make sure you captured the message from above from BOTH sides of the link and have access to the configuration file on both sides of the link (or have a fellow administrator do it).
Let's first deal with the side of the link which output the above message.
Say you have a link block like this:
link testlink.test.net {
    incoming { mask *; };
    password "test";
    class servers;
};
Then change the password as instructed by the server to look like:
link testlink.test.net {
    incoming { mask *; };
    password "AHMYBevUxXKU/S3pdBSjXP4zi4VOetYQQVJXoNYiBR0=" { spkifp; }; // <--- MODIFIED
    class servers;
};
Be sure to use the exact password and syntax as instructed to you on IRC by the on-link message.
If you wonder what AHMYBevUxXKU/S3pdBSjXP4zi4VOetYQQVJXoNYiBR0= is: it is a hash of the SSL public key from the other side of the link. Using it as the password ties the link to that specific key and so verifies the link, which is more secure than a simple shared password.
Repeat the procedure from above on the other side of the link, again following the instructions output on THAT side. Note that the password will be different. This is normal.
Once all is done, /REHASH both servers, /SQUIT the server and see if you can link it in again with /CONNECT.
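To check the hash you were shown against the certificate the other server actually presents, the value can be recomputed independently. The following is an added example, not part of this page or of UnrealIRCd; it assumes the spkifp is the standard SPKI pin, i.e. base64 of the SHA-256 digest over the DER-encoded SubjectPublicKeyInfo (the 44-character value above has exactly the length of such a hash), and it uses a small constructed certificate skeleton as sample input instead of a real certificate.

```python
import base64
import hashlib
import ssl


def _read_tlv(buf, pos):
    """Decode the DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def spki_from_der(cert_der):
    """Return the DER bytes of subjectPublicKeyInfo from a DER X.509 certificate."""
    _, pos, _ = _read_tlv(cert_der, 0)    # Certificate SEQUENCE
    _, pos, _ = _read_tlv(cert_der, pos)  # tbsCertificate SEQUENCE
    if cert_der[pos] == 0xA0:             # optional explicit [0] version
        _, _, pos = _read_tlv(cert_der, pos)
    for _ in range(5):                    # serialNumber, signature, issuer, validity, subject
        _, _, pos = _read_tlv(cert_der, pos)
    _, _, end = _read_tlv(cert_der, pos)  # subjectPublicKeyInfo SEQUENCE (kept whole)
    return cert_der[pos:end]


def spki_fingerprint(cert_der):
    """base64(SHA-256(SubjectPublicKeyInfo)): assumed to be the on-link spkifp format."""
    return base64.b64encode(hashlib.sha256(spki_from_der(cert_der)).digest()).decode()


def spki_fingerprint_pem(cert_pem):
    """Same, for a PEM certificate such as the other server's certificate file."""
    return spki_fingerprint(ssl.PEM_cert_to_DER_cert(cert_pem))


def _tlv(tag, content):
    """Encode one DER TLV (used only to build the constructed sample below)."""
    n = len(content)
    ln = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + ln + content


# Constructed sample, NOT a real certificate: empty placeholder fields up to subject, then
# an SPKI holding the EC P-256 OID and a dummy 65-byte point; the signature is a stub.
SAMPLE_SPKI = _tlv(0x30, _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"))
                   + _tlv(0x03, b"\x00\x04" + b"\x11" * 64))
SAMPLE_CERT_DER = _tlv(0x30, _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")
                                 + _tlv(0x30, b"") * 4 + SAMPLE_SPKI) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
```

Feed spki_fingerprint_pem() the PEM certificate the other side uses for linking; if the result does not match the hash that server showed you on-link, do not put that hash in your link block.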
Verify by certificate verification
*** You may want to consider verifying this server link.
*** More information about this can be found on https://www.unrealircd.org/Link_verification
*** In short: in the configuration file, add the following to your 'link testlink.test.net {' block:
*** verify-certificate yes;
*** Alternatively, you could use SPKI fingerprint verification. Then change the password in the link block to be:
*** password "AHMYBevUxXKU/S3pdBSjXP4zi4VOetYQQVJXoNYiBR0=" { spkifp; };
So, say you have a link block like this:
link testlink.test.net {
    incoming { mask *; };
    password "test";
    class servers;
};
Then add verify-certificate yes; to it so it looks like:
link testlink.test.net {
    incoming { mask *; };
    password "test";
    class servers;
    verify-certificate yes; // <---- ADDED
};
Then /REHASH the server.
This tells UnrealIRCd to verify the SSL/TLS certificate of the other side of the link: that it is valid, issued by a trusted Certificate Authority, and valid for the hostname.
To test it you may want to /SQUIT the server and re-link it with /CONNECT.
UnrealIRCd also told you about an alternative, the spkifp. See #Verify by TLS key. You can only use that alternative if your certificate keys don't change. By default, if you use Let's Encrypt, your keys WILL change every 30-90 days and thus you would have to edit your config file to adjust the key every 30-90 days, which is BAD. It is possible to keep the same keys, for example with --reuse-key in certbot, but you must explicitly configure that. TL;DR: If you use Let's Encrypt then use verify-certificate yes; as explained above. Only use the alternative if you know what you are doing.
Turning it off
The warning/error can be turned off via link::options::no-certificate-check, eg:
link irc1.example.net {
    ...
    options {
        no-certificate-verification;
    };
};
Note that this is in link::options and not in link::outgoing::options.
Turning it off is NOT RECOMMENDED unless you know what you are doing. Note that TLS linking over localhost does not trigger this warning/error, so there is no need to turn it off in that case.