| Tip of the day: The blacklist { } block can be used to ban known troublemakers that are listed in blacklists like EfnetRBL and DroneBL. |
Moving users to TLS
Below is a summary of our efforts to move users, opers and servers to use SSL/TLS. It is mainly for historic purposes.
Summary table
| Security measure | Warning | Denied | |
|---|---|---|---|
| SSL/TLS support | Available since Q4 2000 | ||
| Disable SSLv2 | Aug 2002 | ||
| Disable SSLv3 | Dec 2015 | ||
| Disable TLSv1.0 & TLSv1.1 | server links | Mar 2019 | Dec 2019 |
| administrators | Mar 2019 | Dec 2019 | |
| all connections | Mar 2019 | Jan 2023 | |
| Bad ciphers or AES with no Forward Secrecy | server links | Mar 2019 | Dec 2019 |
| administrators | Mar 2019 | Dec 2019 | |
| all connections | Mar 2019 | Jan 2023 | |
| Automatic upgrading from non-TLS to TLS | server links | Via STARTTLS since Dec 2015 | |
| user connections | Optional via STS since Aug 2017 | ||
| Disallow non-TLS connections | server links (out) | Dec 2015 | |
| server links (in) | Dec 2015 | Sep 2017 | |
| administrators | Sep 2017 | Dec 2019 | |
| all connections | |||
In this table administrators means IRC Operator (IRCOp) connections - users trying to /OPER.
The table reflects the default UnrealIRCd settings. Server admins have the option to override settings or make other choices (more strict or more loose).
SSL/TLS support added
In the year 2000 UnrealIRCd was one of the first IRC daemons to have built-in SSL/TLS support. (source)
Disable SSLv2
Support for insecure SSLv2 was disabled very early, back in August 2002 (source)
Disable SSLv3
UnrealIRCd disabled SSLv3 by default in UnrealIRCd 4.0.0 which was released December 2015. (source)
For comparisons sake, web browsers disabled it slightly earlier. Such as Firefox 34 in December 2014, Chrome 40 in January 2015 and Internet Explorer in April 2015.
Warn on non-TLS server links
Lots of sensitive data travels between servers links, so it is important for them to use SSL/TLS. Starting with UnrealIRCd 4.0.0, which was released Dec 2015, we did so. (source)
Deny non-TLS server links
Since there really is no good reason for server links to be non-TLS, in UnrealIRCd 4.0.14 this was changed to deny non-TLS server links. Released on September 2017. (source)
For outgoing server links this was already done in UnrealIRCd 4.0.0 (Dec 2015), because this was easier with the automatic STARTTLS upgrade feature, see below (source)
Automatically upgrade non-TLS server connections to TLS
In UnrealIRCd 4.0.0 (Dec 2015) we made it that any non-TLS outgoing connection is automatically upgraded to TLS using STARTTLS. (source).
Strict Transport Policy
In UnrealIRCd 4.0.13, released in August 2017, we implemented support for for Strict Transport Policy (STS), while still a draft specification at that time. What STS does is two things: 1) it automatically redirects non-TLS users to the TLS port, 2) it only allows the server to use "real certificates", ones that are issued by a trusted Certificate Authority such as Let's Encrypt. (source)
Warn when IRCOps use non-TLS
Users with administrative privileges can see sensitive information. Also their credentials can be stolen and misused if you don't use SSL/TLS. Opers receive a warning if not using TLS since UnrealIRCd 4.0.14, released on September 2017. (source)
Deny IRCOps on non-TLS connections
Starting with UnrealIRCd 5.0.0, released on December 2019, we no longer allow admin users (IRCOps) to use non-TLS connections by default. IRCOps must use TLS. (source)
Warning on outdated TLS protocols/ciphers
At a certain point we will want to adjust our permitted TLS protocols and ciphersuite. It is good to first have a period where we warn the clients with a helpful notice, rather than presenting them with a mysterious connection failure.
In UnrealIRCd 4.2.2, released in March 2019, we started to warn regular users, ircops and on server connections that use insecure ciphers (eg: RC4, 3DES, but also AES if they lack Forward Secrecy) or protocols (anything below TLSv1.2). (source)
Disable TLSv1.0 and TLSv1.1
In UnrealIRCd 5.0.0 (Dec 2019) we already reject server links and administrative (IRCOp) connections if they use <TLSv1.2. The next step was to disable older versions of the TLS protocol (TLS v1.0 and TLS v1.1) completely.
Browsers disabled these old protocols: Chrome 84 did it in July 2020, Microsoft planned to do it in IE / Classic Edge in spring of 2021 at the earliest (blog post). Note, however, that on the server side, major sites such as google.com still have TLS 1.0 and 1.1 enabled to this day.
In UnrealIRCd we disabled TLS 1.0 and TLS 1.1 by default in UnrealIRCd 6.0.5, released in January 2023 (or more precise: 6.0.5-rc1 released in 7 dec 2022).