
Moving users to TLS

From UnrealIRCd documentation wiki

Below is a summary of our efforts to move users, opers and servers to SSL/TLS. It is kept mainly for historical purposes.

Summary table

Security measure                           | Scope              | Warning  | Denied
-------------------------------------------|--------------------|----------|---------
SSL/TLS support                            |                    | available since Q4 2000
Ship with SSL/TLS port 6697 by default     |                    | Apr 2004
Always build with SSL                      |                    | Dec 2015
Refuse booting without open SSL/TLS port   |                    | Feb 2017 | Jul 2019
Disable SSLv2                              |                    | Aug 2002
Disable SSLv3                              |                    | Dec 2015
Disable TLSv1.0 & TLSv1.1                  | server links       | Mar 2019 | Dec 2019
                                           | administrators     | Mar 2019 | Dec 2019
                                           | all connections    | Mar 2019 | Jan 2023
Bad ciphers or AES with no Forward Secrecy | server links       | Mar 2019 | Dec 2019
                                           | administrators     | Mar 2019 | Dec 2019
                                           | all connections    | Mar 2019 | Jan 2023
Automatic upgrading from non-TLS to TLS    | server links       | via STARTTLS since Dec 2015
                                           | user connections   | optional via STS since Aug 2017
Disallow non-TLS connections               | server links (out) |          | Dec 2015
                                           | server links (in)  | Dec 2015 | Sep 2017
                                           | administrators     | Sep 2017 | Dec 2019
                                           | all connections    |          |

A single date in a row means the measure took effect at that date without a separate warning period.

In this table, administrators means IRC Operator (IRCOp) connections, that is, users trying to /OPER.

The table reflects the default UnrealIRCd settings. Server admins have the option to override settings or make other choices (more strict or more loose).

SSL/TLS support added

In the year 2000 UnrealIRCd was one of the first IRC daemons to have built-in SSL/TLS support. (source)

Encouraging SSL/TLS port 6697

From 2004 onwards, with the release of UnrealIRCd 3.2, we actively started promoting port 6697 as the standard SSL/TLS port in the default example configuration. (source) We were not the first to pick that port number; several networks and StunTour already used it at the time, but shipping it in the UnrealIRCd default example configuration helped standardize the SSL/TLS port. Ten years later, in 2014, RFC 7194 was published, documenting 6697 as the standard SSL/TLS port for IRC.

Always build with SSL

Previously, building with the OpenSSL library was optional. This was changed to a hard requirement with the release of UnrealIRCd 4.0.0 in December 2015. (source and announcement)

Warn on no TLS port

Although the example configuration had SSL/TLS port 6697 open by default, admins could remove that listen block, or accidentally leave it out when writing a configuration file from scratch. So, in February 2017, we started warning if no listen block with an SSL/TLS port was present. (source)

Require a TLS port

Starting July 2019, we refuse to boot if there is no listen block with an SSL/TLS port. (source)

Disable SSLv2

Support for the insecure SSLv2 protocol was disabled very early, back in August 2002. (source)

Disable SSLv3

UnrealIRCd disabled SSLv3 by default in UnrealIRCd 4.0.0 which was released December 2015. (source)

For comparison's sake, web browsers disabled it slightly earlier: Firefox 34 in December 2014, Chrome 40 in January 2015 and Internet Explorer in April 2015.

Warn on non-TLS server links

Lots of sensitive data travels over server links (passwords, oper activity, the full message stream of every user), so it is important for them to use SSL/TLS. Starting with UnrealIRCd 4.0.0, released in December 2015, we warn when a server link is not using TLS. (source)

Deny non-TLS server links

Since there really is no good reason for server links to be non-TLS, UnrealIRCd 4.0.14, released in September 2017, changed this to deny incoming non-TLS server links. (source)

For outgoing server links this was already done in UnrealIRCd 4.0.0 (December 2015), because it was easy to combine with the automatic STARTTLS upgrade feature, see below. (source)

Automatically upgrade non-TLS server connections to TLS

In UnrealIRCd 4.0.0 (December 2015) we made it so that any non-TLS outgoing server connection is automatically upgraded to TLS using STARTTLS. (source)

Strict Transport Policy

In UnrealIRCd 4.0.13, released in August 2017, we implemented support for Strict Transport Security (STS), which was still a draft IRCv3 specification at the time. STS does two things: 1) it automatically redirects non-TLS users to the TLS port, and 2) it only allows the server to use "real certificates", ones issued by a trusted Certificate Authority such as Let's Encrypt, because STS-aware clients refuse to accept an unverifiable certificate once a policy is in place. (source)
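The client side of the exchange described above, as an added example that is not code from UnrealIRCd or any real IRC client. It parses the sts capability a server advertises in CAP LS and applies the two rules: a plaintext connection is told which TLS port to reconnect to, and a verified TLS connection is handed a policy with an expiry that forbids later plaintext connections to that host. The hostname, ports and clock values are constructed; storing the port the secure connection is already using, and refusing to learn a policy unless the certificate verified, are this example's own design choices.

```python
"""Simplified client-side handling of the IRCv3 `sts` capability.

Added example, not UnrealIRCd code.  Inputs (CAP LS lines, hostnames,
timestamps) are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class StsPolicy:
    port: int           # TLS port to use for this host from now on
    expires_at: float   # absolute time after which the policy is void
    preload: bool       # server asked to be included in preload lists


def parse_cap_ls(line: str) -> dict:
    """Return {capname: value-or-None} from a 'CAP * LS :...' line."""
    _, _, caps = line.partition(" :")          # trailing param holds the caps
    result = {}
    for cap in caps.split():
        name, sep, value = cap.partition("=")
        result[name] = value if sep else None
    return result


def parse_sts_value(value: str) -> dict:
    """Split 'duration=2592000,port=6697,preload' into {key: value-or-None}."""
    params = {}
    for item in value.split(","):
        if item:
            key, sep, val = item.partition("=")
            params[key] = val if sep else None
    return params


def handle_sts(policies: dict, host: str, connected_port: int,
               secure: bool, cert_valid: bool, caps: dict, now: float):
    """Apply an advertised sts policy.  Returns the client's action:
    ('reconnect', port) on plaintext; ('store', policy), ('clear',) or
    ('none',) on TLS."""
    value = caps.get("sts")
    if value is None:
        return ("none",)
    params = parse_sts_value(value)

    if not secure:
        # Plaintext: the only thing acted on is the port to upgrade to.
        # A duration is ignored here; policies are only trusted over TLS.
        port = params.get("port") or ""
        return ("reconnect", int(port)) if port.isdigit() else ("none",)

    if not cert_valid:
        # Never learn a policy from a connection whose certificate
        # did not verify (hypothetical safeguard in this example).
        return ("none",)
    duration = params.get("duration") or ""
    if not duration.isdigit():
        return ("none",)
    if int(duration) == 0:
        policies.pop(host, None)                 # duration=0 withdraws the policy
        return ("clear",)
    # Remember the port this verified connection is using and refresh
    # the expiry on every successful TLS connection.
    policies[host] = StsPolicy(port=connected_port,
                               expires_at=now + int(duration),
                               preload="preload" in params)
    return ("store", policies[host])


def connect_plan(policies: dict, host: str, requested_port: int,
                 use_tls: bool, now: float) -> dict:
    """Decide how to connect.  A live policy forces TLS on the stored port
    with strict certificate verification, whatever the user asked for."""
    policy = policies.get(host)
    if policy and policy.expires_at > now:
        return {"host": host, "port": policy.port, "tls": True, "strict_cert": True}
    if policy:
        del policies[host]                       # expired: forget it
    return {"host": host, "port": requested_port, "tls": use_tls, "strict_cert": False}


if __name__ == "__main__":
    store = {}
    # Constructed exchange: first plaintext, then TLS on the advertised port.
    plain = parse_cap_ls("CAP * LS :sts=port=6697 multi-prefix")
    print(handle_sts(store, "irc.example.net", 6667, False, False, plain, 1000.0))
    tls = parse_cap_ls(":irc.example.net CAP * LS :sts=duration=2592000,port=6697,preload")
    print(handle_sts(store, "irc.example.net", 6697, True, True, tls, 1000.0))
    print(connect_plan(store, "irc.example.net", 6667, False, 2000.0))
```

The point to notice is the asymmetry: the plaintext advertisement can only move the client to a TLS port, it cannot create a lasting policy, because anything said over plaintext could have been injected by an on-path attacker. Only the verified TLS connection can pin the host to TLS for the advertised duration.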

Warn when IRCOps use non-TLS

Users with administrative privileges can see sensitive information, and their credentials can be stolen and misused if the connection is not protected by SSL/TLS. Opers have received a warning when not using TLS since UnrealIRCd 4.0.14, released in September 2017. (source)

Deny IRCOps on non-TLS connections

Starting with UnrealIRCd 5.0.0, released in December 2019, we no longer allow admin users (IRCOps) to use non-TLS connections by default. IRCOps must use TLS. (source)

Warning on outdated TLS protocols/ciphers

Some TLS protocol versions and ciphersuites are considered less secure. It is better to first have a period in which we warn affected clients with a helpful notice, rather than changing the allowed ciphersuites and protocols outright and presenting clients with a mysterious connection failure (with no clear error).

In UnrealIRCd 4.2.2, released in March 2019, we started to warn regular users, IRCOps and linked servers that use insecure ciphers (e.g. RC4 and 3DES, but also AES without Forward Secrecy) or outdated protocols (anything below TLSv1.2). (source)

Disable TLSv1.0 and TLSv1.1 and outdated ciphers

In UnrealIRCd 5.0.0 (December 2019) we already rejected server links and administrative (IRCOp) connections that use a protocol older than TLSv1.2. The next step was to disable the older TLS protocol versions (TLSv1.0 and TLSv1.1) completely, for all connections.

Browsers had already disabled these old protocols: Chrome 84 did so in July 2020, and Microsoft planned to do so in IE / Classic Edge in spring 2021 at the earliest (blog post). Note, however, that on the server side, major sites such as google.com still had TLSv1.0 and TLSv1.1 enabled at the time of writing.

In UnrealIRCd we disabled TLSv1.0 and TLSv1.1 by default in UnrealIRCd 6.0.5, released in January 2023 (or more precisely: 6.0.5-rc1, released on 7 December 2022).

At the same moment, with release 6.0.5 in January 2023, we also changed the default ciphersuite to require a modern cipher with Forward Secrecy. This means we now refuse SSL/TLS connections from clients that only understand the ciphers mentioned under "Warning on outdated TLS protocols/ciphers" above.
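To make the criteria in the two preceding sections concrete, here is an added example (not UnrealIRCd code) that classifies a negotiated protocol/cipher pair by the page's rules and maps it to the staged response: warn only in 4.2.2, deny for server links and IRCOps but warn users in 5.0.0, deny for everyone from 6.0.5. The `probe()` helper performs a real handshake against a host given on the command line and feeds the result to the classifier; the cipher names in the sample calls are ordinary OpenSSL suite names, and the release labels and `decision()` mapping are this example's own encoding of the text.

```python
"""Classify a negotiated TLS protocol/cipher as UnrealIRCd's warnings describe.

Added example, not UnrealIRCd code.  Rules encoded from the text:
protocol below TLSv1.2 is outdated; RC4 and 3DES are bad ciphers; AES is
acceptable only with forward secrecy (ECDHE/DHE key exchange, or a TLS 1.3
suite, which always uses an ephemeral exchange).
"""
import socket
import ssl
import sys

# Protocol names as returned by ssl.SSLSocket.version(), in strength order.
PROTOCOL_ORDER = {"SSLv2": 0, "SSLv3": 1, "TLSv1": 2, "TLSv1.0": 2,
                  "TLSv1.1": 3, "TLSv1.2": 4, "TLSv1.3": 5}


def cipher_problems(cipher: str) -> list:
    """Reasons an OpenSSL cipher name is considered weak; [] if none."""
    name = cipher.upper()
    problems = []
    if "RC4" in name:
        problems.append("RC4")
    if "3DES" in name or "DES-CBC3" in name:
        problems.append("3DES")
    # TLS 1.3 suites are spelled TLS_AES_... / TLS_CHACHA20_... and always
    # have forward secrecy; TLS 1.2 suites only do with an ECDHE-/DHE- prefix.
    forward_secret = name.startswith("TLS_") or name.startswith(("ECDHE-", "DHE-"))
    if "AES" in name and not forward_secret:
        problems.append("AES without forward secrecy")
    return problems


def classify(protocol: str, cipher: str) -> list:
    """All reasons a (protocol, cipher) pair is outdated or insecure."""
    problems = []
    rank = PROTOCOL_ORDER.get(protocol)
    if rank is None:
        problems.append(f"unknown protocol {protocol}")
    elif rank < PROTOCOL_ORDER["TLSv1.2"]:
        problems.append(f"protocol {protocol} is older than TLSv1.2")
    problems.extend(cipher_problems(cipher))
    return problems


def decision(connection_kind: str, problems: list, release: str) -> str:
    """Action taken for a connection kind ('server', 'oper', 'user') at a
    given default policy stage: 'ok', 'warn' or 'deny'."""
    if not problems:
        return "ok"
    if release == "4.2.2":                      # warn everybody, deny nobody
        return "warn"
    if release == "5.0.0":                      # deny links and opers, warn users
        return "deny" if connection_kind in ("server", "oper") else "warn"
    return "deny"                               # 6.0.5 and later: deny everybody


def probe(host: str, port: int = 6697, allow_old: bool = False, timeout: float = 5.0):
    """Handshake with host:port and return (protocol, cipher) as negotiated.
    allow_old lowers our own floor to TLSv1.0 so that a server still
    offering old protocols can be observed; the local OpenSSL security
    level may still refuse such a handshake."""
    ctx = ssl.create_default_context()
    if allow_old:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cipher_name, _proto, _bits = tls.cipher()
            return tls.version(), cipher_name


if __name__ == "__main__":
    if len(sys.argv) > 1:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 6697
        version, cipher = probe(sys.argv[1], port)
        print(version, cipher, classify(version, cipher) or "ok")
    else:
        # Sample pairs (constructed) run through each policy stage.
        for proto, suite in [("TLSv1.3", "TLS_AES_256_GCM_SHA384"),
                             ("TLSv1.2", "AES256-SHA"),
                             ("TLSv1", "ECDHE-RSA-RC4-SHA")]:
            issues = classify(proto, suite)
            print(proto, suite, issues or "ok",
                  {r: decision("user", issues, r) for r in ("4.2.2", "5.0.0", "6.0.5")})
```

Run as `python3 tlscheck.py irc.example.net 6697` (hostname assumed) to see what a modern client negotiates with a server; without arguments it prints the sample classifications. The classifier is deliberately name-based, since that is what an operator sees in the warning notice and in the server's own logs.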