
Moving users to TLS

From UnrealIRCd documentation wiki

Below is a summary of our efforts to move users, opers and servers to SSL/TLS. It is kept mainly for historical purposes.

Summary table

| Security measure | Scope | Warning | Denied |
|---|---|---|---|
| SSL/TLS support | | Available since Q4 2000 | |
| Disable SSLv2 | | | Aug 2002 |
| Disable SSLv3 | | | Dec 2015 |
| Disable TLSv1.0 & TLSv1.1 | server links | Mar 2019 | Dec 2019 |
| | administrators | Mar 2019 | Dec 2019 |
| | all connections | Mar 2019 | Jan 2023 |
| Bad ciphers or AES with no Forward Secrecy | server links | Mar 2019 | Dec 2019 |
| | administrators | Mar 2019 | Dec 2019 |
| | all connections | Mar 2019 | Jan 2023 |
| Automatic upgrading from non-TLS to TLS | server links | Via STARTTLS since Dec 2015 | |
| | user connections | Optional via STS since Aug 2017 | |
| Disallow non-TLS connections | server links (out) | | Dec 2015 |
| | server links (in) | Dec 2015 | Sep 2017 |
| | administrators | Sep 2017 | Dec 2019 |
| | all connections | | |

In this table, "administrators" means IRC Operator (IRCOp) connections, i.e. users trying to /OPER.

The table reflects the default UnrealIRCd settings. Server admins can override these settings or make other choices (stricter or looser).
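As an added example (not taken from this wiki page), here is how the default policies summarised in the table map onto a UnrealIRCd 5/6 configuration. The block names set::plaintext-policy, set::outdated-tls-policy and set::tls::sts-policy are assumed from those versions' configuration syntax; the values are the table's defaults, with the stricter alternatives noted in comments.

```conf
/* Added example, not from this wiki page: the table's default policies
 * expressed as UnrealIRCd 5/6 set:: settings. Block names are assumed
 * from the 5.x/6.x configuration; values follow the table. */
set {
    /* Non-TLS connections. Warnings started in 4.0.14; opers and
     * server links are denied by default since 5.0.0 / 4.0.14. */
    plaintext-policy {
        user allow;     /* "all connections" row: still allowed by default;
                           "warn" or "deny" is the stricter admin choice */
        oper deny;      /* administrators: denied since Dec 2019 */
        server deny;    /* server links: denied since Sep 2017 (in), Dec 2015 (out) */
    };

    /* Outdated protocol (below TLSv1.2) or bad cipher (RC4, 3DES,
     * AES without Forward Secrecy), as warned about since 4.2.2. */
    outdated-tls-policy {
        user warn;      /* warning since Mar 2019; "deny" is stricter */
        oper deny;      /* denied since Dec 2019 */
        server deny;    /* denied since Dec 2019 */
    };

    tls {
        /* STS (since 4.0.13): redirect non-TLS users to the TLS port.
         * Requires a certificate issued by a trusted CA (e.g. Let's Encrypt). */
        sts-policy {
            port 6697;
            duration 30d;
            preload yes;
        };
    };
};
```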

SSL/TLS support added

In the year 2000 UnrealIRCd was one of the first IRC daemons to have built-in SSL/TLS support. (source)

Disable SSLv2

Support for the insecure SSLv2 protocol was disabled very early, back in August 2002. (source)

Disable SSLv3

UnrealIRCd disabled SSLv3 by default in UnrealIRCd 4.0.0 which was released December 2015. (source)

For comparison's sake, web browsers disabled it slightly earlier: Firefox 34 in December 2014, Chrome 40 in January 2015 and Internet Explorer in April 2015.

Warn on non-TLS server links

Lots of sensitive data travels over server links, so it is important that they use SSL/TLS. Starting with UnrealIRCd 4.0.0, released in December 2015, we warn about non-TLS server links. (source)

Deny non-TLS server links

Since there is really no good reason for server links to be non-TLS, in UnrealIRCd 4.0.14 (released in September 2017) this was changed to deny non-TLS server links. (source)

For outgoing server links this was already done in UnrealIRCd 4.0.0 (Dec 2015), because it was easier there thanks to the automatic STARTTLS upgrade feature, see below. (source)

Automatically upgrade non-TLS server connections to TLS

In UnrealIRCd 4.0.0 (Dec 2015) we made any non-TLS outgoing server connection automatically upgrade to TLS using STARTTLS. (source)

Strict Transport Policy

In UnrealIRCd 4.0.13, released in August 2017, we implemented support for Strict Transport Policy (STS), which was still a draft specification at that time. STS does two things: 1) it automatically redirects non-TLS users to the TLS port, and 2) it only allows the server to use "real certificates", i.e. ones issued by a trusted Certificate Authority such as Let's Encrypt. (source)

Warn when IRCOps use non-TLS

Users with administrative privileges can see sensitive information, and their credentials can be stolen and misused if SSL/TLS is not used. Opers receive a warning if they are not using TLS since UnrealIRCd 4.0.14, released in September 2017. (source)

Deny IRCOps on non-TLS connections

Starting with UnrealIRCd 5.0.0, released in December 2019, we no longer allow admin users (IRCOps) to use non-TLS connections by default. IRCOps must use TLS. (source)

Warning on outdated TLS protocols/ciphers

At some point we will want to adjust the permitted TLS protocols and ciphersuites. It is good to first have a period in which we warn clients with a helpful notice, rather than presenting them with a mysterious connection failure.

In UnrealIRCd 4.2.2, released in March 2019, we started to warn regular users, IRCOps and server connections that use insecure ciphers (e.g. RC4 and 3DES, but also AES if it lacks Forward Secrecy) or outdated protocols (anything below TLSv1.2). (source)

Disable TLSv1.0 and TLSv1.1

In UnrealIRCd 5.0.0 (Dec 2019) we already reject server links and administrative (IRCOp) connections if they use anything below TLSv1.2. The next step was to disable the older TLS protocol versions (TLSv1.0 and TLSv1.1) completely.

Browsers disabled these old protocols as well: Chrome 84 did so in July 2020, and Microsoft planned to do it in IE / Classic Edge in spring 2021 at the earliest (blog post). Note, however, that on the server side, major sites such as google.com still have TLS 1.0 and 1.1 enabled to this day.

In UnrealIRCd we disabled TLS 1.0 and TLS 1.1 by default in UnrealIRCd 6.0.5, released in January 2023 (or, more precisely, in 6.0.5-rc1, released on 7 December 2022).