SSL/TLS

From UnrealIRCd documentation wiki

SSL stands for Secure Sockets Layer. It has since been superseded by TLS (Transport Layer Security), but most people still call it SSL, and this page uses the two names interchangeably.

Why use SSL

When you use SSL for a connection, all traffic between the two endpoints is encrypted, so nobody on the path can see, sniff or snoop the data (provided the certificate is actually validated; see the final remarks below). This matters because IRC traffic often includes passwords and other sensitive information.

You probably see https:// sites on the internet all the time. HTTPS is simply HTTP with SSL and it's used for banking, e-commerce sites and nowadays a lot of regular sites as well. The same technology (SSL) can be used for IRC.

How to use SSL

First of all, you need an SSL-capable client. Fortunately such clients are widespread nowadays: mIRC, XChat and irssi all support SSL.

Second, you need to connect to the server in a special way. There are actually two ways to use SSL:

STARTTLS

This is the easiest method but only a few clients support it. IRC Clients that are capable of using "STARTTLS" can connect on a regular IRC port and then request to 'upgrade' the connection to SSL/TLS. In most clients you'll have to set an option to use this, or use a slightly different syntax when connecting to a server.

For example on mIRC v7.38 and later you use: /server name.of.server.net *6667. The * (asterisk) prefix tells mIRC to use SSL/TLS with STARTTLS.

Special SSL port

You can also use a special "SSL port". This method is supported by more clients, but requires a little bit more work:

  • An SSL port needs to be opened up on the server. The example configuration file opens up port 6697 for this (in the Listen block with listen::options::ssl)
  • You need to connect with an SSL-capable client to the SSL-only port. For example with mIRC you use: /server name.of.server.net +6697. The + (plus) instructs mIRC to use SSL/TLS on an SSL-only port.

Final remarks

  • The UnrealIRCd team recommends using SSL/TLS as much as possible. At the very least, use it to secure server-to-server traffic and IRCOp client connections.
  • For real security you should validate certificates when you connect to servers and not blindly accept any SSL certificate. If you don't check them, encryption alone does not protect you: you are still vulnerable to MitM attacks. That is, however, too off-topic to discuss here; see Wikipedia: Man-in-the-middle attack for more background information. Clients like mIRC and XChat show a popup prompt when a new (unknown) SSL certificate is detected; accepting it pins that certificate, so only later changes will be flagged.
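
The remark above describes two layers of checking: proper chain and hostname validation, and the "new certificate" prompt that clients implement as trust-on-first-use (TOFU) pinning. The following Python is an added example written for this page, not code from UnrealIRCd or any IRC client. It shows a verifying TLS context next to the insecure one it must not be confused with, a small TOFU store keyed on host:port, and a connect helper that layers the two. The certificate bytes CERT_A and CERT_B are constructed placeholders standing in for DER certificates; a real client takes those from getpeercert(binary_form=True). irc.example.com is a hypothetical host.

```python
import hashlib
import socket
import ssl

# Constructed stand-ins for two different DER-encoded certificates. They are
# only used to exercise the fingerprint store offline.
CERT_A = b"constructed-der-bytes-for-irc.example.com-cert-A"
CERT_B = b"constructed-der-bytes-for-irc.example.com-cert-B"


def fingerprint(der_bytes: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, formatted the way
    `openssl x509 -fingerprint -sha256` prints it (colon-separated hex)."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class KnownCerts:
    """Trust-on-first-use store: remembers the fingerprint seen per host:port.
    'new' is where a client shows its prompt; 'mismatch' means the certificate
    changed since it was accepted and must be treated as a possible MitM."""

    def __init__(self):
        self._store = {}

    def check(self, host: str, port: int, der_bytes: bytes):
        key = f"{host}:{port}"
        fp = fingerprint(der_bytes)
        known = self._store.get(key)
        if known is None:
            return "new", fp
        if known == fp:
            return "match", fp
        return "mismatch", fp

    def accept(self, host: str, port: int, der_bytes: bytes) -> None:
        self._store[f"{host}:{port}"] = fingerprint(der_bytes)


def verifying_context() -> ssl.SSLContext:
    """The context a client should use: CA chain verification plus hostname
    check (both are defaults of create_default_context), TLS 1.2 or newer."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def insecure_context() -> ssl.SSLContext:
    """The 'blindly accept any certificate' setting the remark warns about.
    Shown only for contrast: it encrypts, but any MitM can present a cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def connect_irc_tls(host: str, port: int, known: KnownCerts, ctx=None):
    """Connect to an SSL-only IRC port (e.g. 6697), let the context verify the
    chain and hostname, then apply the TOFU check on top of it. Needs network
    access, so the offline test does not call it."""
    ctx = ctx or verifying_context()
    raw = socket.create_connection((host, port), timeout=10)
    tls = ctx.wrap_socket(raw, server_hostname=host)  # raises on a bad cert
    der = tls.getpeercert(binary_form=True)
    status, fp = known.check(host, port, der)
    if status == "mismatch":
        tls.close()
        raise ssl.SSLError(f"certificate for {host}:{port} changed: {fp}")
    if status == "new":
        known.accept(host, port, der)
    return tls, status, fp
```

Note that the TOFU store only adds value on top of chain validation: with insecure_context() a first connection through an attacker would pin the attacker's certificate, which is exactly the "accept any certificate" failure the remark describes.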

Configuration

Global settings

Global SSL/TLS settings can be configured via set::ssl. For most users the defaults are fine.

Per-port settings

Per-port SSL settings are configured in the Listen block

SNI

UnrealIRCd also supports SNI (Server Name Indication), which lets one server present different certificates for different hostnames. You configure this using the Sni block.

Strict Transport Security

UnrealIRCd 4.0.13 and later come with a feature called "Strict Transport Security". This is an advanced feature that:

  1. Will send users with capable clients to the appropriate SSL/TLS port automatically
  2. Ensures that these users won't use insecure connections for a specified period of time

For full details see the draft/sts specification.

To enable this you need to configure two important things:

Step 1: Get a real certificate

You need a 'real' SSL/TLS certificate, not the default / self-signed certificate that many people use. So: either buy one or get one via Let's Encrypt.

IMPORTANT: Your users must connect to the server with the same hostname as the hostname in the certificate. So if users use /server irc.example.com then your server shouldn't serve a certificate for irc2.example.com. See Sni_block for more information on this (possible solutions are: wildcard certificates or multiple certificates).

It is important to configure the certificate (and naming) correctly. Without STS such a misconfiguration will 'only' trigger a certificate warning on the client but with STS the clients will be unable to connect. It is a hard error.

Step 2: Configure the set::ssl::sts-policy block

The following configures an STS policy that redirects capable clients to port 6697 (which must be an SSL/TLS port) and, once you raise the duration as described below, enforces the policy for 180 days:

set {
    ssl {
        sts-policy {
            port 6697;
            duration 5m; /* you should bump this to 180d after confirming everything works correctly */
        };
    };
};

It is recommended to use a short value such as '5m' (5 minutes) during testing. Only after you have confirmed everything works correctly, and have had it running for a couple of days, should you raise it to something like '180d' (180 days) or more. This prevents you from inadvertently locking users out due to a misconfiguration: a client that has cached the policy refuses to connect insecurely to your server until the policy expires.

You will want to enforce the same STS policy on all servers on your network, since users are protected only on the servers that advertise it.
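
To make concrete what the sts-policy block above does on the wire, and why the duration is dangerous when set too high, here is an added Python example for this page; it is not UnrealIRCd code. It parses the UnrealIRCd time format used in the config ('5m', '180d'), builds the value the server advertises in CAP LS under the draft/sts specification (only a port on the plaintext listener, only a duration on the TLS listener), and models the client side of the spec: a port received over plaintext triggers a secure reconnect, a duration is persisted only when received over TLS, duration 0 clears the cached policy, and an expired policy stops applying. Assumptions not taken from the page: that concatenated units such as '1d12h' and bare seconds are also accepted by the duration parser, and the hypothetical host irc.example.com in the constructed CAP LS lines.

```python
import re
import time

# UnrealIRCd-style duration units. Assumption: weeks, days, hours, minutes and
# seconds may be concatenated ('1d12h'); a bare integer is taken as seconds.
UNIT_SECONDS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}


def parse_duration(value: str) -> int:
    """'5m' -> 300, '180d' -> 15552000, '1d12h' -> 129600."""
    value = value.strip()
    if value.isdigit():
        return int(value)
    parts = re.findall(r"(\d+)([wdhms])", value)
    if not parts or "".join(n + u for n, u in parts) != value:
        raise ValueError(f"bad duration: {value!r}")
    return sum(int(n) * UNIT_SECONDS[u] for n, u in parts)


def sts_cap_value(port: int, duration: str, secure: bool) -> str:
    """The sts capability value a server advertises for a set::ssl::sts-policy
    with the given port and duration: the plaintext listener only says where
    to go, the TLS listener only says how long to remember the policy."""
    if secure:
        return f"sts=duration={parse_duration(duration)}"
    return f"sts=port={port}"


def parse_cap_ls(line: str) -> dict:
    """Extract key=value pairs from an 'sts=...' token in a CAP LS line."""
    m = re.search(r"(?:^|[\s:])sts=(\S+)", line)
    if not m:
        return {}
    pairs = {}
    for kv in m.group(1).split(","):
        k, _, v = kv.partition("=")
        pairs[k] = v
    return pairs


class StsPolicyStore:
    """Client-side STS cache: host -> expiry timestamp, following the client
    rules of the draft/sts spec. The injectable clock lets tests advance time."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._policies = {}

    def must_use_tls(self, host: str) -> bool:
        expiry = self._policies.get(host)
        if expiry is None:
            return False
        if expiry <= self._clock():
            del self._policies[host]  # expired policy no longer applies
            return False
        return True

    def handle_cap_ls(self, host: str, line: str, secure: bool):
        """Returns ('reconnect', port), ('persist', seconds), ('clear', None)
        or ('none', None)."""
        sts = parse_cap_ls(line)
        if not sts:
            return ("none", None)
        if not secure:
            # Over plaintext only the port is honoured; a duration here could
            # come from a MitM and must never be persisted.
            port = sts.get("port", "")
            if port.isdigit():
                return ("reconnect", int(port))
            return ("none", None)
        duration = sts.get("duration", "")
        if duration.isdigit():
            seconds = int(duration)
            if seconds == 0:
                self._policies.pop(host, None)  # server withdrew its policy
                return ("clear", None)
            self._policies[host] = self._clock() + seconds
            return ("persist", seconds)
        return ("none", None)
```

The persisted expiry is what makes a certificate or port mistake costly: every client that already received duration=15552000 over TLS keeps refusing plaintext to that host for 180 days, which is why testing with 5m first is advised.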