
SSL/TLS

From UnrealIRCd documentation wiki

When you use SSL/TLS on IRC, all the network traffic between your client and the server is encrypted. Modern IRC servers and networks have SSL/TLS enabled and configured correctly, and they should encourage their users to use it.

UnrealIRCd has a long history of supporting and encouraging SSL/TLS, going all the way back to the year 2000.

What is SSL/TLS

SSL stands for Secure Sockets Layer. Later versions of the protocol have been named TLS (Transport Layer Security). In the UnrealIRCd documentation we usually write SSL/TLS because people use both terms to mean the same thing.

When you use SSL/TLS on a connection, all traffic between the two hosts is encrypted: nobody in between can see, sniff or snoop on the data. This matters because IRC traffic often includes passwords and other sensitive information.

You probably see https:// sites on the internet all the time. HTTPS is simply HTTP over SSL/TLS; it is used for banking and e-commerce sites and nowadays for a lot of regular sites as well. The same technology can be used for IRC.

How to use SSL/TLS

Nearly all IRC clients support SSL/TLS. To use it, connect to a port that has listen::options::tls enabled; by default this is port 6697 (not 6667!).

In your IRC client you need to connect to the SSL-only port in a special way:

  • mIRC: /server name.of.server.net +6697. The + (plus sign) instructs mIRC to use SSL/TLS.
  • irssi: /connect -tls name.of.server 6697. The -tls option tells irssi to use SSL/TLS.

On other clients it is usually a matter of putting a plus sign before the port (+6697), adding an SSL or TLS option, or ticking such a box in the graphical interface.

Be sure to read the next section on SSL certificates, especially if your client refuses to connect or complains about an untrusted or invalid certificate.

SSL certificate

By default, UnrealIRCd creates a self-signed certificate for you. However, most clients (rightfully) complain that such a certificate cannot be trusted: some clients show a popup or option to accept the certificate (yes/no), while others refuse to connect at all.

We highly recommend that you get a real certificate for free by using Let's Encrypt with UnrealIRCd. This does involve some work, but after that your server is fully set up for SSL/TLS and your users can use IRC in a more secure manner!

Configuration

Global settings

Global SSL/TLS settings can be configured via set::tls. For most users the defaults are fine.

Per-port settings

If you want port-specific SSL/TLS settings, these can be configured in the Listen block.
NOTE: Doing so is rare; most people do not change these at all, or change the global SSL/TLS options in set::tls instead.
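The following configuration fragment ties the pieces above together: a plaintext listener on 6667 next to a TLS listener on 6697 (listen::options::tls), with set::tls pointing at the certificate and key. It is an added example, not taken from the UnrealIRCd documentation, and the file paths are placeholders following the default conf/tls layout; adjust them to your own setup.

```conf
/* Added example (not from the UnrealIRCd docs). Paths are placeholders. */

/* Global SSL/TLS settings (set::tls). These paths are where the default
 * self-signed certificate lives; point them at your Let's Encrypt files
 * once you have obtained them. */
set {
    tls {
        certificate "tls/server.cert.pem";
        key "tls/server.key.pem";
    }
}

/* Plaintext port. Keep it only for legacy clients or so STS can redirect
 * users from here to the TLS port. */
listen {
    ip *;
    port 6667;
}

/* SSL/TLS port: the one users connect to as +6697. The tls option in
 * listen::options is what makes this port speak SSL/TLS. Per-port
 * certificate overrides are possible here but rarely needed; the global
 * set::tls settings apply by default. */
listen {
    ip *;
    port 6697;
    options { tls; }
}
```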

SNI

UnrealIRCd also supports SNI (Server Name Indication), which lets you serve multiple certificates for different names; you configure this using the Sni block. This is not used much.

Strict Transport Security

Strict Transport Security (STS) on IRC can be used to automatically redirect plaintext users to SSL/TLS (for example, from port 6667 to +6697). See the Strict Transport Security page.