SSL/TLS

From UnrealIRCd documentation wiki

When you use SSL/TLS on IRC, all the network traffic is encrypted. Modern IRC servers and networks have SSL/TLS enabled & configured correctly and should encourage their users to use it.

UnrealIRCd has a long history of supporting and encouraging SSL/TLS, going all the way back to the year 2000.

What is SSL/TLS

SSL stands for Secure Socket Layer. Later versions have been named TLS (Transport Layer Security). In UnrealIRCd documentation we usually call it SSL/TLS because people use both terms to mean the same thing.

When you use SSL/TLS on a connection then all the traffic between the two hosts is encrypted. Nobody can see/sniff/snoop the data. This is important as IRC traffic often includes things like passwords and other sensitive information.

You probably see https:// sites on the internet all the time. HTTPS is simply HTTP with SSL and it's used for banking, e-commerce sites and nowadays a lot of regular sites as well. The same technology (SSL) can be used for IRC.

How to use SSL/TLS

Nearly all IRC clients support SSL/TLS. To use it you need to connect to a port which has listen::options::tls enabled; by default this is port 6697 (not 6667!).

In your IRC client you need to connect to the SSL-only port in a special way:

  • mIRC: /server name.of.server.net +6697. The + (plus sign) instructs mIRC to use SSL/TLS.
  • irssi: /connect -tls name.of.server 6697. The -tls option says to use SSL/TLS.

On other clients it is usually a matter of using a plus sign before the port (+6697) or adding an SSL or TLS option or ticking such a box in the graphical interface.

Be sure to read the next section on SSL certificates, especially if your client refuses to connect or complains about an untrusted or invalid certificate.

SSL certificate

By default, UnrealIRCd has created a self-signed certificate for you. However, most clients (rightfully) complain that this cannot be trusted. Some clients will give you a popup or option to accept the certificate (yes/no). Other clients will refuse to connect at all.

We recommend you to get a real certificate for free by Using Let's Encrypt with UnrealIRCd. Note that this does mean you have some labor to do. But after that, your server is fully set up for SSL/TLS and your users can use IRC in a more secure manner!

Configuration

Global settings

Global SSL/TLS settings can be configured via set::tls. For most users the defaults are fine.

Per-port settings

If you want port-specific SSL/TLS settings then these can be configured in the Listen block.
NOTE: Doing so is very rare; most people do not change these at all, or change the global SSL/TLS options in set::tls instead.

SNI

UnrealIRCd also supports SNI (multiple certificates with different names), which you configure using the Sni block. This is not used much.

Strict Transport Security

"Strict Transport Security" is an IRCv3 specification. If you use it, it will:

  1. redirect users with capable clients to the appropriate SSL/TLS port automatically
  2. ensure that these users won't use insecure connections for a specified period of time

To enable this you need to configure two important things:

Step 1: Get a real certificate

You need a 'real' SSL/TLS certificate, not the default / self-signed certificate that many people use. So: get one for free via Let's Encrypt (tutorial) or buy one.

IMPORTANT: Your users must connect to the server with the same hostname as the hostname in the certificate. So if users use /SERVER irc.example.com then your server shouldn't serve a certificate for irc2.example.com. Possible solutions for this are wildcard certificates (this too is possible via Let's Encrypt) or using multiple certificates with a Sni block (rarely used).

It is important for the certificate (and naming) to be correct. Without STS such a misconfiguration will 'only' trigger a certificate warning on the client but with STS the clients will be unable to connect. It is a hard error that clients cannot easily bypass.

Step 2: Configure the set::tls::sts-policy block

The following will configure an STS policy, redirecting capable clients to port 6697 (which must be SSL/TLS):

set {
    tls {
        sts-policy {
            port 6697;
            duration 5m; /* you can always increase this later */
        };
    };
};

Note that while you can remove the set::tls::sts-policy block at any time, clients will cache the setting for up to set::tls::sts-policy::duration time. So when deploying sts-policy, and when picking a (final) setting, be sure to provide SSL/TLS support for an extended amount of time. This shouldn't be any problem with UnrealIRCd but just to reiterate: only deploy STS if you are serious about offering SSL/TLS to your clients!

You should gradually raise the set::tls::sts-policy::duration time. This is to prevent you from inadvertently locking users out due to a misconfiguration:

  • Begin with 5 minutes (5m) during testing.
  • After a week, consider raising it to a day (1d).
  • After a month, consider raising it to its final setting, such as half a year (180d).

Be sure to enforce the same STS policy on all servers on your network (unless you are only testing).
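To make the caching behaviour of set::tls::sts-policy::port and set::tls::sts-policy::duration concrete, here is an added example (not UnrealIRCd code, and not from this wiki) of the client side of IRCv3 STS: it parses the `sts` capability a server advertises in CAP LS, reconnects to the TLS port when seen on a plaintext connection, and only persists the policy for `duration` seconds when it arrives over TLS. The CAP LS lines, the hostname irc.example.com and the fake clock are constructed for the example.

```python
import time


def parse_cap_ls(line):
    """Split an IRC 'CAP * LS :cap1 cap2=value' line into {capability: value}."""
    _, _, rest = line.partition(" LS ")
    caplist = rest.split(":", 1)[1] if ":" in rest else rest
    caps = {}
    for token in caplist.split():
        name, _, value = token.partition("=")
        caps[name] = value
    return caps


def parse_sts(value):
    """Parse the sts value 'port=6697,duration=300' into {'port': '6697', ...}."""
    policy = {}
    for item in value.split(","):
        if item:
            key, _, val = item.partition("=")
            policy[key] = val
    return policy


class StsCache:
    """Per-host memory, as an IRC client keeps it, of how long TLS is mandatory."""

    def __init__(self, clock=time.time):
        self.clock = clock        # injectable so the expiry can be tested offline
        self.expiry = {}          # hostname -> unix time until which TLS is required

    def handle_cap_ls(self, host, line, secure):
        """Return the action a client must take after seeing this CAP LS line."""
        caps = parse_cap_ls(line)
        if "sts" not in caps:
            return ("none",)
        sts = parse_sts(caps["sts"])
        if not secure:
            # Plaintext port (e.g. 6667): the server only says where TLS lives.
            # Nothing is persisted from an insecure connection, so a spoofed
            # 'duration' here cannot lock the user out.
            return ("reconnect_tls", int(sts["port"])) if "port" in sts else ("none",)
        duration = int(sts.get("duration", 0))
        if duration == 0:
            self.expiry.pop(host, None)   # duration 0 revokes the cached policy
            return ("cleared",)
        self.expiry[host] = self.clock() + duration
        return ("persisted", duration)

    def requires_tls(self, host):
        """True while the cached policy forbids connecting in plaintext."""
        return self.expiry.get(host, 0) > self.clock()
```

This is why the page recommends a short duration (5m) at first: once a client has cached `persisted` from a TLS port, it will refuse the plaintext port until the expiry passes, even if the server's policy block is removed in the meantime.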