
SSL/TLS/es

From UnrealIRCd documentation wiki
This page is a translated version of the page SSL/TLS and the translation is 24% complete.
When you use SSL/TLS on IRC, all network traffic is encrypted. Modern IRC servers and networks that have SSL/TLS enabled and correctly configured should encourage their users to use it.

UnrealIRCd has a long history of supporting and promoting SSL/TLS, going back to the year 2000.

What is SSL/TLS?

SSL stands for Secure Socket Layer. Later versions were named TLS (Transport Layer Security). In the UnrealIRCd documentation we generally call it SSL/TLS because people use both terms for the same thing.

When you use SSL/TLS on a connection, all traffic between the two hosts is encrypted. Nobody can see/sniff/eavesdrop on the data. This is important, since IRC traffic often includes things like passwords and other confidential information.

You probably see https:// sites on the Internet all the time. HTTPS is simply HTTP with SSL and is used for banking and e-commerce sites and, nowadays, for many regular sites as well. The same technology (SSL) can be used for IRC.

How to use SSL/TLS

Almost all IRC clients support SSL/TLS. To use it, you must connect to a port that has listen::options::tls enabled; by default this is port 6697 (not 6667!).

In your IRC client you need to connect to the SSL-only port in a special way:

  • mIRC: /server name.of.server.net +6697. The + (plus sign) instructs mIRC to use SSL/TLS.
  • irssi: /connect -tls name.of.server 6697. The -tls option tells irssi to use SSL/TLS.

On other clients it is usually a matter of using a plus sign before the port (+6697) or adding a SSL or TLS option or ticking such a box in the graphical interface.

Be sure to read next section on SSL certificates, especially if your client refuses to connect or complains about an untrusted or invalid certificate.

SSL certificate

By default, UnrealIRCd has created a self-signed certificate for you. However, most clients (rightfully) complain that this cannot be trusted. Some clients will give you a popup or option to accept the certificate (yes/no). Other clients will refuse to connect at all.

We recommend you to get a real certificate for free by Using Let's Encrypt with UnrealIRCd. Note that this does mean you have some labor to do. But after that, your server is really fully setup for SSL/TLS and your users can use IRC in a more secure manner!

Configuration

Global settings

Global SSL/TLS settings can be configured via set::tls. For most users the defaults are fine.

Per-port settings

If you want port-specific SSL/TLS settings then these can be configured in the Listen block.
NOTE: Doing so is very rare, most people would not change these at all or change the global SSL/TLS options in set::tls instead.

SNI

UnrealIRCd also supports SNI, that is, multiple certificates with different names, which you configure using the Sni block. This is not used much.

Strict Transport Security

"Strict Transport Security" is an IRCv3 specification. If you use it, it will:

  1. redirect users with capable clients to the appropriate SSL/TLS port automatically
  2. ensure that these users won't use insecure connections for a specified period of time

To enable this you need to configure two important things:

Step 1: Get a real certificate

You need a 'real' SSL/TLS certificate, not the default / self-signed certificate that many people use. So: get one for free via Let's Encrypt (tutorial) or buy one.

IMPORTANT: Your users must connect to the server with the same hostname as the hostname in the certificate. So if users use /SERVER irc.example.com then your server shouldn't serve a certificate for irc2.example.com. Possible solutions for this are wildcard certificates (this too is possible via Let's Encrypt) or using multiple certificates with a Sni block (rarely used).

It is important for the certificate (and naming) to be correct. Without STS such a misconfiguration will 'only' trigger a certificate warning on the client but with STS the clients will be unable to connect. It is a hard error that clients cannot easily bypass.

Step 2: Configure the set::tls::sts-policy block

The following will configure an STS policy, redirecting capable clients to port 6697 (which must be SSL/TLS):

set {
    tls {
        sts-policy {
            port 6697;
            duration 5m; /* you can always increase this later */
        };
    };
};

Note that while you can remove the set::tls::sts-policy block at any time, clients will cache the setting for up to set::tls::sts-policy::duration time. So when deploying sts-policy, and when picking a (final) setting, be sure to provide SSL/TLS support for an extended amount of time. This shouldn't be any problem with UnrealIRCd but just to reiterate: only deploy STS if you are serious about offering SSL/TLS to your clients!

You should gradually raise the set::tls::sts-policy::duration time. This to prevent you inadvertently locking users out due to a misconfiguration:

  • Begin with 5 minutes (5m) during testing.
  • After a week, consider raising it to a day (1d).
  • After a month, consider raising it to its final setting, such as half a year (180d).

Be sure to enforce the same STS policy on all servers on your network (unless you are only testing).
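To make the caching and hostname caveats above concrete, here is an added example (not UnrealIRCd's own code) of what an STS-capable client does with the policy that the sts-policy block advertises in CAP LS; the CAP LS lines and certificate names are constructed, the on-the-wire duration is in seconds as the IRCv3 spec requires, and the client logic follows that spec.

```python
"""Client-side view of the IRCv3 STS policy that set::tls::sts-policy advertises.
Added example, not UnrealIRCd code; CAP LS lines and cert names are constructed."""


def parse_sts(cap_ls_line):
    """Return the sts policy keys from a 'CAP * LS' line, or None if absent.
    UnrealIRCd advertises it as a capability value, e.g. sts=port=6697,duration=300"""
    caps = cap_ls_line.split(" :", 1)[1].split()
    for cap in caps:
        if cap.startswith("sts="):
            policy = {}
            for item in cap[4:].split(","):
                key, _, value = item.partition("=")
                policy[key] = value
            return policy
    return None


def hostname_matches(hostname, cert_names):
    """Exact or single-label wildcard match: *.example.com covers irc.example.com
    but not a.b.example.com, which is why the wildcard advice on this page works."""
    host = hostname.lower()
    for name in (n.lower() for n in cert_names):
        if name.startswith("*."):
            if host.count(".") == name.count(".") and host.endswith(name[1:]):
                return True
        elif name == host:
            return True
    return False


def apply_sts(cache, hostname, cap_ls_line, secure, port, cert_names=(), now=0):
    """Decide what an STS-aware client does; cache maps hostname -> {port, expires}."""
    policy = parse_sts(cap_ls_line)
    cached = cache.get(hostname)
    if not secure:
        if policy and "port" in policy:           # server asks us to upgrade now
            return ("reconnect-tls", int(policy["port"]))
        if cached and cached["expires"] > now:    # block removed, but still cached
            return ("reconnect-tls", cached["port"])
        return ("stay-plaintext", None)           # duration is never trusted over plaintext
    # Secure connection: with STS a name mismatch is a hard error, otherwise a warning.
    if not hostname_matches(hostname, cert_names):
        return ("hard-fail-cert-mismatch", None) if (policy or cached) else ("cert-warning", None)
    if policy and "duration" in policy:
        duration = int(policy["duration"])
        if duration == 0:
            cache.pop(hostname, None)             # duration 0 tells clients to forget it
        else:
            cache[hostname] = {"port": port, "expires": now + duration}
    return ("connected", None)
```

Note that after the policy is cached, deleting the sts-policy block on the server does not free the client until the cached expiry passes, which is why the page recommends starting with a short duration.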