
SSL/TLS

From UnrealIRCd documentation wiki
This page is a translated version of the page SSL/TLS and the translation is 8% complete.

SSL stands for Secure Socket Layer. It was later renamed TLS (Transport Layer Security), but the name SSL is still commonly used.

UnrealIRCd has a long history of supporting and encouraging SSL/TLS, going all the way back to the year 2000.

Why use SSL/TLS?

When you use SSL/TLS on a connection, all the traffic between the two hosts is encrypted. Nobody in between can see, sniff or modify the data (at least in theory). This is important because IRC traffic often includes passwords and other sensitive information.

You probably see https:// sites all the time on the internet. HTTPS is simply HTTP with SSL/TLS and is used by banks, e-commerce sites and a large number of other websites. The same technology (SSL/TLS) can be used for IRC.

How to use SSL/TLS

Nearly all IRC clients support SSL/TLS. To use it you need to connect to a port which has listen::options::tls enabled; by default this is port 6697 (not 6667!).

In your IRC client you need to connect to the SSL-only port in a special way:

  • mIRC: /server name.of.server.net +6697. The + (plus sign) instructs mIRC to use SSL/TLS.
  • irssi: /connect -tls name.of.server 6697. The -tls option says to use SSL/TLS.

On other clients it is usually a matter of putting a plus sign before the port (+6697), adding an SSL or TLS option, or ticking such a box in the graphical interface.

Be sure to read the next section on SSL certificates, especially if your client refuses to connect or complains about an untrusted or invalid certificate.

SSL certificate

By default, UnrealIRCd creates a self-signed certificate for you. However, most clients (rightfully) complain that this cannot be trusted. Some clients will give you a popup or option to accept the certificate (yes/no). Other clients will refuse to connect at all.

We recommend that you get a real certificate for free by Using Let's Encrypt with UnrealIRCd. Note that this does mean some work on your part. But after that, your server is fully set up for SSL/TLS and your users can use IRC in a more secure manner!

Configuration

Global settings

Global SSL/TLS settings can be configured via set::tls. For most users the defaults are fine.

Per-port settings

If you want port-specific SSL/TLS settings then these can be configured in the Listen block.
NOTE: Doing so is very rare; most people do not change these at all, or change the global SSL/TLS options in set::tls instead.

SNI

UnrealIRCd also supports SNI (multiple certificates with different names), which you configure using the Sni block. This is not used much.

Strict Transport Security

"Strict Transport Security" (STS) is an IRCv3 specification. If you use it, it will:

  1. redirect users with capable clients to the appropriate SSL/TLS port automatically
  2. ensure that these users won't use insecure connections for a specified period of time

To enable this you need to configure two important things:

Step 1: Get a real certificate

You need a 'real' SSL/TLS certificate, not the default / self-signed certificate that many people use. So: get one for free via Let's Encrypt (tutorial) or buy one.

IMPORTANT: Your users must connect to the server with the same hostname as the hostname in the certificate. So if users use /SERVER irc.example.com then your server shouldn't serve a certificate for irc2.example.com. Possible solutions for this are wildcard certificates (this too is possible via Let's Encrypt) or using multiple certificates with a Sni block (rarely used).

It is important for the certificate (and its naming) to be correct. Without STS such a misconfiguration will 'only' trigger a certificate warning on the client, but with STS the clients will be unable to connect at all. It is a hard error that clients cannot easily bypass.
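The two failure modes described in the SSL certificate section and in Step 1 (an untrusted self-signed certificate, and a real certificate issued for a different name than the one users type) are easy to confuse in client error messages. The following Python is an added example, not code from UnrealIRCd or this wiki: it implements the RFC 6125 name-matching rule (including the single-label wildcard case mentioned above) so you can check offline whether a planned certificate covers the hostname your users connect to, and it opens a properly verifying TLS connection to port 6697 so that a rejected certificate shows up as a distinct result. The hostnames and certificate names are constructed test values.

```python
import socket
import ssl


def hostname_matches(hostname: str, cert_names: list[str]) -> bool:
    """Return True if hostname is covered by one of the certificate's DNS names.

    Wildcard handling follows RFC 6125: '*' must be the entire left-most label
    and matches exactly one label, so '*.example.com' covers irc.example.com
    but neither example.com nor a.b.example.com.
    """
    host = hostname.lower().rstrip(".")
    for name in cert_names:
        pattern = name.lower().rstrip(".")
        if pattern == host:
            return True
        if pattern.startswith("*."):
            suffix = pattern[1:]                      # ".example.com"
            if host.endswith(suffix):
                left = host[: -len(suffix)]           # the label the '*' stands for
                if left and "." not in left:
                    return True
    return False


def classify_certificate(hostname: str, cert_names: list[str], issuer_trusted: bool) -> str:
    """Mirror the order in which a client rejects a certificate.

    A self-signed certificate fails the issuer check first ('untrusted'); a real
    certificate issued for the wrong name fails the name check
    ('hostname-mismatch'); anything else is 'ok'.
    """
    if not issuer_trusted:
        return "untrusted"
    if not hostname_matches(hostname, cert_names):
        return "hostname-mismatch"
    return "ok"


def tls_client_context() -> ssl.SSLContext:
    """Context that verifies the chain and the hostname, as an IRC client should."""
    ctx = ssl.create_default_context()      # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def connect_tls(host: str, port: int = 6697, timeout: float = 10.0):
    """Open a verified TLS connection to an IRC port and report the outcome.

    Returns ('ok', peer_certificate), ('certificate-error', detail) for an
    untrusted or mis-named certificate, or ('connection-error', detail).
    """
    ctx = tls_client_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "ok", tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:       # self-signed or wrong name
        return "certificate-error", exc.verify_message or str(exc)
    except (OSError, ssl.SSLError) as exc:
        return "connection-error", str(exc)


if __name__ == "__main__":
    # Offline checks on constructed inputs; the names echo the page's example.
    print(classify_certificate("irc.example.com", ["irc2.example.com"], issuer_trusted=True))
    print(classify_certificate("irc.example.com", ["*.example.com"], issuer_trusted=True))
```

Run classify_certificate against the names in your certificate before enabling STS; connect_tls against a live server tells you whether clients with strict verification would get through. Note that create_default_context already performs hostname matching on its own; hostname_matches is there to make the wildcard rule visible and testable.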

Step 2: Configure the set::tls::sts-policy block

The following will configure an STS policy, redirecting capable clients to port 6697 (which must be SSL/TLS):

set {
    tls {
        sts-policy {
            port 6697;
            duration 5m; /* you can always increase this later */
        };
    };
};

Note that while you can remove the set::tls::sts-policy block at any time, clients will cache the setting for up to set::tls::sts-policy::duration time. So when deploying sts-policy, and when picking a (final) setting, be sure to provide SSL/TLS support for an extended amount of time. This shouldn't be any problem with UnrealIRCd but just to reiterate: only deploy STS if you are serious about offering SSL/TLS to your clients!

You should gradually raise the set::tls::sts-policy::duration time. This is to prevent you from inadvertently locking users out due to a misconfiguration:

  • Begin with 5 minutes (5m) during testing.
  • After a week, consider raising it to a day (1d).
  • After a month, consider raising it to its final setting, such as half a year (180d).

Be sure to enforce the same STS policy on all servers on your network (unless you are only testing).
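To see why the duration ladder matters, it helps to look at what a capable client does with the policy: it keeps the rule for the full duration even after you remove the block, which is the caching behaviour described above. The following Python is an added example, not UnrealIRCd code: it converts the config durations from the ladder (5m, 1d, 180d) into seconds and models a client-side STS cache that upgrades to the advertised port and forgets the policy once the duration elapses. The capability format it parses (comma-separated key=value pairs, the port key on a plaintext connection, the duration key in seconds on a TLS connection, duration 0 clearing the policy) comes from the IRCv3 STS specification rather than from this page; the set of time-unit suffixes accepted by parse_duration is an assumption, and the hostname and clock values are constructed.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Unit suffixes of the config time format, e.g. 5m, 1d, 180d (assumed set of units).
TIME_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 7 * 86400}


def parse_duration(text: str) -> int:
    """Convert '5m', '1d', '1h30m' or '180d' to seconds; a bare number is rejected."""
    total, digits = 0, ""
    for ch in text.strip():
        if ch.isdigit():
            digits += ch
        elif ch in TIME_UNITS and digits:
            total += int(digits) * TIME_UNITS[ch]
            digits = ""
        else:
            raise ValueError(f"bad duration: {text!r}")
    if digits or not text.strip():
        raise ValueError(f"bad duration: {text!r}")
    return total


def parse_sts_value(value: str) -> Dict[str, str]:
    """Parse the comma-separated key=value list carried by the IRCv3 'sts' capability."""
    fields: Dict[str, str] = {}
    for item in value.split(","):
        if item:
            key, _, val = item.partition("=")
            fields[key] = val
    return fields


@dataclass
class StsPolicy:
    port: int
    expires_at: float


class StsCache:
    """Client-side STS store: what a capable client remembers about each host."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._policies: Dict[str, StsPolicy] = {}

    def on_cap_sts(self, host: str, value: str, connection_secure: bool,
                   current_port: int) -> Optional[int]:
        """Handle an 'sts' capability value received from host.

        On an insecure connection the 'port' key names the TLS port to reconnect
        to (returned; nothing is stored until a secure session confirms it).
        On a secure connection the 'duration' key (seconds) persists the policy,
        and duration 0 clears it.
        """
        fields = parse_sts_value(value)
        if not connection_secure:
            return int(fields["port"]) if "port" in fields else None
        if "duration" in fields:
            seconds = int(fields["duration"])
            if seconds == 0:
                self._policies.pop(host, None)
            else:
                port = int(fields.get("port", current_port))
                self._policies[host] = StsPolicy(port, self._clock() + seconds)
        return None

    def secure_port_for(self, host: str) -> Optional[int]:
        """Port the client must use for host while a policy is cached, else None."""
        policy = self._policies.get(host)
        if policy is None:
            return None
        if self._clock() >= policy.expires_at:
            del self._policies[host]          # policy expired; plaintext allowed again
            return None
        return policy.port


if __name__ == "__main__":
    # Walk through the deployment from the page with a fake clock (constructed values).
    now = [0.0]
    cache = StsCache(clock=lambda: now[0])
    print("upgrade to port", cache.on_cap_sts("irc.example.com", "port=6697", False, 6667))
    cache.on_cap_sts("irc.example.com", f"duration={parse_duration('5m')}", True, 6697)
    print("cached port:", cache.secure_port_for("irc.example.com"))
    now[0] += parse_duration("5m") + 1
    print("after expiry:", cache.secure_port_for("irc.example.com"))
```

The cache illustrates the point made about removing sts-policy: until expires_at passes, secure_port_for keeps returning 6697 regardless of what the server now advertises, so a 180d policy set before the certificate and port were stable would pin clients to a port that must keep working for that whole period.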