SSL/TLS

SSL stands for Secure Sockets Layer. It was later renamed to TLS (Transport Layer Security), but most people still call it SSL.

Why use SSL
When you use SSL for a connection, all the traffic between the two endpoints is encrypted. Nobody can see/sniff/snoop the data (theoretically, anyway). This is important as IRC traffic often includes things like passwords and other sensitive information.

You probably see https:// sites on the internet all the time. HTTPS is simply HTTP with SSL and it's used for banking, e-commerce sites and nowadays a lot of regular sites as well. The same technology (SSL) can be used for IRC.

How to use SSL
First of all, you need an SSL-capable client. Fortunately such clients are widespread nowadays: mIRC, XChat and irssi all support SSL.

Second, you need to connect to the server in a special way. There are actually two ways to use SSL:

STARTTLS
This is the easiest method, but only a few clients support it. IRC clients that are capable of using "STARTTLS" can connect on a regular IRC port and then request to 'upgrade' the connection to SSL/TLS. In most clients you'll have to set an option to use this, or use a slightly different syntax when connecting to a server.

For example on mIRC v7.38 and later you use:. The * (asterisk) prefix tells mIRC to use SSL/TLS with STARTTLS.

Special SSL port
You can also use a special "SSL port". This method is supported by more clients, but requires a little bit more work:
 * An SSL port needs to be opened up on the server. The example configuration file opens up port 6697 for this (in the Listen block with listen::options::ssl)
 * You need to connect with an SSL-capable client to the SSL-only port. For example with mIRC you use: . The + (plus) instructs mIRC to use SSL/TLS on an SSL-only port.

Final remarks

 * The UnrealIRCd team recommends using SSL/TLS as much as possible. At the very least, use it to secure server-to-server traffic and IRCOp client connections.


 * For real security you should validate certificates when you connect to servers and not blindly accept any SSL certificate. If you don't check them, you are still vulnerable to MitM (man-in-the-middle) attacks. That is, however, too off-topic to discuss here. See Wikipedia: Man-in-the-middle attack for more background information. Clients like mIRC and XChat will show a popup prompt when a new (unknown) SSL certificate is detected.
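
The two connection methods described under "How to use SSL", with the certificate validation recommended above, as an added Python sketch (not UnrealIRCd code). Assumptions not taken from this page: plaintext port 6667, and the 670 (proceed) and 691 (failed) reply numerics from the IRCv3 STARTTLS extension.

```python
import socket
import ssl


def validating_context() -> ssl.SSLContext:
    """TLS context that verifies the certificate chain and the host name."""
    # create_default_context() loads the system CA store and enables
    # CERT_REQUIRED plus host name checking; never switch these off.
    return ssl.create_default_context()


def irc_command(line: bytes) -> str:
    """Return the command or numeric of one IRC line, without the prefix."""
    parts = line.decode("utf-8", "replace").split()
    if parts and parts[0].startswith(":"):
        parts = parts[1:]  # drop the ":server.name" prefix
    return parts[0] if parts else ""


def connect_tls_port(host: str, port: int = 6697) -> ssl.SSLSocket:
    """Special SSL port: TLS starts with the first byte sent."""
    raw = socket.create_connection((host, port), timeout=10)
    return validating_context().wrap_socket(raw, server_hostname=host)


def connect_starttls(host: str, port: int = 6667) -> ssl.SSLSocket:
    """STARTTLS: connect in plaintext, ask for the upgrade, then wrap."""
    raw = socket.create_connection((host, port), timeout=10)  # assumed port
    raw.sendall(b"STARTTLS\r\n")
    buf = b""
    while True:
        chunk = raw.recv(4096)
        if not chunk:
            raw.close()
            raise ConnectionError("server closed before answering STARTTLS")
        buf += chunk
        while b"\r\n" in buf:
            line, buf = buf.split(b"\r\n", 1)
            cmd = irc_command(line)
            if cmd == "670":  # upgrade accepted: the TLS handshake starts now
                return validating_context().wrap_socket(raw, server_hostname=host)
            if cmd.isdigit():  # 691 or any other numeric: do not continue
                raw.close()
                raise ConnectionError("STARTTLS refused: " + cmd)
```

Both functions raise `ssl.SSLCertVerificationError` when the server certificate does not validate for `host`. `connect_starttls` closes the socket instead of continuing in plaintext when the upgrade is not confirmed, so a stripped STARTTLS reply cannot silently downgrade the session.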

Configuration

 * Global SSL/TLS settings can be configured via set::ssl (although most users don't touch this)
 * Per-port SSL settings are configured in the Listen block
 * UnrealIRCd also supports SNI (multiple certificates with different names), which you configure using the Sni block.