Moving users to TLS

Below is a summary of our efforts to move users, opers and servers to use SSL/TLS. It is mainly for historic purposes.

Summary table
In this table administrators means IRC Operator (IRCOp) connections - users trying to /OPER.

The table reflects the default UnrealIRCd settings. Server admins have the option to override settings or make other choices (more strict or more loose).

SSL/TLS support added
In the year 2000 UnrealIRCd was one of the first IRC daemons to have built-in SSL/TLS support. (source)

Disable SSLv2
Support for insecure SSLv2 was disabled very early, back in August 2002 (source)

Disable SSLv3
UnrealIRCd disabled SSLv3 by default in UnrealIRCd 4.0.0 which was released December 2015. (source)

For comparisons sake, web browsers disabled it slightly earlier. Such as Firefox 34 in December 2014, Chrome 40 in January 2015 and Internet Explorer in April 2015.

Warn on non-TLS server links
Lots of sensitive data travels between servers links, so it is important for them to use SSL/TLS. Starting with UnrealIRCd 4.0.0, which was released Dec 2015, we did so. (source)

Deny non-TLS server links
Since there really is no good reason for server links to be non-TLS, in UnrealIRCd 4.0.14 this was changed to deny non-TLS server links. Released on September 2017. (source)

For outgoing server links this was already done in UnrealIRCd 4.0.0 (Dec 2015), because this was easier with the automatic STARTTLS upgrade feature, see below (source)

Automatically upgrade non-TLS server connections to TLS
In UnrealIRCd 4.0.0 (Dec 2015) we made it that any non-TLS outgoing connection is automatically upgraded to TLS using STARTTLS. (source).

Strict Transport Policy
In UnrealIRCd 4.0.13, released in August 2017, we implemented support for for Strict Transport Policy (STS), while still a draft specification at that time. What STS does is two things: 1) it automatically redirects non-TLS users to the TLS port, 2) it only allows the server to use "real certificates", ones that are issued by a trusted Certificate Authority such as Let's Encrypt. (source)

Warn when IRCOps use non-TLS
Users with administrative privileges can see sensitive information. Also their credentials can be stolen and misused if you don't use SSL/TLS. Opers receive a warning if not using TLS since UnrealIRCd 4.0.14, released on September 2017. (source)

Deny IRCOps on non-TLS connections
Starting with UnrealIRCd 5.0.0, released on December 2019, we no longer allow admin users (IRCOps) to use non-TLS connections by default. IRCOps must use TLS. (source)

Warning on outdated TLS protocols/ciphers
At a certain point we will want to adjust our permitted TLS protocols and ciphersuite. It is good to first have a period where we warn the clients with a helpful notice, rather than presenting them with a mysterious connection failure.

In UnrealIRCd 4.2.2, released in March 2019, we started to warn regular users, ircops and on server connections that use insecure ciphers (eg: RC4, 3DES, but also AES if they lack Forward Secrecy) or protocols (anything below TLSv1.2). (source)

Disable TLSv1.0 and TLSv1.1
In UnrealIRCd 5.0.0 (Dec 2019) we already reject server links and administrative (IRCOp) connections if they use <TLSv1.2. The next step is to disable older versions of the TLS protocol (TLS v1.0 and TLS v1.1) completely.

Browsers are currently in the process of disabling these old protocols: Chrome 84 did it in July 2020, Microsoft plans to do it in IE / Classic Edge in spring of 2021 at the earliest (blog post). Note, however, that on the server side, major sites such as google.com still have TLS 1.0 and 1.1 enabled.

In UnrealIRCd we expect to disable TLS 1.0 and TLS 1.1 by default when major websites also stop serving it via https.