TLS Ciphers and protocols

You can configure the permitted SSL/TLS protocols and ciphers using set::tls::protocols, set::tls::ciphers and set::tls::options::ciphersuites. Or, if you want to override these global options, then you can use listen::tls-options or link::tls-options for listen- and link-specific configuration.

Default configuration
The default configuration in UnrealIRCd 6.0.5 looks like this:

    set {
        tls {
            protocols "TLSv1.2,TLSv1.3";
            ciphers "EECDH+CHACHA20 EECDH+AESGCM EECDH+AES+SHA384 EECDH+AES+SHA256";
            ciphersuites "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256";
            ecdh-curves "secp521r1,secp384r1,prime256v1";
        };
    };

NOTE: There is no need to copy-paste this to your config file as this is already the default!

Result
With OpenSSL 3.0.7 this results in (output from cipherscan):

    prio  ciphersuite                    protocols  pfs                 curves
    1     ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2    ECDH,P-521,521bits  secp521r1,secp384r1
    2     ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2    ECDH,P-521,521bits  secp521r1,secp384r1
    3     ECDHE-ECDSA-AES256-SHA384      TLSv1.2    ECDH,P-521,521bits  secp521r1,secp384r1
    4     ECDHE-ECDSA-AES128-SHA256      TLSv1.2    ECDH,P-521,521bits  secp521r1,secp384r1

NOTE 1: This seems to omit the ECDHE-ECDSA-CHACHA20-POLY1305 ciphers that are also supported.

NOTE 2: TLS 1.3 is also supported in UnrealIRCd. It is not listed in the above result simply because the cipherscan tool does not test for it at the moment.

Rationale
By default we:
 * Require protocol TLSv1.2 or higher
 * Only allow ciphers with Forward Secrecy (ECDHE key exchange)
 * Use secure and randomly chosen ECDH curves

These minimum requirements can be met by these TLS client libraries:
 * OpenSSL 1.0.1 (released in 2012): for example first used in Fedora 18 (2013), Debian 7 (2013), Ubuntu 14.04 (2014)
 * GnuTLS 3.2.6 (2013): for example used in Ubuntu 16.04 (2016)
 * Android 4.4.2 (2013)

Previous less secure setting
The default settings as of UnrealIRCd 6.0.5+ work with these minimum versions of popular TLS client libraries: OpenSSL 1.0.1 (released in 2012), GnuTLS 3.2.6 (2013), Android 4.4.2 (2013).

If you need to permit clients that use a TLS library that is more than 10 years old, then you have to lower the security a bit and revert to these old settings:

    set {
        tls {
            protocols "All"; /* TLSv1.0 or later */
            ciphers "EECDH+CHACHA20 EECDH+AESGCM EECDH+AES AES256-GCM-SHA384 AES128-GCM-SHA256 AES256-SHA256 AES128-SHA256 AES256-SHA AES128-SHA";
        };
    };
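To see what OpenSSL actually makes of these cipher strings, both the 6.0.5 default shown under Result and the older setting just above, here is an added example in Python; it is not part of the UnrealIRCd documentation or source. It feeds each string to a server-side SSLContext from Python's standard ssl module, lists the TLS 1.2 ciphers OpenSSL enables from it, and flags any whose key exchange is not ephemeral ECDH (i.e. the ones without forward secrecy). The cipher strings are copied from this page; the function names are the example's own. Without a certificate loaded, OpenSSL lists both the ECDHE-RSA and ECDHE-ECDSA variants; with the secp384r1 certificate UnrealIRCd generates, only the ECDSA ones can be negotiated, which is why the cipherscan output above shows ECDSA entries only.

```python
import ssl

# Cipher strings exactly as documented on this page: the UnrealIRCd 6.0.5
# default (PFS-only) and the previous, less secure setting.
DEFAULT_CIPHERS = "EECDH+CHACHA20 EECDH+AESGCM EECDH+AES+SHA384 EECDH+AES+SHA256"
LEGACY_CIPHERS = (
    "EECDH+CHACHA20 EECDH+AESGCM EECDH+AES AES256-GCM-SHA384 AES128-GCM-SHA256 "
    "AES256-SHA256 AES128-SHA256 AES256-SHA AES128-SHA"
)


def expand_ciphers(cipher_string):
    """Hand an OpenSSL cipher string to a TLS 1.2+ server context and return
    the concrete cipher entries OpenSSL derived from it, in server preference
    order (the same expansion UnrealIRCd's "ciphers" option goes through)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # like protocols "TLSv1.2,TLSv1.3"
    ctx.set_ciphers(cipher_string)  # OpenSSL accepts space-separated cipher strings
    # get_ciphers() also lists the TLS 1.3 suites, which are governed by the
    # separate "ciphersuites" option, so drop them. The "protocol" field is a
    # cipher's *minimum* version (older CBC ciphers report TLSv1 or SSLv3),
    # so filtering on != TLSv1.3 keeps every TLS 1.2-capable cipher.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def cipher_names(cipher_string):
    """Just the OpenSSL names, in preference order."""
    return [c["name"] for c in expand_ciphers(cipher_string)]


def non_pfs_ciphers(cipher_string):
    """Enabled ciphers whose key exchange is not ephemeral ECDH. Python's ssl
    module reports the key-exchange method as e.g. 'kx-ecdhe' or 'kx-rsa';
    anything other than kx-ecdhe lacks forward secrecy."""
    return [c["name"] for c in expand_ciphers(cipher_string) if c["kea"] != "kx-ecdhe"]


def report(cipher_string):
    """Print a cipherscan-like table for one cipher string."""
    print(f"{'cipher':32} {'min-proto':9} {'kx':9} {'auth':12} aead")
    for c in expand_ciphers(cipher_string):
        print(f"{c['name']:32} {c['protocol']:9} {str(c['kea']):9} "
              f"{str(c['auth']):12} {'yes' if c['aead'] else 'no'}")


if __name__ == "__main__":
    print("UnrealIRCd 6.0.5 default cipher string:")
    report(DEFAULT_CIPHERS)
    print("\nNon-PFS ciphers in the default string:", non_pfs_ciphers(DEFAULT_CIPHERS))
    print("Non-PFS ciphers in the previous setting:", non_pfs_ciphers(LEGACY_CIPHERS))
```

Running it on an OpenSSL build with ChaCha20 support shows the ECDHE-ECDSA-CHACHA20-POLY1305 entry that NOTE 1 says cipherscan leaves out, and the legacy string shows the plain RSA key-exchange ciphers (AES256-GCM-SHA384 and friends) that the 6.0.5 default removed. Python's ssl module exposes no setter for the TLS 1.3 ciphersuites, so the example covers only the "ciphers" option; the "ciphersuites" list is unaffected by it.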

History
See also: Moving users to TLS
 * Prior to UnrealIRCd 4.0.7 if you did not have a cipher setting it was left up to your OS/Distro (and ultimately OpenSSL/LibreSSL build parameters) as to which algorithms were enabled. In practice this often meant ciphers such as RC4 and 3DES were enabled which is discouraged today.
 * In UnrealIRCd 4.0.14 the cipher list was updated to include TLSv1.3 ciphers. This means as soon as you upgrade your OpenSSL to a version which supports TLSv1.3, UnrealIRCd will be able to use it.
 * In UnrealIRCd 4.0.18 support was added for setting the ECDH(E) curves via the ecdh-curves option, and a default was set. Previously this was left to the SSL library, with a fallback to P-256.
 * In UnrealIRCd 4.0.19 the cipher setting for TLSv1.3 was changed to match OpenSSL specifics.
 * In UnrealIRCd 4.2.2 we reordered AES-128 and AES-256. In practice, most clients (by far) already negotiated either CHACHA20 or AES-256, but now in the remaining case (non-PFS) we prefer AES-256 as well.
 * In UnrealIRCd 5.0.0 there were no changes to the cipher settings, but we did change the default generated certificate from RSA-4096 to secp384r1.
 * In UnrealIRCd 6.0.5 the requirements changed to TLSv1.2 or later and a cipher with Forward Secrecy (ECDHE). This was previously in a section called A more secure setting but is now the default. The old default is now documented under Previous less secure setting.