Link security

UnrealIRCd 4.0.14 adds a concept called link security levels to describe how secure your server/network is.

Levels
Each server is assigned a level of 0, 1 or 2. Older UnrealIRCd servers and services (which do not report a level) have the level UNKNOWN.

Together these result in a network score (the effective link-security level), which is the lowest level of any server in the network. This is the "weakest link" principle, and it makes sense: for example, if any one server is not using SSL/TLS (level 0), the whole network is degraded to level 0.

What is the risk of level 0
Level 0 means that traffic between at least one pair of servers travels unencrypted. Anyone able to wiretap that link could read IRC conversations, user details, passwords, etc.

What is the risk of level 1
With level 1 server traffic is encrypted. However, because the SSL certificates are not verified, an active attacker positioned between two servers could still perform a MitM attack, allowing them to decrypt and read IRC conversations, user details, passwords, etc.

How to get from level 0 to level 1
Simple answer: make sure all your servers link using SSL/TLS.

By default UnrealIRCd 4.0.x will always link using SSL/TLS. UnrealIRCd 4.0.14 and later will reject non-SSL/TLS server connections by default. So, normally, and especially if you use 4.0.14 or later, you shouldn't ever sink to level 0 unless you misconfigured your server.

Steps to take:
 * 1) Check your link blocks, making sure you don't have the insecure option set.
 * 2) Check your services too. Like all servers they should either:
   * link securely using SSL/TLS, OR
   * link via 127.0.0.1 (such localhost server connections are permitted and not counted as insecure).
 * 3) For UnrealIRCd 4.0.14 and later: search for set::plaintext-policy in your configuration file(s). Perhaps you or another administrator deliberately degraded security. Remove the block altogether or use better settings. In particular, the server portion should be set to deny (which is the default).

How to get from level 1 to level 2
Verify your certificates on both sides of the link.

You have two options here:

Use verify-certificate
If you use real SSL certificates (which is really recommended), from Let's Encrypt or bought from a Certificate Authority, then you should use this one:

Edit your link block and add verify-certificate yes; to it, like this:

 link irc1.test.net {
     [..your current settings..]
     verify-certificate yes;
 };

Note that this assumes that irc1.test.net is serving a valid (not expired) certificate from a trusted Certificate Authority for the name irc1.test.net.

Now /REHASH, /SQUIT the server and /CONNECT it again. Make sure the server linking still works.

Verify by certificate fingerprint
Use this if you don't have a real certificate (not using Let's Encrypt or any other CA).

Use the certificate fingerprint in the link { } block as outlined in the Tutorial: Linking servers

Your link block will look something like this:

 link irc1.test.net {
     [..your current settings..]
     password "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF";
 };

After making the necessary configuration changes, be sure to rehash and SQUIT + CONNECT the server(s).
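The level rules and the weakest-link network score described above, applied to a constructed summary of a network's link blocks, as an added example (not UnrealIRCd's own code). It assumes a simplified LinkBlock model, that UNKNOWN ranks below level 0, and that plaintext links to 127.0.0.1 are left out of the score because the page says they are not counted as insecure; it also reports the remediation step from this page for each link that drags the score down.

```python
from dataclasses import dataclass
from typing import List

UNKNOWN = -1  # assumption: UNKNOWN ranks below level 0 in the weakest-link ordering


@dataclass
class LinkBlock:
    """Constructed summary of the link { } settings that decide a link's level."""
    name: str
    host: str                          # host/IP the link goes to
    tls: bool = True                   # False when the insecure option is set
    verify_certificate: bool = False   # verify-certificate yes;
    fingerprint_password: bool = False # password is a certificate fingerprint
    legacy: bool = False               # older UnrealIRCd/services: level UNKNOWN


def link_level(b: LinkBlock) -> int:
    """Level of a single link: 0 plaintext, 1 TLS unverified, 2 TLS verified."""
    if b.legacy:
        return UNKNOWN
    if not b.tls:
        return 0
    if b.verify_certificate or b.fingerprint_password:
        return 2
    return 1


def network_score(blocks: List[LinkBlock]) -> int:
    """Weakest link: the lowest level of all servers. Plaintext links via
    127.0.0.1 are permitted and not counted as insecure, so they are skipped."""
    levels = [link_level(b) for b in blocks
              if not (b.host == "127.0.0.1" and not b.tls)]
    return min(levels) if levels else 2   # assumption: nothing to degrade -> 2


def findings(blocks: List[LinkBlock], plaintext_policy_server: str = "deny") -> List[str]:
    """One remediation line per problem, following the steps on this page."""
    out = []
    if plaintext_policy_server != "deny":
        out.append("set::plaintext-policy::server is %r; set it to deny" % plaintext_policy_server)
    for b in blocks:
        lvl = link_level(b)
        if lvl == 0 and b.host != "127.0.0.1":
            out.append("%s: plaintext link (level 0); remove the insecure option" % b.name)
        elif lvl == 1:
            out.append("%s: certificate not verified (level 1); add verify-certificate yes; "
                       "or use a fingerprint password" % b.name)
        elif lvl == UNKNOWN:
            out.append("%s: level UNKNOWN (older server or services)" % b.name)
    return out
```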