ssl gnutls module (InspIRCd-1.2 version)
Allows you to specify ports to accept clients using SSLv3. See Secure_Sockets_Layer for information about SSL in general; this page addresses issues specific to the GnuTLS module.
Add ssl="gnutls" to a <bind> tag to enable SSL on that port, e.g.:
<bind address="" port="6667" type="clients" ssl="gnutls">
You may use SSL on a port of type "clients" or of type "servers"; on a server port, however, you must also define a 'transport' value:
<bind address="" port="6666" type="servers" transport="gnutls">
You cannot have SSL on port X on address 220.127.116.11 and plaintext on the same port on another address.
There is also a <gnutls> tag with several options:
All relative paths in the <gnutls> tag are resolved relative to the InspIRCd config directory; absolute paths are used exactly as given.
<gnutls cafile="ca.pem" crlfile="crl.pem" certfile="cert.pem" keyfile="key.pem" dh_bits="1024" certcount="4">
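The rules above (transport= is required on an SSL server port, one port number cannot be SSL on one address and plaintext on another, and relative <gnutls> paths resolve against the config directory) are easy to get wrong by hand. The following is an added checker, not part of InspIRCd or this page, that parses the tag syntax shown above and reports violations; the config directory and the sample tags are constructed assumptions.

```python
import re
from pathlib import PurePosixPath

# One InspIRCd config tag of the form <name key="value" key="value" ...>
TAG_RE = re.compile(r'<(\w+)((?:\s+\w+="[^"]*")*)\s*>')
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_tags(text):
    """Return every tag as a dict of its attributes, plus '_name' for the tag name."""
    tags = []
    for m in TAG_RE.finditer(text):
        attrs = dict(ATTR_RE.findall(m.group(2)))
        attrs["_name"] = m.group(1)
        tags.append(attrs)
    return tags

def check_binds(text):
    """Flag <bind> tags that break the rules given for the GnuTLS module."""
    problems = []
    plain_ports, ssl_ports = set(), set()
    for tag in parse_tags(text):
        if tag["_name"] != "bind":
            continue
        port = tag.get("port", "?")
        secured = tag.get("ssl") == "gnutls" or tag.get("transport") == "gnutls"
        # a server port that uses SSL must also carry transport="gnutls"
        if tag.get("type") == "servers" and secured and tag.get("transport") != "gnutls":
            problems.append(f'port {port}: SSL server bind must define transport="gnutls"')
        (ssl_ports if secured else plain_ports).add(port)
    # the same port number cannot be SSL on one address and plaintext on another
    for port in sorted(ssl_ports & plain_ports):
        problems.append(f"port {port}: bound both with and without SSL")
    return problems

def resolve_gnutls_paths(text, config_dir="/etc/inspircd"):
    """Resolve <gnutls> file paths: relative to config_dir, absolute left unchanged."""
    base = PurePosixPath(config_dir)  # assumed config directory
    resolved = {}
    for tag in parse_tags(text):
        if tag["_name"] != "gnutls":
            continue
        for key in ("cafile", "crlfile", "certfile", "keyfile"):
            if key in tag:
                p = PurePosixPath(tag[key])
                resolved[key] = str(p if p.is_absolute() else base / p)
    return resolved

# Constructed sample config, not taken from any real deployment
SAMPLE = """
<bind address="" port="6667" type="clients" ssl="gnutls">
<bind address="127.0.0.1" port="6667" type="clients">
<bind address="" port="6666" type="servers" ssl="gnutls">
<gnutls cafile="ca.pem" crlfile="/etc/ssl/crl.pem" certfile="cert.pem" keyfile="key.pem" dh_bits="1024" certcount="4">
"""
```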
Extended Bans (Extbans)
This module implements no extended bans.
This command causes all certificates to be reloaded and the Diffie-Hellman parameters to be regenerated; <bind> tags are also re-read.
In InspIRCd 1.2, clients may send STARTTLS before client registration to switch a plaintext socket to GnuTLS mode. From that point on the server expects the TLS handshake: no further plaintext should be sent, and there is no way to revert to plaintext.
For more information on STARTTLS see the STARTTLS Documentation page. Note that this command only works on plaintext ports - it will give an error on SSL ports, which start their handshake as soon as the connection is begun.
Important: The GnuTLS module can be unloaded with the /unloadmodule command, *however* this results in *all* users connected via the module being killed off the network with the reason "SSL module unloading", e.g.:
(23-14:53:46) -» (Om)(~om@NetAdmin.easnet.net) has quit (SSL module unloading)
Beware of unloading this module!
OpenSSL vs. GnuTLS
GnuTLS has been benchmarked against OpenSSL and is significantly faster. InspIRCd has both GnuTLS and OpenSSL support, but we recommend this GnuTLS version over the OpenSSL one: it should outperform it, and thanks to GnuTLS's nicer API the module itself is smaller and neater than the OpenSSL module.
This is the recommended SSL module!
This module requires libgnutls; it has currently been tested with the 1.2, 1.3, 2.2, 2.4 and 2.6 series of libgnutls. You must have the library and its header files installed in order to build the module.