The InspIRCd Project

Modules/1.1/ssl openssl



ssl openssl module (InspIRCd-1.1 version)

Description
Allows you to specify ports to accept clients using SSLv3. See Secure_Sockets_Layer for information about SSL in general; this page addresses issues specific to the OpenSSL module.
Configuration Tags
Add ssl="openssl" to a <bind> tag to enable SSL on that port, eg:
<bind address="" port="6666" type="clients" ssl="openssl">

You may use SSL on a port with a type of "clients" or of type "servers", however if you use ssl on a server port, you must define a 'transport' value:

<bind address="" port="6666" type="servers" transport="openssl">

In 1.2 and earlier, you cannot have SSL on port X on address 1.2.3.4 and plaintext on the same port on another address.

There is also a <openssl> tag with several options:

  • <openssl:cafile> - The CA file to use, defaults to "ca.pem"
  • <openssl:certfile> - The certificate file, defaults to "cert.pem"
  • <openssl:keyfile> - The private key file, defaults to "key.pem"
  • <openssl:dhfile> - The file containing the DH (Diffie Hellman) parameters used, defaults to "dhparams.pem"
  • <openssl:hash> - The hash to use for fingerprints. Defaults to MD5; in 2.0 and later you may also specify SHA1.

All relative paths in the <openssl> tag are treated as relative to the inspircd config directory, absolute ones are treated as...absolute.

Example:

<openssl cafile="ca.pem" certfile="cert.pem" keyfile="key.pem" dhfile="dhparams.pem">
Modes
See m_sslmodes.so
Extended Bans (Extbans)
This module implements no extended bans.
Commands
Issuing:
/rehash ssl

Will cause all the certificates and Diffie Hellman parameters to be reloaded; <bind> tags are also re-read.

Special Notes
Important: The OpenSSL module can be unloaded with the /unloadmodule command, *however* this will result in *all* users connected via the module being killed off the network with the reason "SSL module unloading", eg:
(23-14:53:46)  -» (Om)(~om@NetAdmin.easnet.net) has quit (SSL module unloading)

Beware of unloading this module!


OpenSSL vs. GnuTLS
GnuTLS has been benchmarked against OpenSSL and is significantly faster. InspIRCd supports both GnuTLS and OpenSSL, but we recommend the GnuTLS version over this one: it should outperform it, and thanks to GnuTLS's nicer API the module itself is smaller and neater than the OpenSSL module.

GnuTLS Recommended!


Installation
This module requires libssl to work; currently it has been tested with the 0.9 versions of libssl. You must have this library and the appropriate header files in order to build the module.

Once the module is compiled you need to generate a private key, DH parameters and an SSL certificate. OpenSSL supplies a tool called 'openssl' which makes this process fairly easy. Just run these commands and move the output .pem files to wherever you configured:

openssl req -x509 -nodes -newkey rsa:1024 -keyout key.pem -out cert.pem
openssl dhparam -out dhparams.pem 1024

Of course you may want to vary this to use a private key you already have, or to get the certificate signed by someone else. In which case:

man openssl
man req

Also, it will aid key generation if you cause device activity while it runs; this helps supply random data.
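The configuration and installation steps above, tied together as an added example script (not part of the InspIRCd project or this wiki page): it runs the two key-generation commands in the same shape as the wiki shows them, checks that the certificate really belongs to the key and that the DH parameters are sane, prints the certificate fingerprint in MD5 or SHA1 form to match the <openssl:hash> setting, and emits <bind> and <openssl> tags that use absolute paths so nothing depends on the config directory. Assumptions: the openssl(1) command-line tool is installed, the subject name irc.example.invalid and the output directory are constructed placeholders, and the key and DH sizes are parameters that default to 2048 rather than the 1024 used in the wiki's commands.

```shell
#!/bin/sh
# Added example, not InspIRCd's own tooling. Assumes openssl(1) is installed.
set -e

# Generate key.pem, cert.pem and dhparams.pem in directory $1.
# $2 = RSA key size, $3 = DH parameter size, $4 = certificate lifetime (days).
gen_inspircd_ssl() {
    dir=$1; rsa_bits=${2:-2048}; dh_bits=${3:-2048}; days=${4:-365}
    mkdir -p "$dir"
    # Same command as the wiki, plus -subj so it runs non-interactively and
    # -days so the lifetime is explicit. The CN is a constructed placeholder.
    openssl req -x509 -nodes -newkey "rsa:$rsa_bits" -days "$days" \
        -subj "/CN=irc.example.invalid" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    openssl dhparam -out "$dir/dhparams.pem" "$dh_bits" 2>/dev/null
    # The private key must not be readable by other users on the box.
    chmod 600 "$dir/key.pem"
}

# Succeeds only if cert.pem carries the public half of key.pem
# (compares the SubjectPublicKeyInfo extracted from each side).
cert_matches_key() {
    c=$(openssl x509 -in "$1/cert.pem" -noout -pubkey | openssl dgst -sha256)
    k=$(openssl pkey -in "$1/key.pem" -pubout 2>/dev/null | openssl dgst -sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Succeeds if openssl's own consistency check accepts dhparams.pem.
dhparams_ok() {
    openssl dhparam -in "$1/dhparams.pem" -noout -check 2>&1 |
        grep -qi 'appear to be ok'
}

# Fingerprint of cert.pem using digest $2 (md5 or sha1, the values the
# <openssl:hash> option takes), printed as bare lowercase hex so it is easy
# to compare against what the server reports.
cert_fingerprint() {
    openssl x509 -in "$1/cert.pem" -noout -fingerprint "-$2" |
        cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}

# Print a client <bind> tag for port $2 and an <openssl> tag that refers to
# the generated files by absolute path. cafile is left at its default here.
write_ssl_conf() {
    absdir=$(cd "$1" && pwd)
    cat <<EOF
<bind address="" port="$2" type="clients" ssl="openssl">
<openssl certfile="$absdir/cert.pem" keyfile="$absdir/key.pem" dhfile="$absdir/dhparams.pem">
EOF
}

# Usage: sh this-script.sh /path/to/ssl-dir [port]
if [ $# -ge 1 ]; then
    gen_inspircd_ssl "$1"
    cert_matches_key "$1" || { echo "cert.pem does not match key.pem" >&2; exit 1; }
    dhparams_ok "$1"      || { echo "dhparams.pem failed the check" >&2; exit 1; }
    echo "MD5 fingerprint:  $(cert_fingerprint "$1" md5)"
    echo "SHA1 fingerprint: $(cert_fingerprint "$1" sha1)"
    write_ssl_conf "$1" "${2:-6697}"
fi
```

The matching check is the one worth keeping around: a server that loads a certificate issued for a different key will not serve SSL correctly, and the fingerprint output is what you compare against the value the server reports for the chosen <openssl:hash> digest.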

Extra Module
This module is an 'extra' module. This means that by default it is not compiled when you type make to build your IRCd. To enable this module follow these steps.