ssl gnutls module (2.0 version)
|2.0 Documentation||3.0 Documentation|
|Return to the 2.0 Module List|
|Allows SSL/TLS connections using the GnuTLS library. See Secure Sockets Layer for information about SSL in general; this page addresses issues specific to the GnuTLS module.|
| Add ssl="gnutls" to a <bind> tag to enable SSL on that port, eg:
<bind address="" port="6667" type="clients" ssl="gnutls"> <bind address="" port="6666" type="servers" ssl="gnutls">
You may use SSL on a port with a type of "clients" or of type "servers". You can also have SSL on port X on address 18.104.22.168 and plaintext on the same port on another address.
There is also a <gnutls> tag with several options:
All relative paths in the <gnutls> tag are treated as relative to the inspircd config directory, absolute ones are treated as...absolute.
<gnutls certfile="conf/cert.pem" keyfile="conf/key.pem" priority="NORMAL:-MD5" hash="sha1">
|This module implements no extended bans.|
This command will cause all the certificates to be reloaded and Diffie Hellman parameters regenerated, <bind> tags are also re-read.
In 1.2 of InspIRCd, clients may send STARTTLS before client registration to switch a plaintext socket to GNUTLS mode. After this point, the server expects the TLS handshake. No further plaintext should be sent and there is no way to revert back to plaintext after this point.
For more information on STARTTLS see the STARTTLS Documentation page. Note that this command only works on plaintext ports - it will give an error on SSL ports, which start their handshake as soon as the connection is begun.
| Important: The GnuTLS module can be unloaded with the /unloadmodule command, *however* this will result in *all* users connecting via the module to be killed off the network with the reason "SSL module unloading", eg:
(23-14:53:46) -» (Om)([email protected]) has quit (SSL module unloading)
Beware of unloading this module!
| GnuTLS has been benchmarked against OpenSSL and GnuTLS is significantly faster, InspIRCd has both GnuTLS and OpenSSL support but we recommend this GnuTLS version over the OpenSSL one! It should outperform it and due to GnuTLS's nicer API the module itself is smaller and neater than the OpenSSL module.
This is the recommended SSL module!
| This module requires libgnutls to work. If you are using a GnuTLS version older than 2.12 then libgcrypt is also required. You must have these and the appropriate header files in order to build the module.