Modules/2.0/ssl gnutls

From the makers of InspIRCd.
Jump to: navigation, search

ssl gnutls module (2.0 version)

Current Future
2.0 Documentation 3.0 Documentation
Return to the 2.0 Module List
Allows SSL/TLS connections using the GnuTLS library. See Secure Sockets Layer for information about SSL in general; this page addresses issues specific to the GnuTLS module.
Configuration Tags
Add ssl="gnutls" to a <bind> tag to enable SSL on that port, eg:
<bind address="" port="6667" type="clients" ssl="gnutls">
<bind address="" port="6666" type="servers" ssl="gnutls">

You may use SSL on a port with a type of "clients" or of type "servers". You can also have SSL on port X on address and plaintext on the same port on another address.

There is also a <gnutls> tag with several options:

  • <gnutls:cafile> - The CA file to use, defaults to "ca.pem"
  • <gnutls:crlfile> - The CRL file to use, defaults to "crl.pem"
  • <gnutls:certfile> - The certificate file, defaults to "cert.pem"
  • <gnutls:keyfile> - The private key file, defaults to "key.pem"
  • <gnutls:dhfile> - The file containing DH params, no default
  • <gnutls:dhbits> - The number of bits to use for DH (Diffie Hellman) parameter generation, defaults to 1024. May be 768, 1024, 2048, 3072 or 4096.
  • <gnutls:hash> - The hash to use for fingerprints. Defaults to MD5; you may also specify SHA1.
  • <gnutls:priority> - Priority string, see the GnuTLS manual for more info

All relative paths in the <gnutls> tag are treated as relative to the inspircd config directory, absolute ones are treated as...absolute.


<gnutls certfile="conf/cert.pem" keyfile="conf/key.pem" priority="NORMAL:-MD5" hash="sha1">
See m_sslmodes
Extended Bans (Extbans)
This module implements no extended bans.

This command will cause all the certificates to be reloaded and Diffie Hellman parameters regenerated, <bind> tags are also re-read.


In 1.2 of InspIRCd, clients may send STARTTLS before client registration to switch a plaintext socket to GNUTLS mode. After this point, the server expects the TLS handshake. No further plaintext should be sent and there is no way to revert back to plaintext after this point.

For more information on STARTTLS see the STARTTLS Documentation page. Note that this command only works on plaintext ports - it will give an error on SSL ports, which start their handshake as soon as the connection is begun.

Special Notes
Important: The GnuTLS module can be unloaded with the /unloadmodule command, *however* this will result in *all* users connecting via the module to be killed off the network with the reason "SSL module unloading", eg:
(23-14:53:46)  -» (Om)([email protected]) has quit (SSL module unloading)

Beware of unloading this module!

OpenSSL vs. GnuTLS
GnuTLS has been benchmarked against OpenSSL and GnuTLS is significantly faster, InspIRCd has both GnuTLS and OpenSSL support but we recommend this GnuTLS version over the OpenSSL one! It should outperform it and due to GnuTLS's nicer API the module itself is smaller and neater than the OpenSSL module.

This is the recommended SSL module!

This module requires libgnutls to work. If you are using a GnuTLS version older than 2.12 then libgcrypt is also required. You must have these and the appropriate header files in order to build the module.

Once the module is compiled you need to generate a private key and an ssl certificate, GnuTLS supplies a tool called 'certtool' (or 'gnutls-certtool on OS X) which makes this process fairly easy. Just run these two commands and move the output .pem files to wherever you configured.

certtool --generate-privkey --outfile key.pem
certtool --generate-self-signed --load-privkey key.pem --outfile cert.pem

Of course you may want to vary this to use a private key you already have, or to get the certificate signed by someone else. In which case:

man certtool

Also, some users have had issues with certtool, GnuTLS provide an excellent library but not such a great certificate tool. If your key takes a long time to generate and you also have OpenSSL installed you can generate a key and certificate with the following command:

openssl req -x509 -nodes -newkey rsa:1024 -keyout key.pem -out cert.pem

Also it will aid in the key generation if you cause device activity during the generation, this helps supply random data.

If you are using certificates that need chaining, please note that unlike openssl, GnuTLS expects the server certificate to contain both the server certificate AND the certificate chain (simply concatenating the files will work). There is no separate setting to the certificate chain.

Installation of GnuTLS to your home directory

In the instance where you do not have root access to the place where you will be running InspIRCd, and you still want to use GnuTLS, you must install it to your home directory.

InspIRCd is designed in such a way that if you do this, it will work, so long as the GnuTLS binaries are in the PATH. Usually, most Linux and BSD distributions insert /home/username/bin or ~/bin into the path, so by copying certtool and libgnutls-config to this directory, you can make GnuTLS function as expected with InspIRCd. So long as it can execute these binaries, it can successfully compile, and detect the libraries it needs.

Package Systems

Some distro's have decided to package GnuTLS in a unique manner. You may need to check to make sure you install all the required packages as it may be more than one. pkg-config is also required for GnuTLS detection as of InspIRCd 1.2rc4 and InspIRCd 1.1.23. For example:

Debian 4/Etch

 apt-get install libgnutls13 libgnutls-dev gnutls-bin pkg-config

Debian 5/Lenny

 apt-get install libgnutls26 libgnutls-dev gnutls-bin pkg-config

Ubuntu 8.04 LTS "Hardy Heron" to 16.04

 apt-get install gnutls-bin gnutls-dev pkg-config

Fedora 7

 yum install gnutls gnutls-devel gnutls-utils pkgconfig

Please check with your Distro's documentation and ensure all components are loaded before reporting a fault.

Extra ModuleThis module is an 'extra' module. This means that by default it is not compiled when you type make to build your IRCd. To enable this module follow these steps.