ssl openssl module (2.0 version)
Allows SSL/TLS connections using the OpenSSL library. See Secure_Sockets_Layer for information about SSL in general; this page addresses issues specific to the OpenSSL module.
Add ssl="openssl" to a <bind> tag to enable SSL on that port, e.g.:
<bind address="" port="6666" type="clients" ssl="openssl">
You may use SSL on a bind block of any type. The following example shows a port for servers that uses OpenSSL:
<bind address="" port="6650" type="servers" ssl="openssl">
There is also an <openssl> tag with several options:
- <openssl:cafile> - The CA file to use, defaults to "ca.pem"
- <openssl:certfile> - The certificate file, defaults to "cert.pem"
- <openssl:keyfile> - The private key file, defaults to "key.pem"
- <openssl:dhfile> - The file containing the DH (Diffie Hellman) parameters used, defaults to "dhparams.pem"
- <openssl:hash> - The hash to use for certificate fingerprints. Defaults to MD5; you may also specify SHA1.
- <openssl:ciphers> - Cipher string, see the OpenSSL manual for more info
- <openssl:customcontextoptions> - Allows custom context options to be set if true. This is required for the following options to have any effect. Available in 2.0.18 and later.
- <openssl:cipherserverpref> - If on, the server's cipher preferences are used when choosing a cipher instead of the client's. When not set, the SSL server always follows the client's preferences. When set, the SSLv3/TLSv1 server chooses according to its own preferences.
- <openssl:compression> - Set to false to disallow compression.
- <openssl:sslv3> - Set to false to disallow usage of the SSLv3 protocol.
- <openssl:tlsv1> - Set to false to disallow usage of the TLSv1 protocol.
All relative paths in the <openssl> tag are treated as relative to the InspIRCd config directory; absolute paths are used as-is.
<openssl certfile="conf/cert.pem" keyfile="conf/key.pem" dhfile="conf/dhparams.pem" hash="sha1">
The following config options are NOT REQUIRED and should only be set if you know what you are doing.
Using the following options it is possible to set or clear any context option supported by OpenSSL:
- <openssl:serversetoptions> - Raw integer value of options to set on the server context.
- <openssl:serverclearoptions> - Raw integer value of options to clear on the server context.
- <openssl:clientsetoptions> - Raw integer value of options to set on the client context.
- <openssl:clientclearoptions> - Raw integer value of options to clear on the client context.
This OpenSSL manual page explains some of the options.
You DO NOT need to set these options normally!
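As an added example (not part of this wiki page or of InspIRCd itself), a small Python helper that composes the raw integer expected by serversetoptions / serverclearoptions from named OpenSSL context options, and decodes an existing value back into names so a config can be audited. It assumes Python's ssl module exposes the option values of the OpenSSL it was built against; those values may differ from the libssl your InspIRCd is linked with, so check them against that OpenSSL's headers.

```python
import ssl

# Named OpenSSL context options, with values taken from Python's ssl module
# (i.e. from the OpenSSL headers Python was built against). This table is an
# assumption for the example and only covers four commonly used options.
NAMED_OPTIONS = {
    "SSL_OP_NO_SSLv3": int(ssl.OP_NO_SSLv3),
    "SSL_OP_NO_TLSv1": int(ssl.OP_NO_TLSv1),
    "SSL_OP_NO_COMPRESSION": int(ssl.OP_NO_COMPRESSION),
    "SSL_OP_CIPHER_SERVER_PREFERENCE": int(ssl.OP_CIPHER_SERVER_PREFERENCE),
}


def compose_options(names):
    """OR the named options together into the raw integer the tag expects."""
    value = 0
    for name in names:
        value |= NAMED_OPTIONS[name]  # KeyError for an unknown name, on purpose
    return value


def decode_options(value):
    """Split a raw integer into (sorted known option names, leftover bits).

    Leftover bits are options this table does not know about; a non-zero
    leftover in a config you are auditing deserves a look at the headers.
    """
    names = sorted(n for n, bit in NAMED_OPTIONS.items() if (value & bit) == bit)
    known = compose_options(names)
    return names, value & ~known


def openssl_tag(set_names, clear_names=()):
    """Render an <openssl> tag (hypothetical layout) that sets/clears the given
    options on the server context. customcontextoptions is enabled because the
    page states it is needed for the custom context settings to take effect."""
    return (
        '<openssl customcontextoptions="true" '
        f'serversetoptions="{compose_options(set_names)}" '
        f'serverclearoptions="{compose_options(clear_names)}">'
    )


if __name__ == "__main__":
    # Example: disable SSLv3 and compression, and prefer the server's cipher order.
    wanted = ["SSL_OP_NO_SSLv3", "SSL_OP_NO_COMPRESSION", "SSL_OP_CIPHER_SERVER_PREFERENCE"]
    print(openssl_tag(wanted))
    print(decode_options(compose_options(wanted)))
```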
Extended Bans (Extbans)
This module implements no extended bans.
Will cause all the certificates and Diffie Hellman parameters to be reloaded, <bind> tags are also re-read.
Important: The OpenSSL module can be unloaded with the /unloadmodule command; *however*, this will result in *all* users connected via the module being killed off the network with the reason "SSL module unloading", e.g.:
(23-14:53:46) -» (Om)([email protected]) has quit (SSL module unloading)
Beware of unloading this module!
OpenSSL vs. GnuTLS
GnuTLS has been benchmarked against OpenSSL and is significantly faster. InspIRCd has both GnuTLS and OpenSSL support, but we recommend the GnuTLS module over this one: it should outperform it, and thanks to GnuTLS's nicer API the module itself is smaller and neater than the OpenSSL module.
This module requires libssl to work; currently it has been tested with the 0.9 versions of libssl. You must have this library and the appropriate header files in order to build the module.
Extra Module: This module is an 'extra' module. This means that by default it is not compiled when you type make to build your IRCd. To enable this module follow these steps.
Once the module is compiled you need to generate a private key, DH parameters and an SSL certificate. OpenSSL supplies a tool called 'openssl' which makes this process fairly easy. Just run these commands and move the output .pem files to wherever you configured:
openssl req -x509 -nodes -newkey rsa:2048 -keyout key.pem -out cert.pem
openssl dhparam -out dhparams.pem 2048
Of course, you may want to vary this to use a private key you already have, or to get the certificate signed by someone else. In which case:
Also, key generation is helped if you cause device activity while it runs, as this supplies random data.