[irc/gunnarbeutner/shroudbnc.git] / README.ssl

Secure Socket Layer (SSL)
-------------------------

Using the OpenSSL library shroudBNC supports encrypted client connections. Additionally client
certificates can be used for authenticating users.

Why?
----

IRC is often used over insecure/unencrypted connections. While the problem of monitoring networks
using packet sniffers might not be so obvious for (wired) LAN/WAN connections it becomes apparent
when considering wireless connections, e.g. on a campus, where every other WLAN user can tap into
your data transfers.

Compiling shroudBNC with support for SSL
----------------------------------------

The "configure" script detects whether you have the necessary openssl libraries/headers and
enables SSL support if possible.

How to set up shroudBNC for SSL
-------------------------------

shroudBNC supports two kinds of listeners: unencrypted and encrypted ones. During startup two
configuration settings are read to determine whether the user wants unencrypted, encrypted
listeners or both:

system.port - sets the port for the unencrypted listener
system.sslport - sets the port for the ssl-enabled listener

If neither of those settings are used, shroudBNC falls back to creating an unencrypted listener
on port 9000.

You can remove the "system.port" setting from your configuration file if you just want an
encrypted listener.

These settings can be set in the bouncer's main configuration file: sbnc.conf

Once you've enabled SSL shroudBNC expects to find the following files in your bouncer's directory:

sbnc.crt - the public part of the server's key
sbnc.key - the private part of the server's key

The "openssl" utility can be used to create certificates. You can also use "make sslcert", which
will generate an SSL certificate for you and install it in the appropriate directory.

Please note that you will need to run shroudBNC in the foreground (i.e. using the --foreground
parameter) if your private key has a passphrase. It is therefore recommended to remove the passphrase
(after verifying that the file permissions are sufficiently secure).

Client Certificates
-------------------

Clients like irssi or mIRC which support client certificates can use such certificates for
authentication.

When you want to set the public key you are going to use for your bouncer account you have
to log in using your client certificate AND your password (obviously because the bouncer
doesn't know your public key yet).

Once you're logged in you can use /sbnc savecert to tell shroudBNC that the client certificate you
are currently using is to be trusted for public key authentication.

Use /sbnc showcert to check that the certificate was saved correctly. You should now be able to
log in using this client certificate.

(You can also set your public key by putting a x509 certificate into your users/ directory. The
file's name should be <username>.crt, where <username> is your username. However this requires
a restart as shroudBNC only reads the certificate files during startup.)
Commit	Line	Data
a92888a3 GB	1	Secure Socket Layer (SSL)
	2	-------------------------
	3
71d93507 GB	4	Using the OpenSSL library shroudBNC supports encrypted client connections. Additionally client
71d93507 GB	5	certificates can be used for authenticating users.
a92888a3 GB	6
	7	Why?
	8	----
	9
71d93507 GB	10	IRC is often used over insecure/unencrypted connections. While the problem of monitoring networks
	11	using packet sniffers might not be so obvious for (wired) LAN/WAN connections it becomes apparent
	12	when considering wireless connections, e.g. on a campus, where every other WLAN user can tap into
	13	your data transfers.
a92888a3	14
700470f5 GB	15	Compiling shroudBNC with support for SSL
700470f5 GB	16	----------------------------------------
a92888a3	17
71d93507 GB	18	The "configure" script detects whether you have the necessary openssl libraries/headers and
71d93507 GB	19	enables SSL support if possible.
a92888a3	20
700470f5 GB	21	How to set up shroudBNC for SSL
700470f5 GB	22	-------------------------------
a92888a3	23
700470f5	24	shroudBNC supports two kinds of listeners: unencrypted and encrypted ones. During startup two
71d93507 GB	25	configuration settings are read to determine whether the user wants unencrypted, encrypted
71d93507 GB	26	listeners or both:
a92888a3 GB	27
	28	system.port - sets the port for the unencrypted listener
	29	system.sslport - sets the port for the ssl-enabled listener
	30
700470f5 GB	31	If neither of those settings are used, shroudBNC falls back to creating an unencrypted listener
700470f5 GB	32	on port 9000.
a92888a3	33
71d93507 GB	34	You can remove the "system.port" setting from your configuration file if you just want an
71d93507 GB	35	encrypted listener.
a92888a3 GB	36
	37	These settings can be set in the bouncer's main configuration file: sbnc.conf
	38
700470f5	39	Once you've enabled SSL shroudBNC expects to find the following files in your bouncer's directory:
a92888a3	40
a92888a3 GB	41	sbnc.crt - the public part of the server's key
	42	sbnc.key - the private part of the server's key
	43
890b6f37 GB	44	The "openssl" utility can be used to create certificates. You can also use "make sslcert", which
890b6f37 GB	45	will generate an SSL certificate for you and install it in the appropriate directory.
a92888a3	46
700470f5 GB	47	Please note that you will need to run shroudBNC in the foreground (i.e. using the --foreground
	48	parameter) if your private key has a passphrase. It is therefore recommended to remove the passphrase
	49	(after verifying that the file permissions are sufficiently secure).
	50
a92888a3 GB	51	Client Certificates
	52	-------------------
	53
71d93507 GB	54	Clients like irssi or mIRC which support client certificates can use such certificates for
71d93507 GB	55	authentication.
a92888a3	56
71d93507 GB	57	When you want to set the public key you are going to use for your bouncer account you have
	58	to log in using your client certificate AND your password (obviously because the bouncer
	59	doesn't know your public key yet).
a92888a3	60
700470f5	61	Once you're logged in you can use /sbnc savecert to tell shroudBNC that the client certificate you
71d93507	62	are currently using is to be trusted for public key authentication.
5e1e4011	63
71d93507 GB	64	Use /sbnc showcert to check that the certificate was saved correctly. You should now be able to
71d93507 GB	65	log in using this client certificate.
40dfab3f	66
71d93507 GB	67	(You can also set your public key by putting a x509 certificate into your users/ directory. The
71d93507 GB	68	file's name should be <username>.crt, where <username> is your username. However this requires
700470f5	69	a restart as shroudBNC only reads the certificate files during startup.)