Secure Socket Layer (SSL)
-------------------------

Using the OpenSSL library, shroudBNC supports encrypted client connections. Additionally, client
certificates can be used for authenticating users.

Why?
----

IRC is often used over insecure/unencrypted connections. While the problem of monitoring networks
using packet sniffers might not be so obvious for (wired) LAN/WAN connections, it becomes apparent
when considering wireless connections, e.g. on a campus, where every other WLAN user can tap into
your data transfers.

Compiling shroudBNC with support for SSL
----------------------------------------

The "configure" script detects whether you have the necessary OpenSSL libraries/headers and
enables SSL support if possible.

How to set up shroudBNC for SSL
-------------------------------

shroudBNC supports two kinds of listeners: unencrypted and encrypted ones. During startup two
configuration settings are read to determine whether the user wants unencrypted listeners, encrypted
listeners or both:

system.port - sets the port for the unencrypted listener
system.sslport - sets the port for the SSL-enabled listener

If neither of those settings is used, shroudBNC falls back to creating an unencrypted listener
on port 9000.

You can remove the "system.port" setting from your configuration file if you just want an
encrypted listener.

These settings can be set in the bouncer's main configuration file: sbnc.conf

Once you've enabled SSL, shroudBNC expects to find the following files in your bouncer's directory:

sbnc.crt - the public part of the server's key
sbnc.key - the private part of the server's key

The "openssl" utility can be used to create certificates. You can also use "make sslcert", which
will generate an SSL certificate for you and install it in the appropriate directory.

Please note that you will need to run shroudBNC in the foreground (i.e. using the --foreground
parameter) if your private key has a passphrase. It is therefore recommended to remove the passphrase
(after verifying that the file permissions are sufficiently secure).

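The following script is an added example for this document; it is not part of shroudBNC or its build system. It prepares a bouncer directory for an SSL-only listener and then checks the three things the section above warns about: an unencrypted listener still being enabled through system.port, a private key that still has a passphrase (which would force --foreground), and a key file readable by other users. It assumes that sbnc.conf uses "key=value" lines, that the "openssl" command-line tool is installed, and the port 9001 and the CN "bouncer.example" are constructed values.

```shell
#!/bin/sh
# Added example, not shroudBNC's own code. Assumes sbnc.conf is "key=value"
# per line and that the openssl CLI is available; 9001 and the CN are
# constructed values.

# Write sbnc.conf with only system.sslport, so no plain-text listener is
# created (system.port is deliberately left out).
write_listener_config() {
    dir="$1"; port="$2"
    mkdir -p "$dir"
    printf 'system.sslport=%s\n' "$port" > "$dir/sbnc.conf"
}

# Generate a self-signed server certificate. -nodes leaves the private key
# without a passphrase so the bouncer can be started in the background, and
# the key file is made readable by its owner only.
make_server_cert() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=bouncer.example" \
        -keyout "$dir/sbnc.key" -out "$dir/sbnc.crt" 2>/dev/null
    chmod 600 "$dir/sbnc.key"
}

# Return 0 if the directory is ready for an SSL-only bouncer; otherwise print
# every finding on stderr and return 1.
check_bouncer_dir() {
    dir="$1"; rc=0
    if grep -q '^system\.port[ =]' "$dir/sbnc.conf" 2>/dev/null; then
        echo "finding: system.port is set, an unencrypted listener will be created" >&2; rc=1
    fi
    if ! grep -q '^system\.sslport[ =]' "$dir/sbnc.conf" 2>/dev/null; then
        echo "finding: system.sslport is not set, no SSL listener will be created" >&2; rc=1
    fi
    for f in sbnc.crt sbnc.key; do
        [ -f "$dir/$f" ] || { echo "finding: $dir/$f is missing" >&2; rc=1; }
    done
    if [ -f "$dir/sbnc.key" ]; then
        # Passphrase-protected PEM keys carry "Proc-Type: 4,ENCRYPTED" or a
        # "BEGIN ENCRYPTED PRIVATE KEY" header; either means a prompt at startup.
        if grep -q 'ENCRYPTED' "$dir/sbnc.key"; then
            echo "finding: sbnc.key has a passphrase; shroudBNC would need --foreground" >&2; rc=1
        fi
        # Group and other permission bits are columns 5-10 of "ls -l" output.
        perms=$(ls -ld "$dir/sbnc.key" | cut -c5-10)
        if [ "$perms" != "------" ]; then
            echo "finding: sbnc.key is readable by group/others ($perms); use chmod 600" >&2; rc=1
        fi
    fi
    return $rc
}

# Usage: sh sbnc_ssl_setup.sh setup /path/to/bouncer
if [ "${1:-}" = "setup" ]; then
    write_listener_config "$2" 9001
    make_server_cert "$2"
    check_bouncer_dir "$2" && echo "ready: SSL-only listener on port 9001"
fi
```

check_bouncer_dir can be run on its own against an existing bouncer directory before starting shroudBNC; it reports rather than fixes, so a key that already has a passphrase is left untouched for you to decide about.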
Client Certificates
-------------------

Clients like irssi or mIRC which support client certificates can use such certificates for
authentication.

When you want to set the public key you are going to use for your bouncer account, you have
to log in using your client certificate AND your password (obviously, because the bouncer
doesn't know your public key yet).

Once you're logged in, you can use /sbnc savecert to tell shroudBNC that the client certificate you
are currently using is to be trusted for public key authentication.

Use /sbnc showcert to check that the certificate was saved correctly. You should now be able to
log in using this client certificate.

(You can also set your public key by putting an X.509 certificate into your users/ directory. The
file's name should be <username>.crt, where <username> is your username. However, this requires
a restart as shroudBNC only reads the certificate files during startup.)
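The following script is an added example for this document, not part of shroudBNC itself. It covers the file-based alternative described in the last paragraph: installing a client certificate as users/<username>.crt. Before copying, it checks that the file is a PEM certificate and not, by mistake, the client's private key (a common slip when both were generated by one "openssl req" call), and that the username is a plain name so the target path stays inside users/. It assumes the users/ directory lives directly under the bouncer directory; the username and certificate contents in the usage are constructed.

```shell
#!/bin/sh
# Added example, not shroudBNC's own code. Assumes <bncdir>/users/ is the
# directory shroudBNC reads <username>.crt from at startup.

# Return 0 if the file holds exactly one PEM CERTIFICATE block and no
# private-key block; print the reason to stderr and return 1 otherwise.
validate_client_cert() {
    f="$1"
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    if grep -q 'PRIVATE KEY' "$f"; then
        echo "refusing $f: it contains a private key; only the certificate belongs in users/" >&2
        return 1
    fi
    # grep -c prints the count even when it is 0 (and then exits 1), hence || true
    n=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$f" || true)
    if [ "$n" -ne 1 ]; then
        echo "refusing $f: expected one PEM certificate block, found $n" >&2
        return 1
    fi
    grep -q '^-----END CERTIFICATE-----$' "$f" || {
        echo "refusing $f: certificate block is not terminated" >&2; return 1; }
    return 0
}

# Copy the validated certificate to <bncdir>/users/<username>.crt and print
# the installed path. shroudBNC only reads it at startup, so restart afterwards.
install_client_cert() {
    bncdir="$1"; username="$2"; certfile="$3"
    validate_client_cert "$certfile" || return 1
    # Reject anything that is not a plain account name (no "/", "..", spaces).
    case "$username" in
        ""|*[!A-Za-z0-9_-]*) echo "refusing username '$username': not a plain name" >&2; return 1 ;;
    esac
    mkdir -p "$bncdir/users"
    cp "$certfile" "$bncdir/users/$username.crt"
    # The certificate is public; the bouncer process only needs to read it.
    chmod 644 "$bncdir/users/$username.crt"
    echo "$bncdir/users/$username.crt"
}

# Usage: sh sbnc_client_cert.sh install /path/to/bouncer alice alice.pem
if [ "${1:-}" = "install" ]; then
    install_client_cert "$2" "$3" "$4" && echo "installed; restart shroudBNC to load it"
fi
```

The same validate_client_cert check is useful before exporting a certificate from irssi or mIRC to the bouncer host: those clients typically keep certificate and key in one .pem file, and only the certificate part should leave the client machine.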