Skip to content

TLS implementation#74

Merged
Ratler merged 27 commits into
UndernetIRC:mainfrom
MrIron-no:tls
Jul 10, 2026
Merged

TLS implementation#74
Ratler merged 27 commits into
UndernetIRC:mainfrom
MrIron-no:tls

Conversation

@MrIron-no

Copy link
Copy Markdown
Contributor

No description provided.

@eaescob

eaescob commented Mar 11, 2026

Copy link
Copy Markdown

I wonder if admins would event want to define ciphers. If no ciphers are provided, which ones will ircu default to? Did IRC clients add TLS support post SSLv3? Just trying to understand if we even need the SSLv3 bits.

@MrIron-no

Copy link
Copy Markdown
Contributor Author

Hi, this introduces S2S too.

@eaescob

eaescob commented Mar 11, 2026

Copy link
Copy Markdown

Hi, this introduces S2S too.

Yup! Just got to the server part. Edited my comment

entrope and others added 19 commits March 27, 2026 17:37
Add a user mode FLAG_TLS (+z) to indicate users connected via SSL or TLS.
Add a channel mode MODE_TLSONLY (+Z) to only allow +z users to join or
send messages to the channel.
Add configuration settings and features to allow configuration of the
underlying TLS library.

The underlying TLS library is selected by ./configure --with-tls=<NAME>,
among several available implementations (include a stub, "none").  By
design (to make behavior homogenous across a network), very little code
depends on whether TLS is actually available or not.
Add ircd_tls_listen() to configure a TLS listener.  Require this to
succeed on any TLS-enabled listening port.
Delete ircd_tls_fingerprint_matches() in favor of cli_tls_fingerprint.
…the connection. start_auth() is now called from ET_WRITE which immediately return
MrIron-no and others added 6 commits May 22, 2026 13:27
The AX_CHECK_OPENSSL macro (m4/ax_check_openssl.m4) was only found
locally because autoconf-archive is installed system-wide. On a clean
runner without it, aclocal never searched the committed m4/ directory,
leaving AX_CHECK_OPENSSL unexpanded in configure and causing a shell
syntax error. Point autoconf/aclocal at m4/ via AC_CONFIG_MACRO_DIRS
and ACLOCAL_AMFLAGS.
Close TLS before freeing connections on socket destroy to avoid tearing
down state still referenced by the TLS stack. Only accept TLS fingerprint
updates in user MODE from servers, not direct clients. Fix numeric reply
lookups that aborted asserted builds on secure WHOIS and later codes.

Co-authored-by: Cursor <cursoragent@cursor.com>
Move CA trust and peer verification out of global Features and into
each Port and Connect block (tls cacertfile, tls cacertdir,
tls systemca, tls verifypeer, tls ciphers). TLS_SYSTEMCA remains as
the default when systemca is unset and no block-specific CA paths are
given; TLS_CACERTFILE, TLS_CACERTDIR, and TLS_ALLOW_SELFSIGNED are
removed.

Wire the new settings through listener setup: configure TLS before
registering sockets, only mark listeners active on success, and reject
plaintext accepts on TLS ports. Implement per-listener and per-connect
TLS contexts in OpenSSL, GnuTLS, and libtls, and fix peer certificate
verification in all three backends when tls verifypeer = yes.

Co-authored-by: Cursor <cursoragent@cursor.com>
Centralize peer-cert and PKIX verification in shared helpers and apply
them consistently in OpenSSL, GnuTLS, and libtls. Fingerprint-only links
pin the cert without enforcing expiry; verifypeer requires full CA validation.

Fix OpenSSL/GnuTLS TLS listeners not binding on startup because global
TLS init runs after config parse. Log policy failures via Debug() and
send an operator notice when inbound server-port TLS negotiation fails.

Add Docker TLS test hub/leaf, test PKI, and pytest coverage for client
TLS, S2S fingerprint/CA modes, and all three TLS backends. Switch test
images to Debian trixie with a selectable TLS_BACKEND build arg.

Co-authored-by: Cursor <cursoragent@cursor.com>
MrIron-no and others added 2 commits July 10, 2026 23:52
REHASH s now rebuilds global, listener, and Connect block TLS state across
OpenSSL, GnuTLS, and libtls, preserving existing contexts when reload fails.
Add Connect-block hostname checks after SERVER for verifypeer links, with
integration tests and documentation for the Port/Connect split.

Co-authored-by: Cursor <cursoragent@cursor.com>
Add TLS security regression tests covering the findings from the security
review:
  - RPL_WHOISSECURE reported for TLS users, absent for plaintext (M1)
  - MODE +z cannot forge secure status or a TLS fingerprint from a client,
    and cannot satisfy a fingerprint-pinned oper block (H3)
  - handshakes below TLS 1.2 are rejected (M5)
  - abrupt close mid-handshake keeps the server healthy (H2)
  - a stalled handshake is timed out rather than hanging (L1)

Add a fingerprint-pinned "fpoper" Operator block to the TLS hub config to
drive the H3 oper-bypass test.

Fix flaky hub<->leaf link tests: both configs had autoconnect = yes on the
same link, so the servers dialed each other simultaneously, collided, and
did not retry within the test window (connectfreq is 5 minutes). Disable
autoconnect on those blocks and drive linking deterministically via an
opered CONNECT (new connect_link helper), so each test exercises its named
outbound direction without the race.
@Ratler Ratler merged commit f4b5e75 into UndernetIRC:main Jul 10, 2026
1 check passed
@MrIron-no MrIron-no deleted the tls branch July 10, 2026 23:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants