TLS implementation#74
Merged
Merged
Conversation
|
I wonder if admins would event want to define ciphers. If no ciphers are provided, which ones will ircu default to? Did IRC clients add TLS support post SSLv3? Just trying to understand if we even need the SSLv3 bits. |
Contributor
Author
|
Hi, this introduces S2S too. |
Yup! Just got to the server part. Edited my comment |
Add a user mode FLAG_TLS (+z) to indicate users connected via SSL or TLS. Add a channel mode MODE_TLSONLY (+Z) to only allow +z users to join or send messages to the channel. Add configuration settings and features to allow configuration of the underlying TLS library. The underlying TLS library is selected by ./configure --with-tls=<NAME>, among several available implementations (include a stub, "none"). By design (to make behavior homogenous across a network), very little code depends on whether TLS is actually available or not.
…plementation is specified in --with-tls
Add ircd_tls_listen() to configure a TLS listener. Require this to succeed on any TLS-enabled listening port. Delete ircd_tls_fingerprint_matches() in favor of cli_tls_fingerprint.
…SL_ERROR_WANT_WRITE
…the connection. start_auth() is now called from ET_WRITE which immediately return
The AX_CHECK_OPENSSL macro (m4/ax_check_openssl.m4) was only found locally because autoconf-archive is installed system-wide. On a clean runner without it, aclocal never searched the committed m4/ directory, leaving AX_CHECK_OPENSSL unexpanded in configure and causing a shell syntax error. Point autoconf/aclocal at m4/ via AC_CONFIG_MACRO_DIRS and ACLOCAL_AMFLAGS.
Close TLS before freeing connections on socket destroy to avoid tearing down state still referenced by the TLS stack. Only accept TLS fingerprint updates in user MODE from servers, not direct clients. Fix numeric reply lookups that aborted asserted builds on secure WHOIS and later codes. Co-authored-by: Cursor <cursoragent@cursor.com>
Move CA trust and peer verification out of global Features and into each Port and Connect block (tls cacertfile, tls cacertdir, tls systemca, tls verifypeer, tls ciphers). TLS_SYSTEMCA remains as the default when systemca is unset and no block-specific CA paths are given; TLS_CACERTFILE, TLS_CACERTDIR, and TLS_ALLOW_SELFSIGNED are removed. Wire the new settings through listener setup: configure TLS before registering sockets, only mark listeners active on success, and reject plaintext accepts on TLS ports. Implement per-listener and per-connect TLS contexts in OpenSSL, GnuTLS, and libtls, and fix peer certificate verification in all three backends when tls verifypeer = yes. Co-authored-by: Cursor <cursoragent@cursor.com>
Centralize peer-cert and PKIX verification in shared helpers and apply them consistently in OpenSSL, GnuTLS, and libtls. Fingerprint-only links pin the cert without enforcing expiry; verifypeer requires full CA validation. Fix OpenSSL/GnuTLS TLS listeners not binding on startup because global TLS init runs after config parse. Log policy failures via Debug() and send an operator notice when inbound server-port TLS negotiation fails. Add Docker TLS test hub/leaf, test PKI, and pytest coverage for client TLS, S2S fingerprint/CA modes, and all three TLS backends. Switch test images to Debian trixie with a selectable TLS_BACKEND build arg. Co-authored-by: Cursor <cursoragent@cursor.com>
REHASH s now rebuilds global, listener, and Connect block TLS state across OpenSSL, GnuTLS, and libtls, preserving existing contexts when reload fails. Add Connect-block hostname checks after SERVER for verifypeer links, with integration tests and documentation for the Port/Connect split. Co-authored-by: Cursor <cursoragent@cursor.com>
Add TLS security regression tests covering the findings from the security
review:
- RPL_WHOISSECURE reported for TLS users, absent for plaintext (M1)
- MODE +z cannot forge secure status or a TLS fingerprint from a client,
and cannot satisfy a fingerprint-pinned oper block (H3)
- handshakes below TLS 1.2 are rejected (M5)
- abrupt close mid-handshake keeps the server healthy (H2)
- a stalled handshake is timed out rather than hanging (L1)
Add a fingerprint-pinned "fpoper" Operator block to the TLS hub config to
drive the H3 oper-bypass test.
Fix flaky hub<->leaf link tests: both configs had autoconnect = yes on the
same link, so the servers dialed each other simultaneously, collided, and
did not retry within the test window (connectfreq is 5 minutes). Disable
autoconnect on those blocks and drive linking deterministically via an
opered CONNECT (new connect_link helper), so each test exercises its named
outbound direction without the race.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.