
Secure Sockets Layer

Historical Material - Information posted here may be inaccurate as a result of being obsolete. This information is kept for historical reference purposes.

The New Way (1.1)

InspIRCd 1.1 supports SSL through both the use of GnuTLS and OpenSSL. SSL may be used on both server and client connections. See the configuration documentation for more details.

The Slightly-Less-New Way (1.0)

InspIRCd (as of 1.0 final) supports SSL via modules. The currently available modules use either GnuTLS or OpenSSL for SSL support; both are SSLv3 compatible. Please see the linked pages for information on these modules.

The Old Way (Before 1.0)

Before 1.0 final, our plans were documented below. These are no longer valid, but are preserved for historical reasons.

We have had some discussions over the implementation of SSL in InspIRCd, and we figured it would not be practical to add direct SSL support to the core, for two reasons:

  • It slows the IRCd down to hell; most admins of other IRCds don't notice this because so few users actually use SSL.
  • If a vulnerability is found in the SSL library (not the IRCd), it can be exploited, and will take the IRCd down with it.

Unfortunately, in this day and age, it's hard to predict the behaviour of other people's code, and we do not wish to make InspIRCd vulnerable to attacks because of this. So we have come up with a plan.

We plan to 'rip apart' a piece of software called Stunnel and add some special flags designed for InspIRCd. Users will connect to the tunneler, which will do all the SSL authentication for us; once that is complete, the following will happen:

  1. The tunnel connects to the IRCd
  2. The tunnel sends a specialised string which a module will be programmed to respond to
  3. The module will then change the hostname of the connecting user, so they do not appear to be connecting from 'localhost'
  4. Any bans will be checked against that hostname, to prevent the tunnel from being used for ban evasion
  5. All data is then tunneled via SSL to and from the user, and the connection will be established.

If a vulnerability in SSL is found, and someone attempts to use it to crash InspIRCd, only the SSL tunneler will go down, not the IRCd itself, as they are two separate packages. (If this occurs, try upgrading your version of SSL, then recompile the tunneler.)

The InspIRCd ssl module will add a <bind:ssl> directive to the config. If it is set to true, the IRCd will expect to receive the module's initialisation string BEFORE a /USER is sent. There will also be a <ssl:key> directive, which will contain a special key (incorporated into the tunneler during ./configure) to prevent people from attempting to 'mimic' the behaviour of the tunnel in order to change their hosts etc. If this key is discovered, it's recommended that ./configure be re-run, the tunneler recompiled and restarted, and your configuration file updated to reflect any change that may be made.
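As an added illustration (not code from InspIRCd or the tunneler, which was never written this way), the following models the module-side checks the plan above implies for a connection arriving on a <bind:ssl> port: the initialisation string must carry the <ssl:key> secret, must arrive before USER, and the real hostname it supplies is subject to bans. The line format `SSLTUNNEL <key> <realhost>`, the key value and the ban list are all constructed for this example.

```python
import hmac
from dataclasses import dataclass

# Constructed values: the page fixes neither the string format nor the key.
TUNNEL_KEY = "constructed-example-key"     # would be loaded from <ssl:key>
BANNED_HOSTS = {"banned.example.net"}      # constructed ban list


@dataclass
class Client:
    host: str = "localhost"   # the tunnel connects from the local machine
    ssl_bind: bool = True     # <bind:ssl> is set on the port this client hit
    user_sent: bool = False
    ssl: bool = False
    disconnected: bool = False
    reason: str = ""


def disconnect(client: Client, reason: str) -> str:
    client.disconnected = True
    client.reason = reason
    return "disconnected"


def handle_line(client: Client, line: str) -> str:
    """Apply the design's rules to one inbound line; return the resulting state."""
    parts = line.split()
    if not parts:
        return "ignored"
    cmd = parts[0].upper()
    if cmd == "SSLTUNNEL":  # hypothetical initialisation string from the tunneler
        if client.user_sent:
            return disconnect(client, "initialisation string after USER")
        # Constant-time comparison so the key cannot be recovered by timing.
        if len(parts) != 3 or not hmac.compare_digest(parts[1], TUNNEL_KEY):
            return disconnect(client, "bad tunnel key")
        if parts[2] in BANNED_HOSTS:
            # Bans apply to the real host, so the tunnel cannot hide a banned user.
            return disconnect(client, "banned host")
        client.host = parts[2]
        client.ssl = True
        return "ssl"
    if cmd == "USER":
        if client.ssl_bind and not client.ssl:
            return disconnect(client, "SSL port requires the tunnel string before USER")
        client.user_sent = True
        return "registered"
    return "ignored"
```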