The "sslinfo" Module (v3)
Description
This module adds user facing TLS (SSL) information, various TLS (SSL) configuration options, and the /SSLINFO command to look up TLS (SSL) certificate information for other users.
Configuration
To load this module use the following <module> tag:
<module name="sslinfo">
<connect>
This module extends the core <connect> tags with the following fields:
| Name | Type | Default Value | Description |
|---|---|---|---|
| requiressl | Text | no | Whether users must be using TLS (SSL) to use this class. |
The requiressl field should be set to one of the following values:
| Value | Description |
|---|---|
| no | TLS (SSL) is not required to use this class. |
| trusted | TLS (SSL) is required and and a CA-verified client certificate must be provided to use this class. |
| yes | TLS (SSL) is required to use this class. |
Example Usage
Requires users to be using TLS (SSL) to be assigned to the Secure class:
<connect name="Secure"
...
requiressl="yes">
<oper>
This module extends the core <oper> tag with the following fields:
| Name | Type | Default Value | Description |
|---|---|---|---|
| autologin | Text | no | Whether to automatically log server operators in when they connect to the server. |
| fingerprint | Text | None | If defined then a space-delimited list of TLS (SSL) client certificate fingerprints to check against this server operator's TLS (SSL) client certificate. |
| sslonly | Boolean | No | Whether this server operator must be connected using TLS (SSL) to log into their account. |
The autologin field should be set to one of the following values:
| Value | Description |
|---|---|
| yes | Automatically log users with the specified client certificate fingerprint into this server operator account. |
| if-host-match | Automatically log users with the specified client certificate fingerprint into this server operator account if their hostname matches <oper:host>. |
| no | Do not automatically log users with the specified client certificate into this server operator account. |
Example Usage
<oper name="Sadie"
...
autologin="no"
fingerprint="5d7499e1a3537687a2e875fed60b171508a4d1384351e276c4f961ab80729249"
sslonly="yes">
<sslinfo>
The <sslinfo> tag defines settings about how the sethost module should behave. This tag can only be defined once.
| Name | Type | Default Value | Description |
|---|---|---|---|
| hash | Text | None | The IANA Hash Function Textual Name of the hash algorithm used when getting client certificate fingerprints sent by a WebIRC gateway. |
| operonly | Boolean | No | Whether TLS (SSL) client certificate fingerprints are only visible to server operators. |
| warnexpiring | Duration | 0s | The maximum amount of time left that can be left on a TLS (SSL) client certificate fingerprint before clients start being warned of the expiration time. If set to 0s then no warning will be sent. |
Example Usage
<sslinfo hash="sha-256"
operonly="no"
warnexpiring="1w">
Commands
| Name | Parameter Count | Syntax | Description |
|---|---|---|---|
| SSLINFO | 1 | <target> | Views the TLS (SSL) certificate information for <target>. |
Example Usage
Views the TLS (SSL) certificate information for Sadie:
/SSLINFO Sadie
New in v3.9.0! Views the TLS (SSL) certificate information for users in #wibble:
/SSLINFO #wibble
Special Notes
The following TLS (SSL) modules are included with InspIRCd:
| Name | Module | Description |
|---|---|---|
| gnutls | ssl_gnutls | Uses the GnuTLS library. |
| mbedtls | ssl_mbedtls | Uses the mbedTLS library. |
| openssl | ssl_openssl | Uses the OpenSSL library. |