InspIRCd v4 is still early in development!
If you use this branch you may experience crashes, weird behaviour, and unannounced breaking changes.
You probably want to use InspIRCd v3 instead.
The "ssl_gnutls" Module (v4)
This module depends on a third-party library (GnuTLS) and must be manually enabled at compile time.
Once you have installed the dependency you can enable this module using the following command:
./configure --enable-extras ssl_gnutlsDescription
This module allows TLS (SSL) encrypted connections using the GnuTLS library.
Configuration
To load this module use the following <module> tag:
<module name="ssl_gnutls">
<bind>
This module extends the core <bind> tags with the following fields:
| Name | Type | Default Value | Description |
|---|---|---|---|
| sslprofile | Text | None | This MUST be set to the name of a GnuTLS TLS (SSL) profile to listen for secure connections with GnuTLS. |
Example Usage
Listens for GnuTLS encrypted IRC connections on the *:6697 endpoint with an TLS (SSL) profile named "Clients":
<bind address="*"
port="6697"
...
sslprofile="Clients"
type="clients">
Listens for GnuTLS encrypted server connections on the *:7000 endpoint with an TLS (SSL) profile named "Servers":
<bind address="*"
port="7000"
...
sslprofile="Servers"
type="servers">
<gnutls>
The <gnutls> tag defines settings about how the ssl_gnutls module should behave. This tag can only be defined once.
| Name | Type | Default Value | Description |
|---|---|---|---|
| onrehash | Boolean | Yes | Whether TLS (SSL) profiles (see below) should be reloaded as part of a normal rehash. |
Example Usage
<gnutls onrehash="yes">
<sslprofile>
The <sslprofile> tag defines a TLS (SSL) profile for sockets to use. This tag can be defined as many times as required.
| Name | Type | Default Value | Description |
|---|---|---|---|
| name | Text | None | Required! The name of this TLS (SSL) profile. This is used in <bind:ssl> for incoming connections and <link:ssl> for outgoing server connections. |
| provider | Text | None | Required! This MUST be set to "gnutls" to use the GnuTLS library. |
| cafile | Text | ca.pem | The path to the CA in PEM format. |
| certfile | Text | cert.pem | The path to the certificate in PEM format. |
| crlfile | Text | crl.pem | The path to the CRL in PEM format. |
| dhfile | Text | dhparams.pem | The path to the DH parameters in PEM format. This does nothing on GnuTLS 3.6.0+. |
| hash | Text | sha256 | A space-delimited list of hash algorithms used for TLS (SSL) client fingerprints. Prefix with spki- to use a Subject Public Key Info (SPKI) fingerprint for WebIRC gateway clients instead of a certificate fingerprint. |
| keyfile | Text | key.pem | The path to the private key in PEM format. |
| mindhbits | Number | 1024 | The minimum number of bits of the DH parameters file to use in an Diffie-Hellman key exchange. |
| outrecsize | Number | 2048 | The maximum size of an outgoing GnuTLS record. |
| priority | Text | NORMAL | A GnuTLS priority string. |
| requestclientcert | Boolean | Yes | Whether to request a TLS (SSL) certificate from clients. |
| strictpriority | Boolean | No | Whether to require that all tokens in the GnuTLS priority string are valid. |
The hash field should be set to one of the values shown in gnutls-cli --list | grep ^Digests:.
Example Usage
<sslprofile name="Clients"
provider="gnutls"
cafile=""
certfile="cert.pem"
crlfile=""
dhfile="dhparams.pem"
hash="sha256"
keyfile="key.pem"
mindhbits="1024"
outrecsize="2048"
priority="NORMAL"
requestclientcert="yes"
strictpriority="no">
Special Notes
If you are using a version of GnuTLS older than 3.6.0 you will also need to provide a DH parameters file. This file can be generated using certtool --generate-dh-params --sec-param normal --outfile dhparams.pem and then be placed in your config directory. You may need to use gnutls-certtool instead of certtool on macOS.
If you are having trouble getting InspIRCd to read your .pem files then check that it has read access to the full path up to the location of them. If you are using a system that uses AppArmor (such as our Debian and Ubuntu packages) you may need to edit the AppArmor profile to allow InspIRCd to read them too.
If you are using Let's Encrypt and are having problems with missing intermediate certificates then make sure you are using fullchain.pem from Certbot/Dehydrated/etc in <sslprofile:certfile> instead of cert.pem as the latter does not contain intermediate certificates.
If you are encountering "Handshake Failed - No supported cipher suites have been found" errors then your server is probably using too strict a value for <sslprofile:priority>. If your client is very old then you should consider upgrading; otherwise, setting it to NORMAL should solve this problem.