InspIRCd v4 is still early in development!
If you use this branch you may experience crashes, weird behaviour, and unannounced breaking changes.
You probably want to use InspIRCd v3 instead.
The "sslinfo" Module (v4)
Description
This module adds user facing TLS information, various TLS configuration options, and the /SSLINFO command to look up TLS certificate information for other users.
Configuration
To load this module use the following <module> tag:
<module name="sslinfo">
<connect>
This module extends the core <connect> tags with the following fields:
| Name | Type | Default Value | Description |
|---|---|---|---|
| requiressl | Text | no | Whether users must be using TLS to use this class. |
The requiressl field should be set to one of the following values:
| Value | Description |
|---|---|
| no | TLS is not required to use this class. |
| trusted | TLS is required and and a CA-verified client certificate must be provided to use this class. |
| yes | TLS is required to use this class. |
Example Usage
Requires users to be using TLS to be assigned to the Secure class:
<connect name="Secure"
...
requiressl="yes">
<oper> & <type>
This module extends the core <oper> and <type> tags with the following fields:
| Name | Type | Default Value | Description |
|---|---|---|---|
| fingerprint | Text | None | If defined then a space-delimited list of TLS client certificate fingerprints to check against this server operator's TLS client certificate. |
| sslonly | Boolean | No | Whether this server operator must be connected using TLS to log into their account. |
Example Usage
Requires Sadie to connect with TLS with the TLS client certificate fingerprint 5d7499e1a3537687a2e875fed60b171508a4d1384351e276c4f961ab80729249 in order to log in to their server operator account:
<oper name="Sadie"
...
fingerprint="5d7499e1a3537687a2e875fed60b171508a4d1384351e276c4f961ab80729249"
sslonly="yes">
Requires server operators of type NetAdmin to connect with TLS with the TLS client certificate fingerprint 5d7499e1a3537687a2e875fed60b171508a4d1384351e276c4f961ab80729249 in order to log in to their server operator account:
<type name="NetAdmin"
...
fingerprint="5d7499e1a3537687a2e875fed60b171508a4d1384351e276c4f961ab80729249"
sslonly="yes">
<sslinfo>
The <sslinfo> tag defines settings about how the sethost module should behave. This tag can only be defined once.
| Name | Type | Default Value | Description |
|---|---|---|---|
| hash | Text | None | The IANA Hash Function Textual Name of the hash algorithm used when getting client fingerprints sent by a WebIRC gateway. |
| localsecure | Boolean | Yes | Whether to consider clients connecting from localhost as secure even if they are not using TLS. |
| operonly | Boolean | No | Whether user TLS certificate fingerprints are only visible to server operators. |
| spkifp | Boolean | No | Whether to use a Subject Public Key Info (SPKI) fingerprint for WebIRC gateway clients instead of a certificate fingerprint. |
| warnexpiring | Duration | 0s | The maximum amount of time left that can be left on a TLS client certificate before clients start being warned of the expiration time. If set to 0s then no warning will be sent. |
Example Usage
<sslinfo hash="sha-256"
localsecure="yes"
operonly="no"
spkifp="no"
warnexpiring="1w">
Commands
| Name | Parameter Count | Syntax | Description |
|---|---|---|---|
| SSLINFO | 1 | <target> | Views the TLS certificate information for <target>. |
Example Usage
Views the TLS certificate information for Sadie:
/SSLINFO Sadie
Views the TLS certificate information for users in #wibble:
/SSLINFO #wibble
Special Notes
The following TLS (SSL) modules are included with InspIRCd:
| Name | Module | Description |
|---|---|---|
| gnutls | ssl_gnutls | Uses the GnuTLS library. |
| mbedtls | ssl_mbedtls | Uses the mbedTLS library. |
| openssl | ssl_openssl | Uses the OpenSSL library. |