The "sslinfo" Module (v4)
Description
This module adds user facing TLS information, various TLS configuration options, and the /SSLINFO command to look up TLS certificate information for other users.
Configuration
To load this module use the following <module> tag:
<module name="sslinfo">
<connect>
This module extends the core <connect> tags with the following fields:
| Name | Type | Default Value | Description |
|---|---|---|---|
| requiressl | Text | no | Whether users must be using TLS to use this class. |
The requiressl field should be set to one of the following values:
| Value | Description |
|---|---|
| no | TLS is not required to use this class. |
| trusted | TLS is required and a CA-verified client certificate must be provided to use this class. |
| yes | TLS is required to use this class. |
Example Usage
Requires users to be using TLS to be assigned to the Secure class:
<connect name="Secure"
...
requiressl="yes">
<oper> & <type>
This module extends the core <oper> and <type> tags with the following fields:
| Name | Type | Default Value | Description |
|---|---|---|---|
| fingerprint | Text | None | If defined then a space-delimited list of TLS client certificate fingerprints to check against this server operator's TLS client certificate. |
| sslonly | Boolean | No | Whether this server operator must be connected using TLS to log into their account. |
Example Usage
Requires Sadie to connect over TLS and present a client certificate with the fingerprint 5d7499e1a3537687a2e875fed60b171508a4d1384351e276c4f961ab80729249 in order to log in to their server operator account:
<oper name="Sadie"
...
fingerprint="5d7499e1a3537687a2e875fed60b171508a4d1384351e276c4f961ab80729249"
sslonly="yes">
Requires server operators of type NetAdmin to connect over TLS and present a client certificate with the fingerprint 5d7499e1a3537687a2e875fed60b171508a4d1384351e276c4f961ab80729249 in order to log in to their server operator account:
<type name="NetAdmin"
...
fingerprint="5d7499e1a3537687a2e875fed60b171508a4d1384351e276c4f961ab80729249"
sslonly="yes">
<sslinfo>
The <sslinfo> tag defines settings about how the sslinfo module should behave. This tag can only be defined once.
| Name | Type | Default Value | Description |
|---|---|---|---|
| hash | Text | None | The IANA Hash Function Textual Name of the hash algorithm used when getting client fingerprints sent by a WebIRC gateway. Prefix with spki- to use a Subject Public Key Info (SPKI) fingerprint for WebIRC gateway clients instead of a certificate fingerprint. |
| localsecure | Boolean | Yes | Whether to consider clients connecting from localhost as secure even if they are not using TLS. |
| operonly | Boolean | No | Whether user TLS certificate fingerprints are only visible to server operators. |
| warnexpiring | Duration | 0s | The remaining validity time of a TLS client certificate below which clients are warned of its expiry. If set to 0s then no warning will be sent. |
| welcomemsg | Boolean | No | Whether to send a welcome message to users that are connecting using TLS containing their server name, ciphersuite and client fingerprint. |
Example Usage
<sslinfo hash="sha-256"
localsecure="yes"
operonly="no"
warnexpiring="1w"
welcomemsg="no">
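The following Python is added here as a worked example and is not InspIRCd code. It shows the two fingerprint flavours this page refers to: the certificate fingerprint used in the <oper> and <type> fingerprint fields (a digest over the whole DER-encoded certificate, printed as lowercase hex with no separators, matching the 64-character values in the examples above) and the SPKI fingerprint selected by the spki- prefix of the <sslinfo> hash field (a digest over the SubjectPublicKeyInfo only, which stays stable when a certificate is re-issued for the same key). It also checks a client fingerprint against a space-delimited fingerprint list. The minimal DER walker, the IANA-name-to-hashlib mapping, the colon/case normalisation and the build_sample_certificate() dummy certificate are all this example's own assumptions, not behaviour documented for the module.

```python
import base64
import hashlib
import re

# IANA Hash Function Textual Names -> hashlib names (assumed mapping for this example).
HASH_NAMES = {"sha-1": "sha1", "sha-256": "sha256", "sha-512": "sha512"}


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, tlv_start, value_start, value_end) for each element of a SEQUENCE."""
    pos = start
    while pos < end:
        tag, vs, ve = _read_tlv(buf, pos)
        yield tag, pos, vs, ve
        pos = ve


def pem_to_der(pem):
    """Strip PEM armour and decode the base64 body."""
    body = re.sub(r"-----(BEGIN|END)[^-]*-----", "", pem)
    return base64.b64decode("".join(body.split()))


def extract_spki(der):
    """Return the DER bytes (header included) of the certificate's SubjectPublicKeyInfo."""
    tag, cert_vs, _ = _read_tlv(der, 0)                 # Certificate ::= SEQUENCE
    tbs_tag, tbs_vs, tbs_ve = _read_tlv(der, cert_vs)   # tbsCertificate ::= SEQUENCE
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a DER certificate")
    fields = list(_children(der, tbs_vs, tbs_ve))
    if fields and fields[0][0] == 0xA0:                 # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    spki_tag, spki_start, _, spki_end = fields[5]
    if spki_tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo not where expected")
    return der[spki_start:spki_end]


def cert_fingerprint(der, hash_name="sha-256"):
    """Digest of the whole DER certificate, lowercase hex, no separators."""
    return hashlib.new(HASH_NAMES[hash_name], der).hexdigest()


def spki_fingerprint(der, hash_name="sha-256"):
    """Digest of the SubjectPublicKeyInfo only."""
    return hashlib.new(HASH_NAMES[hash_name], extract_spki(der)).hexdigest()


def gateway_fingerprint(der, hash_setting):
    """Apply a <sslinfo hash="..."> value: 'sha-256' -> certificate digest, 'spki-sha-256' -> SPKI digest."""
    if hash_setting.startswith("spki-"):
        return spki_fingerprint(der, hash_setting[len("spki-"):])
    return cert_fingerprint(der, hash_setting)


def normalise(fp):
    """Example's own normalisation: drop the colons and upper-case that `openssl x509 -fingerprint` prints."""
    return fp.replace(":", "").lower()


def oper_fingerprint_matches(configured, client_fp):
    """Check a client fingerprint against a space-delimited <oper>/<type> fingerprint list."""
    return normalise(client_fp) in {normalise(f) for f in configured.split()}


def _tlv(tag, value):
    """DER-encode one TLV with a definite length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def build_sample_certificate(with_version=True):
    """Constructed sample: a structurally valid, unsigned dummy certificate. Returns (der, spki)."""
    ecdsa_oid = _tlv(0x06, b"\x2a\x86\x48\xce\x3d\x04\x03\x02")          # ecdsa-with-SHA256
    spki = _tlv(0x30, _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"))  # id-ecPublicKey
                      + _tlv(0x03, b"\x00\x04" + b"\x11" * 64))          # dummy uncompressed point
    fields = _tlv(0xA0, _tlv(0x02, b"\x02")) if with_version else b""    # [0] version v3
    fields += _tlv(0x02, b"\x01")                                        # serialNumber
    fields += _tlv(0x30, ecdsa_oid)                                      # signature
    fields += _tlv(0x30, b"")                                            # issuer (empty Name)
    fields += _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"250101000000Z"))  # validity
    fields += _tlv(0x30, b"")                                            # subject
    fields += spki
    tbs = _tlv(0x30, fields)
    der = _tlv(0x30, tbs + _tlv(0x30, ecdsa_oid) + _tlv(0x03, b"\x00" * 71))  # dummy signature
    return der, spki


if __name__ == "__main__":
    sample_der, _ = build_sample_certificate()
    print("fingerprint      =", cert_fingerprint(sample_der))
    print("spki fingerprint =", gateway_fingerprint(sample_der, "spki-sha-256"))
```

To produce a value for a real client certificate, pass the output of pem_to_der() on the certificate file to cert_fingerprint() and paste the result into the fingerprint field; with several operators sharing a <type>, list each fingerprint separated by spaces.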
Commands
| Name | Parameter Count | Syntax | Description |
|---|---|---|---|
| SSLINFO | 0-1 | [<target>] | Views the TLS certificate information for <target>, which may be a user or a channel. If no target is specified then it defaults to the executing user. |
Example Usage
Views the TLS certificate information for Sadie:
/SSLINFO Sadie
Views the TLS certificate information for the executing user:
/SSLINFO
Views the TLS certificate information for users in #wibble:
/SSLINFO #wibble
Statistics
| Character | Description |
|---|---|
| t | Lists the number of local users currently connected using each ciphersuite. |
Special Notes
The following TLS (SSL) modules are included with InspIRCd:
| Name | Module | Description |
|---|---|---|
| gnutls | ssl_gnutls | Uses the GnuTLS library. |
| openssl | ssl_openssl | Uses the OpenSSL library. |