The "sslinfo" Module (v4)

Description

This module adds user facing TLS information, various TLS configuration options, and the /SSLINFO command to look up TLS certificate information for other users.

Configuration

To load this module use the following <module> tag:

<module name="sslinfo">

<connect>

This module extends the core <connect> tags with the following fields:

Name Type Default Value Description
requiressl Text no Whether users must be using TLS to use this class.

The requiressl field should be set to one of the following values:

Value Description
no TLS is not required to use this class.
trusted TLS is required and and a CA-verified client certificate must be provided to use this class.
yes TLS is required to use this class.
Example Usage

Requires users to be using TLS to be assigned to the Secure class:

<connect name="Secure"
         ...
         requiressl="yes">

<oper> & <type>

This module extends the core <oper> and <type> tags with the following fields:

Name Type Default Value Description
fingerprint Text None If defined then a space-delimited list of TLS client certificate fingerprints to check against this server operator's TLS client certificate.
sslonly Boolean No Whether this server operator must be connected using TLS to log into their account.
Example Usage

Requires Sadie to connect with TLS with the TLS client certificate fingerprint 5d7499e1a3537687a2e875fed60b171508a4d1384351e276c4f961ab80729249 in order to log in to their server operator account:

<oper name="Sadie"
      ...
      fingerprint="5d7499e1a3537687a2e875fed60b171508a4d1384351e276c4f961ab80729249"
      sslonly="yes">

Requires server operators of type NetAdmin to connect with TLS with the TLS client certificate fingerprint 5d7499e1a3537687a2e875fed60b171508a4d1384351e276c4f961ab80729249 in order to log in to their server operator account:

<type name="NetAdmin"
      ...
      fingerprint="5d7499e1a3537687a2e875fed60b171508a4d1384351e276c4f961ab80729249"
      sslonly="yes">

<sslinfo>

The <sslinfo> tag defines settings about how the sethost module should behave. This tag can only be defined once.

Name Type Default Value Description
hash Text None The IANA Hash Function Textual Name of the hash algorithm used when getting client fingerprints sent by a WebIRC gateway. Prefix with spki- to use a Subject Public Key Info (SPKI) fingerprint for WebIRC gateway clients instead of a certificate fingerprint.
localsecure Boolean Yes Whether to consider clients connecting from localhost as secure even if they are not using TLS.
operonly Boolean No Whether user TLS certificate fingerprints are only visible to server operators.
warnexpiring Duration 0s The maximum amount of time left that can be left on a TLS client certificate before clients start being warned of the expiration time. If set to 0s then no warning will be sent.
welcomemsg Boolean No Whether to send a welcome message to users that are connecting using TLS containing their server name, ciphersuite and client fingerprint.
Example Usage
<sslinfo hash="sha-256"
         localsecure="yes"
         operonly="no"
         warnexpiring="1w"
         welcomemsg="no">

Commands

Name Parameter Count Syntax Description
SSLINFO 1 <target> Views the TLS certificate information for <target>. If no target is specified then it defaults to the executing user.

Example Usage

Views the TLS certificate information for Sadie:

/SSLINFO Sadie

Views the TLS certificate information for users in #wibble:

/SSLINFO

Views the TLS certificate information for the executing user:

/SSLINFO #wibble

Statistics

Character Description
t Lists the number of local users currently connected using each ciphersuite.

Special Notes

The following TLS (SSL) modules are included with InspIRCd:

Name Module Description
gnutls ssl_gnutls Uses the GnuTLS library.
openssl ssl_openssl Uses the OpenSSL library.