The "sslinfo" Module (v4)
Description
This module adds user-facing TLS information, various TLS configuration options, and the /SSLINFO command to look up TLS certificate information for other users.
Configuration
To load this module use the following <module> tag:

```xml
<module name="sslinfo">
```
<connect>
This module extends the core <connect> tags with the following fields:
Name | Type | Default Value | Description |
---|---|---|---|
requiressl | Text | no | Whether users must be using TLS to use this class. |
The requiressl field should be set to one of the following values:
Value | Description |
---|---|
no | TLS is not required to use this class. |
trusted | TLS is required and a CA-verified client certificate must be provided to use this class. |
yes | TLS is required to use this class. |
Example Usage
Requires users to be using TLS to be assigned to the Secure class:
```xml
<connect name="Secure"
         ...
         requiressl="yes">
```
<oper> & <type>
This module extends the core <oper> and <type> tags with the following fields:
Name | Type | Default Value | Description |
---|---|---|---|
fingerprint | Text | None | If defined then a space-delimited list of TLS client certificate fingerprints to check against this server operator's TLS client certificate. |
sslonly | Boolean | No | Whether this server operator must be connected using TLS to log into their account. |
Example Usage
Requires Sadie to connect with TLS with the TLS client certificate fingerprint 5d7499e1a3537687a2e875fed60b171508a4d1384351e276c4f961ab80729249 in order to log in to their server operator account:

```xml
<oper name="Sadie"
      ...
      fingerprint="5d7499e1a3537687a2e875fed60b171508a4d1384351e276c4f961ab80729249"
      sslonly="yes">
```
Requires server operators of type NetAdmin to connect with TLS with the TLS client certificate fingerprint 5d7499e1a3537687a2e875fed60b171508a4d1384351e276c4f961ab80729249 in order to log in to their server operator account:

```xml
<type name="NetAdmin"
      ...
      fingerprint="5d7499e1a3537687a2e875fed60b171508a4d1384351e276c4f961ab80729249"
      sslonly="yes">
```
<sslinfo>
The <sslinfo> tag defines settings about how the sslinfo module should behave. This tag can only be defined once.
Name | Type | Default Value | Description |
---|---|---|---|
hash | Text | None | The IANA Hash Function Textual Name of the hash algorithm used when getting client fingerprints sent by a WebIRC gateway. Prefix with spki- to use a Subject Public Key Info (SPKI) fingerprint for WebIRC gateway clients instead of a certificate fingerprint. |
localsecure | Boolean | Yes | Whether to consider clients connecting from localhost as secure even if they are not using TLS. |
operonly | Boolean | No | Whether user TLS certificate fingerprints are only visible to server operators. |
warnexpiring | Duration | 0s | The maximum amount of validity time remaining on a TLS client certificate before clients start being warned of its expiration time. If set to 0s then no warning will be sent. |
welcomemsg | Boolean | No | Whether to send a welcome message to users that are connecting using TLS containing their server name, ciphersuite and client fingerprint. |
Example Usage
```xml
<sslinfo hash="sha-256"
         localsecure="yes"
         operonly="no"
         warnexpiring="1w"
         welcomemsg="no">
```
Commands
Name | Parameter Count | Syntax | Description |
---|---|---|---|
SSLINFO | 1 | <target> | Views the TLS certificate information for <target>. If no target is specified then it defaults to the executing user. |
Example Usage
Views the TLS certificate information for Sadie:

```
/SSLINFO Sadie
```

Views the TLS certificate information for users in #wibble:

```
/SSLINFO #wibble
```

Views the TLS certificate information for the executing user:

```
/SSLINFO
```
Statistics
Character | Description |
---|---|
t | Lists the number of local users currently connected using each ciphersuite. |
Special Notes
The following TLS (SSL) modules are included with InspIRCd:
Name | Module | Description |
---|---|---|
gnutls | ssl_gnutls | Uses the GnuTLS library. |
openssl | ssl_openssl | Uses the OpenSSL library. |