UnrealIRCd 4.0.18-rc1 available for testing

Syzop
UnrealIRCd head coder

Post by Syzop » Mon Jun 11, 2018 11:16 am

The first Release Candidate for UnrealIRCd 4.0.18 is now available for download.
UPDATE: there's now a newer second release candidate.

Improvements:
  • Support for checking IPv6 addresses in DNS blacklists.
  • The blacklist module now checks WEBIRC users as well.
  • For SSL/TLS we now set the default ECDH(E) curves to be X25519:secp521r1:secp384r1:prime256v1 if using a recent version of OpenSSL/LibreSSL. This can be overridden via set::ssl::ecdh-curve.
  • You can now require SASL authentication for clients via the allow block (for example, on a dedicated server that permits proxies/tor):
    allow { ip *; class clients; maxperip 2; options { require-sasl; }; };
Major issues fixed:
  • Compile issues on macOS
  • Bug in blacklist module which could have caused false negatives, allowing in bad guys who should have been denied.
  • The new optional feature 'set::cloak-method ip' caused identical cloaks
Minor issues fixed:
  • When using '/REHASH -ssl' or './unrealircd reloadtls' it did not reload the SSL certificate/key if you were using ssl-options in listen, sni or link blocks. In short: it only reloaded the ones from set::ssl until now.
  • m_ircops sent a conflicting numeric, confusing some clients.
  • Starting UnrealIRCd through a non-interactive(!) ssh session could cause the ssh session to hang.
Removed:
  • Various old config.h settings that didn't have any effect.
  • A few config.h settings that should never be turned off have been removed altogether (eg: NO_FLOOD_AWAY is now always on).
  • The deprecated and unused commands "CAP CLEAR" and "CAP ACK".
Other changes:
  • The built-in time synchronization feature is now disabled by default.
    TimeSynch was added back in 2006 when lots of operating systems did not ship with time synchronization turned on by default. Since incorrect time severely breaks IRC networks this was a major problem. Nowadays this is completely different with most Linux distros, OS X, Windows, etc. doing time synchronization out of the box. Since UnrealIRCd's implementation is less precise and lacks authentication it's best left to the system.
    You can still re-enable timesynch via: set { timesynch { enabled yes; }; };
    .. but you should really use NTP or similar for system-wide time synchronization instead.
  • For developers there's now the --with-werror compile option which will add -Werror.
  • Added a lot more Travis-CI tests: various LibreSSL/OpenSSL versions and also test macOS. This is to prevent us from releasing broken stuff.
  • Various code cleanups to get rid of lots of needless casts and to eliminate compiler warnings.
  • Just as a reminder (this change was already in version 4.0.17):
    UnrealIRCd will no longer give user mode +z to users on WEBIRC gateways using SSL/TLS IRC, unless the WEBIRC gateway gives us some assurance that the client<->webirc gateway connection is also secure (eg: https).
    This is the regular WEBIRC format:
    WEBIRC password gateway hostname ip
    This indicates a secure client connection (NEW):
    WEBIRC password gateway hostname ip :secure
    Naturally, WEBIRC gateways MUST NOT send the "secure" option if the client is using http or some other insecure protocol.
For module coders:
  • HOOKTYPE_CHANNEL_SYNCED prototype changed, the 'merge' and 'removetheirs' are now no longer an 'unsigned short' but an 'int' instead.
  • HOOKTYPE_MODE_DEOP prototype changed, the 'modechar' is now no longer a 'char' but an 'int' instead.
  • In addition to safestrdup() there's now also safestrldup() which allows you to specify a maximum allocated length (so including the nul byte). This is used in m_pass.c and m_topic.c.
  • New hook HOOKTYPE_CAN_BYPASS_CHANNEL_MESSAGE_RESTRICTION
Future versions (heads up):
  • We intend to change the default plaintext oper policy from warn to deny later this year. This will deny /OPER when issued from a non-SSL connection. For security, IRC Operators should really use SSL/TLS when connecting to an IRC server!
As always, you can download UnrealIRCd from www.unrealircd.org.
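
The WEBIRC "secure" rule from the reminder above, as an added example that is not part of the original post and is not UnrealIRCd's own code: user mode +z is only justified when the gateway<->server link uses SSL/TLS and the gateway also asserts a secure client connection. The function name, its return codes and the treatment of the trailing parameter as a space-separated option list are assumptions made for this sketch.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not an UnrealIRCd function).
 * line: a WEBIRC command as described in the post.
 * gateway_link_tls: 1 if the gateway<->server connection uses SSL/TLS.
 * Returns 1 if +z may be given, 0 if not, -1 if the line is malformed. */
int webirc_allows_plus_z(const char *line, int gateway_link_tls)
{
    char buf[512];
    char *fields[5], *opts = NULL, *p, *tok;
    int n = 0;

    if (strlen(line) >= sizeof(buf))
        return -1;
    strcpy(buf, line);

    /* Split off the IRC trailing parameter (" :...") first. */
    p = strstr(buf, " :");
    if (p) {
        *p = '\0';
        opts = p + 2;
    }

    for (tok = strtok(buf, " "); tok && n < 5; tok = strtok(NULL, " "))
        fields[n++] = tok;
    /* Exactly five fields: WEBIRC password gateway hostname ip */
    if (n != 5 || tok != NULL || strcmp(fields[0], "WEBIRC") != 0)
        return -1;

    /* Both hops must be secure: gateway->server TLS and the gateway's claim. */
    if (!gateway_link_tls || opts == NULL)
        return 0;

    /* Assumption: options are space separated; match the exact token only. */
    for (tok = strtok(opts, " "); tok; tok = strtok(NULL, " "))
        if (strcmp(tok, "secure") == 0)
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample lines; names and addresses are placeholders. */
    const char *with = "WEBIRC pw gw.example host.example 192.0.2.10 :secure";
    const char *without = "WEBIRC pw gw.example host.example 192.0.2.10";
    printf("%d %d %d\n", webirc_allows_plus_z(with, 1),
           webirc_allows_plus_z(without, 1), webirc_allows_plus_z(with, 0));
    return 0;
}
```

Matching the whole token means a trailing parameter such as "insecure" never counts as the secure assertion, and a line with missing or extra fields is rejected rather than guessed at.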
