UnrealIRCd 4.0.14-rc1 released

Syzop
UnrealIRCd head coder

Post by Syzop » Fri Sep 08, 2017 6:56 am

Hi everyone,

The first Release Candidate for UnrealIRCd 4.0.14 is now available with a lot of SSL/TLS related improvements. We'd really appreciate some testing by the public before calling this 4.0.14 stable.

Also new is a tutorial called Using Let's Encrypt with UnrealIRCd. Feedback about this tutorial is welcome in this forum thread.

Improvements:
  • New set::plaintext-policy configuration settings. This defines what happens to users/ircops/servers that are not using SSL/TLS.

    The default settings are:
    set {
      plaintext-policy {
        user allow; /* allow any user to connect */
        oper warn; /* warn on /OPER if not using SSL/TLS */
        server deny; /* deny servers without SSL/TLS, except localhost */
      };
    };
    You can change each of the three classes to allow, warn or deny. More information: https://www.unrealircd.org/docs/Set_blo ... ext-policy
    If your services do not run on localhost and link without SSL/TLS then you may get an error during linking. In such a case check out this FAQ item.
  • You can now ask UnrealIRCd to verify certificates of server links by:

    link irc1.test.net {
        [..]
        verify-certificate yes;
    };
    This will verify the certificate of the link, making sure the certificate is valid, issued for the specified name (irc1.test.net) and given out by a trusted Certificate Authority (like Let's Encrypt).
    Obviously, if you use self-signed certificates then you can't use this.
  • Introduce a concept called link security level. This will rate the security of your network from 0 to 2.
    Whenever security is degraded due to a new server link UnrealIRCd will print a warning about it.
    See https://www.unrealircd.org/docs/Link_security for more information.
    This also adds a new command /LINKSECURITY (IRCop-only).
  • The plaintext-policy and link-security are shown in "CAP LS".
Major issues fixed:
  • None
Minor issues fixed:
  • If you had a link block named irc1.example.net and did an outgoing connect to that server, then the server could introduce itself under a different name, such as irc1.other.net. Not a security issue since all authentication has to be passed, but this could cause confusing autoconnect attempts.
  • password::sslclientcert did not accept relative paths
  • Compile problem with LibreSSL (regarding SSL_CTX_get0_param)
  • set::modes-on-connect: was refusing certain (old) modes like +N
Other changes:
  • The ssl options 'verify-certificate' and 'no-self-signed' have been removed. Use link::verify-certificate instead. It makes no sense to verify certificates or prevent self-signed certificates elsewhere such as in vhost or oper, since there is no hostname to match against.
  • Weak cipher suites such as 3DES and RC4 are disabled by default, but previously you could still enable them through set::ssl::ciphers. Now you can no longer, since there is no legitimate reason to do so.
  • Update cipher suite to work with TLS 1.3. This ensures you can use TLS 1.3 in UnrealIRCd 4.0.14+ when OpenSSL supports it (in the future).
  • Bump MODDATA_MAX_CLIENT from 8 to 12: needed if you have a lot of 3rd party modules loaded. Also moved MODDATA_MAX_* to include/config.h
Module coders:
  • You can now attach ModData to server objects as well (including &me).
As always, you can download UnrealIRCd from www.unrealircd.org.
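
The following is an added example, not part of the original post and not UnrealIRCd code: a small Python audit that reads a configuration and reports the effective set::plaintext-policy (filling in the defaults quoted above) and every link block that lacks verify-certificate yes. The function names, the irc2.test.net block and the trimmed link blocks are constructed for illustration, and the parser assumes only the simple block syntax shown in this announcement.

```python
import re

DEFAULTS = {"user": "allow", "oper": "warn", "server": "deny"}  # defaults quoted in the announcement

def tokenize(text):
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)  # strip /* ... */ comments
    text = re.sub(r"(?m)^\s*(#|//).*$", " ", text)      # strip whole-line # and // comments
    return re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', text)

def parse(tokens):
    """Consume a shared token iterator; an item is (words, children or None)."""
    items, words = [], []
    for tok in tokens:
        if tok == "{":
            items.append((words, parse(tokens)))  # nested block reads from the same iterator
            words = []
        elif tok == "}":
            break
        elif tok == ";":
            if words:
                items.append((words, None))
            words = []
        else:
            words.append(tok.strip('"'))
    return items

def audit(conf):
    """Return (effective plaintext-policy, link blocks lacking verify-certificate yes)."""
    items = parse(iter(tokenize(conf)))
    policy, unverified = dict(DEFAULTS), []
    for words, children in items:
        if words == ["set"]:
            for sub_words, sub in children or []:
                if sub_words == ["plaintext-policy"]:
                    policy.update({w[0]: w[1] for w, _ in sub or [] if len(w) == 2})
        elif len(words) == 2 and words[0] == "link":
            settings = [w for w, _ in children or []]
            if ["verify-certificate", "yes"] not in settings:
                unverified.append(words[1])
    return policy, unverified

# Constructed sample configuration (not from the announcement); link blocks are trimmed
SAMPLE = """
set { plaintext-policy { oper deny; /* stricter than the default */ }; };
link irc1.test.net { class servers; verify-certificate yes; };
link irc2.test.net { class servers; };
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Links reported here are not necessarily misconfigured: as noted above, links that use self-signed certificates cannot enable verify-certificate.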
