Configuring SSL

These are old archives. They are kept for historic purposes only.
thekey
Posts: 15
Joined: Fri Feb 18, 2005 11:48 pm

Post by thekey »

Hi,
I'm trying to configure SSL ports on my network, I do the following:

- I've added a listen block:

listen 69.90.159.99:6697
{
    options
    {
        clientsonly;
        ssl;
    };
};
- I recompiled the Unreal with SSL support.

Do I need anything else? Because at the moment it doesn't work (I'm afraid I need a lot of other things :))

Thanx!
Dukat
Posts: 1083
Joined: Tue Mar 16, 2004 5:44 pm
Location: Switzerland

Post by Dukat »

What do you mean by "it doesn't work"? What's the exact error?
thekey
Posts: 15
Joined: Fri Feb 18, 2005 11:48 pm

Post by thekey »

Dukat wrote:What do you mean by "it doesn't work"? What's the exact error?
So when I do: /server myserver:+6697
I get: *** Unable to connect (Connection timed out)

I've heard about some SSL certificates, but I don't know if I need one or it's optional. What else do I need?
Matridom
Posts: 296
Joined: Fri Jan 07, 2005 3:28 am

Post by Matridom »

thekey wrote:
Dukat wrote:What do you mean by "it doesn't work"? What's the exact error?
So when I do: /server myserver:+6697
I get: *** Unable to connect (Connection timed out)

I've heard about some SSL certificates, but I don't know if I need one or it's optional. What else do I need?
Does your client support SSL properly? (I know mIRC requires separate DLL downloads to work with SSL)
thekey
Posts: 15
Joined: Fri Feb 18, 2005 11:48 pm

Post by thekey »

Matridom wrote:
thekey wrote:
Dukat wrote:What do you mean by "it doesn't work"? What's the exact error?
So when I do: /server myserver:+6697
I get: *** Unable to connect (Connection timed out)

I've heard about some SSL certificates, but I don't know if I need one or it's optional. What else do I need?
Does your client support SSL properly? (I know mIRC requires separate DLL downloads to work with SSL)
Yes, I'm using mirc v 6.16 and I've downloaded the necessary dll files to make that work... but it still doesn't :(
jewles
Posts: 263
Joined: Thu Mar 11, 2004 7:41 pm
Location: Herndon, VA

Post by jewles »

I suggest doing a stat P and seeing if your SSL port is open
(15:58:17) -elmo.yatesdev.com- *** Listener on 10.10.1.1:6667, clients 1. is PERM clientsonly SSL

If it is, good, then you did everything correctly. If not, then please produce the error preventing you from connecting...
(16:00:11) * Connecting to 10.10.1.1 (6667)
(16:00:11) * [10053] Software caused connection abort
(16:00:11) * Disconnected
which is me attempting to connect to a ssl port from a non-ssl supported client.
FBSD-DEV Project
http://www.fbsd-dev.org

YatesDev Hosting
http://www.yatesdev.com

The Wrong Way
http://www.thewrongway.net
thekey
Posts: 15
Joined: Fri Feb 18, 2005 11:48 pm

Post by thekey »

jewles wrote:I suggest doing a stat P and seeing if your SSL port is open
(15:58:17) -elmo.yatesdev.com- *** Listener on 10.10.1.1:6667, clients 1. is PERM clientsonly SSL

If it is, good, then you did everything correctly. If not, then please produce the error preventing you from connecting...
(16:00:11) * Connecting to 10.10.1.1 (6667)
(16:00:11) * [10053] Software caused connection abort
(16:00:11) * Disconnected
which is me attempting to connect to a ssl port from a non-ssl supported client.
Ok, it's working now! :D The configuration was ok, maybe it was a client error.

-irc.DjBots.org- *** Listener on 69.90.159.99:6697, clients 1. is PERM clientsonly SSL

Thank you all ;)
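A way to separate the failures seen in this thread, as an added example (not code from the thread or from UnrealIRCd): a TCP connect timeout happens before any certificate is exchanged, so it points at the listener, address or firewall rather than at the SSL setup. The function name `probe_tls_port` and its stage labels are made up for this illustration.

```python
import socket
import ssl
import sys


def probe_tls_port(host, port, timeout=5.0, cafile=None):
    """Connect in two stages and report which one failed.

    Returns (stage, detail), where stage is one of:
      "tcp"         - no TCP connection (timed out, refused): listener or firewall
      "handshake"   - TCP works, but the peer does not complete a TLS handshake
      "certificate" - TLS works, but the certificate is untrusted or mismatched
      "ok"          - verified TLS session
    """
    # Stage 1: plain TCP. "Connection timed out" is decided here, before SSL.
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("tcp", str(exc))

    # Stage 2: TLS handshake with certificate and hostname verification.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return ("ok", tls.version())
    except ssl.SSLCertVerificationError as exc:
        return ("certificate", exc.verify_message)
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return ("handshake", str(exc))
    finally:
        sock.close()


if __name__ == "__main__":
    # Usage: python probe.py <host> <port>
    print(probe_tls_port(sys.argv[1], int(sys.argv[2])))
```

A self-signed server certificate shows up as "certificate" unless its file is passed as `cafile`.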
thekey
Posts: 15
Joined: Fri Feb 18, 2005 11:48 pm

Post by thekey »

Erm, ok, I won't open another thread because my question is still about SSL.

The thing is, what is SSL exactly used for? I've read the help file and I know that a SSL connection encrypts data and protects against scans, etc. but I mean, should everyone be able to use a SSL connection? I think I don't get the point of this :roll:
jewles
Posts: 263
Joined: Thu Mar 11, 2004 7:41 pm
Location: Herndon, VA

Post by jewles »

SSL is a secure stock layer. It encrypts data between the server and the client... or server to server... It is always a good idea to allow clients the ability to use SSL and it should be a priority linking servers although most people don't care to use SSL... but it's always good practice to use it...
w00t
Posts: 1136
Joined: Thu Mar 25, 2004 3:31 am
Location: Nowra, Australia

Post by w00t »

stock? I thought it was secure sockets layer ;P
-ChatSpike IRC Network [http://www.chatspike.net]
-Denora Stats [http://denora.nomadirc.net]
-Omerta [http://www.barafranca.com]
Syzop
UnrealIRCd head coder
Posts: 2112
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl

Post by Syzop »

Indeed, hmm.. I thought there was another comment here a la "why bother encrypting" but perhaps I'm confused with another thread. Anyway..

The Internet is a public network, this means that if I connect to your IRC server my traffic usually goes through like 10-20 IP devices (and in fact, many more "hidden" ones), all of these devices might get hacked or for whatever reason a bad guy might control them, in which case (s)he can "sniff" your traffic (== look at everything that comes by) including all your personal conversations about/with your girlfriend and whatnot :p.
aquanight
Official supporter
Posts: 862
Joined: Tue Mar 09, 2004 10:47 pm
Location: Boise, ID

Post by aquanight »

Yeah, why do you think *nix has chucked telnet in favor of SSH :) .
Syzop wrote:your personal conversations about/with your girlfriend.
or lack thereof :/

Though I guess if you're the kind of person that tends not to have such personal discussions on IRC you might feel that SSL is unnecessary but then realize that you have your nickserv/ircop passwords to worry about, etc :) .
thekey
Posts: 15
Joined: Fri Feb 18, 2005 11:48 pm

Post by thekey »

Ok, I understand the point of this, but still don't know why I need some certificate (for example from CACert.org) for my IRCd. Is there any difference between connecting without some certificate and connecting with it? Is the encryption then different?
Dukat
Posts: 1083
Joined: Tue Mar 16, 2004 5:44 pm
Location: Switzerland

Post by Dukat »

Your server needs a certificate because that's how SSL works.

You should probably do some reading...
If you don't make mistakes, you aren't really trying.
- Coleman Hawkins
codemastr
Former UnrealIRCd head coder
Posts: 811
Joined: Sat Mar 06, 2004 8:47 pm
Location: United States

Post by codemastr »

thekey wrote:Ok, I understand the point of this, but still don't know why I need some certificate (for example from CACert.org) for my IRCd. Is there any difference between connecting without some certificate and connecting with it? Is the encryption then different?
SSL is more than just encryption. SSL provides identity verification. Let me try to explain it this way. You go click on a link which takes you to somebank.com and it says it uses SSL. You immediately assume "it's encrypted, I'm safe." However, as it turns out, this link didn't really take you to somebank.com, it took you to hackersite.com/somebank which is set up to look very much like somebank.com. Now, given flaws in many browsers, this fact can be hidden from you. But, not with SSL. With SSL, the certificate will show that hackersite.com does not match somebank.com. Therefore, it will reject the certificate as forged.

The idea is, it proves you are who you say you are. So where does CACert (and other CAs) fit in? They do the verification. They are considered a "trusted" third party. It uses a "network of trust" type system. For example, I trust CACert, and you trust CACert. CACert says "He really is codemastr" and they also say "He really is thekey." Now since we both trust CACert, it means that you believe I really am codemastr, and I believe you really are thekey. Therefore, CACert has proven we are who we said, and therefore we can trust each other.

Without a certificate, the identity verification is impossible. A certificate is basically your digital fingerprint, it proves your identity. If you don't have this fingerprint, then no one can know for sure who you are.
-- codemastr
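The name check described in the post above, reduced to a sketch (an added example, not code from the thread or from UnrealIRCd; a real TLS library also validates the CA signature chain and expiry). The certificates are constructed dicts in the shape Python's `ssl.SSLSocket.getpeercert()` returns, and the function names are made up for this illustration.

```python
def cert_dns_names(cert):
    """Names a certificate vouches for: SAN dNSName entries, else the subject CN."""
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san  # when SAN is present, the CN is not consulted
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def name_matches(pattern, hostname):
    """Case-insensitive, label-by-label comparison with a single leftmost '*'."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # '*' stands for exactly one label and needs two fixed labels after it
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def identity_matches(cert, expected_host):
    """True if the certificate is valid for the host the user meant to reach."""
    return any(name_matches(n, expected_host) for n in cert_dns_names(cert))


# Constructed certificates (not real ones) for the names used in the post.
PHISHING_CERT = {
    "subject": ((("commonName", "somebank.com"),),),  # CN claims the bank...
    "subjectAltName": (("DNS", "hackersite.com"),),   # ...but the SAN is what counts
}
BANK_CERT = {"subjectAltName": (("DNS", "somebank.com"), ("DNS", "*.somebank.com"))}

if __name__ == "__main__":
    for cert in (BANK_CERT, PHISHING_CERT):
        print(cert_dns_names(cert), identity_matches(cert, "somebank.com"))
```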