Websocket & SSL certs

Posted: Tue Sep 12, 2017 9:11 pm
by R4tt
That module sounds very nice!
One question related to the ssl cert thing. If I'm using a free ssl cert service like Let's Encrypt, I have to renew the cert every ~60 days. Is it necessary to restart unrealircd or reload the module in this case?

Re: Websocket

Posted: Wed Sep 13, 2017 9:13 pm
by R4tt
Another question. Is it possible to use a separate ssl cert only for the websocket, or do I have to use one ssl cert for the whole unrealircd?
Sorry for double posting. :/

Re: Websocket

Posted: Fri Sep 15, 2017 8:58 am
by Syzop
If you set up a dedicated port for your websocket connections, so a listen { } block, then you can use listen::ssl-options to use a specific certificate. See the Listen block documentation (in particular the ssl-options section).

Re: Websocket

Posted: Fri Sep 15, 2017 9:13 am
by R4tt
Thanks for your reply. Is it possible to reload only a specific ssl cert with the "reload tls" command? If I used an extra cert for the websocket (for example Let's Encrypt), it would be better if I could reload only that ssl cert instead of reloading ALL ssl certs my irc is using.

Re: Websocket

Posted: Fri Sep 15, 2017 9:19 am
by Syzop
It's not possible to reload specific certificates. But there should be no need. Reloading a certificate should be harmless for both new and existing users.
(Well, unless you replaced the certificate with some incorrect certificate of course.. then new users won't be able to connect, but that's only logical :D)

Re: Websocket

Posted: Fri Sep 15, 2017 9:38 am
by R4tt
Thank you again. :) As far as I know, the existing users will be disconnected if the ssl cert is changed (which will happen if Let's Encrypt is used).
My plan is to use Let's Encrypt for one port (websocket) and a self-signed cert for another port. If the "reload tls" command doesn't affect the self-signed cert and users won't be disconnected, it should be fine.
The websocket feature looks very good, but I wasn't sure about the ssl cert thing. Because my site uses ssl, I need a trusted ssl certificate or all browsers will reject the websocket chat. :/

Re: Websocket

Posted: Fri Sep 15, 2017 9:51 am
by Syzop
"As far as I know, the existing users will be disconnected"
What is that based on? Speculation?

I mean, I know how I coded it. It will only refresh the SSL_CTX for new connections.
And I and many users have been using this feature for years now, without any such issues. I used it as recently as a week ago on 3 servers.

I would suggest using the certificate on all ports. Then non-webirc IRC users can also benefit from a "proper" certificate :)

Re: Websocket & SSL certs

Posted: Fri Sep 22, 2017 1:58 am
by R4tt
I tried the websocket module with a Let's Encrypt cert, but it looks like unreal ignores the extra websocket cert. I'm running unrealircd version 4.0.14 with the following websocket config part for the ssl cert:

listen {
   ip *;
   port 12345;
   options { ssl; };
   ssl-options {
       certificate "sslcert/server.cert.pem";
       key "sslcert/server.key.pem";
       options { no-client-certificate; };
   };
};

On the reloadtls command the cert is recognized, because there is an error message if the permissions are incorrect. Nevertheless it's not possible to connect to the websocket (port in firewall is open) and I don't know why.

Re: Websocket & SSL certs

Posted: Fri Sep 22, 2017 8:39 pm
by R4tt
Sorry, I posted the wrong config part.
This is the correct part:

listen {
  ip *;
  port 12345;
  options { ssl; };
  ssl-options {
      certificate "/path/to/letsencrypt/fullchain.pem";
      key "/path/to/letsencrypt/privkey.pem";
      options { no-client-certificate; };
  };
};

A check via openssl s_client to the websocket port reveals that the websocket's specific cert options are ignored and the default cert is used instead.
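
The check described in the post above (which certificate does a listener with its own ssl-options actually serve?) can be scripted and run after a renewal and TLS reload. This is an added example, not part of the original thread and not UnrealIRCd code; the file path, host name and port are placeholders, and the function names are chosen for this example.

```python
import hashlib
import socket
import ssl
import sys

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def leaf_fingerprint_from_pem(pem_text):
    """SHA-256 (hex) of the first certificate in a PEM bundle.

    In a fullchain.pem the first block is the server (leaf) certificate;
    the intermediates follow it.
    """
    start = pem_text.index(BEGIN)
    end = pem_text.index(END, start) + len(END)
    der = ssl.PEM_cert_to_DER_cert(pem_text[start:end])
    return hashlib.sha256(der).hexdigest()


def served_fingerprint(host, port, timeout=5.0):
    """SHA-256 (hex) of the certificate the listener presents."""
    ctx = ssl.create_default_context()
    # Verification is off on purpose: the point is to see which certificate
    # is served, even if it turns out to be a self-signed default one.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()


def check_listener(pem_path, host, port, fetch=served_fingerprint):
    """Compare the on-disk leaf certificate with the one served on host:port."""
    with open(pem_path, encoding="utf-8") as fh:
        expected = leaf_fingerprint_from_pem(fh.read())
    served = fetch(host, port)
    return {"match": expected == served, "expected": expected, "served": served}


if __name__ == "__main__":
    # All three arguments are placeholders supplied by the operator, e.g.
    #   python check_listener_cert.py /path/to/fullchain.pem irc.example.org 12345
    if len(sys.argv) != 4:
        sys.exit("usage: check_listener_cert.py FULLCHAIN_PEM HOST PORT")
    result = check_listener(sys.argv[1], sys.argv[2], int(sys.argv[3]))
    print("expected:", result["expected"])
    print("served:  ", result["served"])
    sys.exit(0 if result["match"] else 1)
```

A non-zero exit status means the port is still presenting a different certificate than the file named in its ssl-options, which is the symptom reported here.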

Re: Websocket & SSL certs

Posted: Mon Sep 25, 2017 8:44 pm
by R4tt
Ok, it's working now. Don't know why, but looks like unreal reads the config now correctly. :D