Before the flames come, let's just say that I am 100% in favor of security by default and have been anti clear-text protocols for 20 years. In fact, why we are even allowing the usage of clear text port 6667 and/or starttls is pathetic and beyond me, and in this day and age falls under major ridiculousness, but anyway...
Recently there was a change to make sure people run webirc clients securely, and that change was needed for sure, but for people already doing it securely this change lacked the capacity to consider those same people, or perhaps the web client which has been mentioned in the UnrealIRCd release notes as supported along with others.
Some reading:
&Syzop[AWAY]> PeGaSuS: I knew it would annoy people but.. security :]
https://www.bountysource.com/issues/433 ... ing-webirc (which is all good)
https://www.unrealircd.org/docs/WebIRC_Support
https://www.unrealircd.org/docs/WebIRC_block
UnrealIRCd 4.0.16 released
viewtopic.php?f=1&t=8764
Question 1:
You can now have multiple webirc { } blocks with the same mask. This permits multiple blocks like..
webirc {
mask *;
password "....." { sslclientcertfp; };
};
..should you need it. In other words: we don't stop matching upon an authentication failure.
Which of those 3 mentioned web IRC clients is able to load and support { sslclientcertfp; }; for such a conf block? Has this option been tested, or is it just theory?
Which UnrealIRCd configuration documentation mentions this feature?
Nothing here at the moment:
https://www.unrealircd.org/docs/WebIRC_block
UnrealIRCd 4.0.17 released
Question 2:
Other changes
• UnrealIRCd will no longer give user mode +z to users on WEBIRC gateways using SSL/TLS IRC, unless the WEBIRC gateway gives us some assurance that the client<->webirc gateway connection is also secure (eg: https).
This is the regular WEBIRC format:
WEBIRC password gateway hostname ip
This indicates a secure client connection (NEW):
WEBIRC password gateway hostname ip :secure
Naturally, WEBIRC gateways MUST NOT send the "secure" option if the client is using http or some other insecure protocol.
Has the head UnrealIRCd developer considered whether qwebirc sends the mentioned "secure" option before mentioning it as one of the 3 supported clients?
In this case, the client being used is qwebirc, which is mentioned by UnrealIRCd along with other web clients as supported.
Why do some people prefer or like to use qwebirc? And no, it is not EOL.
So let's see the issue:
https://qwebirc.org/features (among many)
Runs its own webserver and is very light. Easy to serve with https:// and independent of other web servers and the need for reverse proxies and messy setups.
SSL/TLS support for the browser and server.
Supports hot-reconfiguration of backend servers via hadns.
Embedded webserver (no messing around with your existing webserver).
How it runs (qwebirc relevant config for the case):
# OPTION: IRCSERVER
# Hostname (or IP address) of IRC server to connect to.
# OPTION: IRCPORT
# Port of IRC server to connect to.
IRCSERVER, IRCPORT = "127.0.0.1", 6697
# OPTION: SSLPORT
# SSL port of IRC server to connect to.
# If this option is uncommented it will override IRCPORT.
SSLPORT = 6697
# OPTION: BASE_URL
# URL that this qwebirc instance will be available at, add the
# port number if your instance runs on a port other than 80.
BASE_URL = "https://domain.net:9999"
WEBIRC_PASSWORD = "asdfkjas89wejc239"
# EXECUTION OPTIONS
# OPTION: ARGS (optional)
# These arguments will be used as if qwebirc was run directly
ARGS = "-p 9999 -C /path/to/sslcerts/qwebirc_cert.pem -k /path/to/sslcerts/qwebirc_privkey.pem -H /path/to/sslcerts/fullchain.cer -P pid -l logs/log"
Usage: run.py [options]
Options:
-h, --help show this help message and exit
-n, --no-daemon Don't run in the background.
--help-reactors Display a list of reactor names.
-b, --debug Run in the Python Debugger.
-t, --tracebacks Display tracebacks in error pages (this reveals a LOT
of information, do NOT use in production!)
-r REACTOR, --reactor=REACTOR
Which reactor to use (see --help-reactors for a list).
-p PORT, --port=PORT Port to start the server on.
-i IP, --ip=IP IP address to listen on.
-l LOGFILE, --logfile=LOGFILE
Path to twisted log file.
-c CLOGFILE, --clf=CLOGFILE
Path to web CLF (Combined Log Format) log file.
-C SSLCERTIFICATE, --certificate=SSLCERTIFICATE
Path to SSL certificate.
-k SSLKEY, --key=SSLKEY
Path to SSL key.
-H SSLCHAIN, --certificate-chain=SSLCHAIN
Path to SSL certificate chain file.
-P PIDFILE, --pidfile=PIDFILE
Path to store PID file
-s, --syslog Log to syslog
--profile=PROFILE Run in profile mode, dumping results to this file
--profiler=PROFILER Name of profiler to use
--syslog-prefix=SYSLOG_PREFIX
Syslog prefix
Shell:
netstat -nap | grep 9999
tcp 0 0 0.0.0.0:9999 0.0.0.0:* LISTEN 2448/python2.7
openssl s_client -connect domain.com:9999
CONNECTED(00000003)
---
Certificate chain
0 s:/CN=domain.com
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
..........
-----END CERTIFICATE-----
subject=/CN=domain.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3719 bytes and written 443 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
.....
qwebirc runs and serves itself securely from the moment of execution, with TLS being used with a valid certificate.
UnrealIRCd webirc relevant configurations:
webirc {
mask 127.0.0.1;
type webirc;
password "asdfkjas89wejc239";
};
listen { ip *;
port 6697;
options { ssl;
clientsonly;
};
};
CONNECTED(00000003)
---
Certificate chain
0 s:/CN=domain.com
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
....
-----END CERTIFICATE-----
subject=/CN=domain.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
---
SSL handshake has read 2965 bytes and written 902 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
netstat -nap | grep 6697
tcp 0 0 0.0.0.0:6697 0.0.0.0:* LISTEN 1138/unrealircd
tcp 0 0 127.0.0.1:34181 127.0.0.1:6697 ESTABLISHED 2448/python2.7
The ircd only accepts SSL connections.
qwebirc connects only to a secure UnrealIRCd port.
qwebirc is being served on https:// on port 9999.
qwebirc client connects:
Oper monitor:
== Usermode change: +isZp
== #channel Cannot join channel (SSL is required)
-NickServ- Your nickname is not registered. To register it, use: /msg NickServ REGISTER password
-OperServ- We will now scan your host for insecure proxies. If you do not consent to this scan please disconnect immediately.
== BE26B9D5.B06E1170.3A56126A.IP is now your displayed host
== Usermode change: +x
Client connects securely from a web client running on https://
*** Client connecting: test ([email protected]) [192.........] {clients} [secure AES256-GCM-SHA384]
Whois test outputs:
Despite the fact that the client connects securely from a web client running on https://, the client is marked as insecure.
[test] ([email protected]): domain.com
[test] is using modes +isxZp
[test] is connecting from *@lan.ip
[test] test.hub.lan (testing hub)
[test] idle: 00 hours 04 minutes 42 seconds, signon at: ...date...
[test] End of /WHOIS list.
I really hate wasting time like this, having to read something that translates into implicitly calling the people on the other side dumb, when someone has failed to consider some detail in regards to a piece of software mentioned as supported in the documentation.
&Syzop[AWAY]> PeGaSuS: I knew it would annoy people but.. security :]
In this case, qwebirc runs from the beginning to the end with SSL/TLS. There are no clear text communications. It executes itself securely by loading the SSL/TLS certificates, only allows secure client connections and connects securely to the ircd.
This definitely annoys some people that have been running these apps and protocols securely since many, many years ago, and now it is their fault that it does not work anymore?
This implementation, and specifically the way it was done, is also flawed and can easily be bypassed to still allow an insecure web client to connect.
So much trouble and annoyance for basically nothing, which actually breaks proper configuration already being done by people concerned about security.
Naturally, WEBIRC gateways MUST NOT send the "secure" option if the client is using http or some other insecure protocol.
In terms of security, the only thing qwebirc needs to have done is to make sure it can never be executed without loading SSL/TLS certificates. All other web IRC clients that do not work this way are basically crap and can bypass this so called :secure pseudo feature.
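An added example, not qwebirc's or UnrealIRCd's code, showing both sides of the ":secure" rule from the 4.0.17 notes quoted above: the gateway appends the flag only when the browser reached it over TLS, and the ircd parses the WEBIRC line, matches the gateway's source address against the webirc block masks (continuing past a failed block, as 4.0.16 allows), and grants +z only when both hops are secure. Function names, the block list and the sample password are assumptions.

```python
import hmac
from fnmatch import fnmatchcase

# Constructed sample block list; a real password would be secret.
WEBIRC_BLOCKS = [{"mask": "127.0.0.1", "password": "example-gateway-password"}]


def build_webirc_line(password, gateway, hostname, ip, client_uses_tls):
    """Gateway side (qwebirc's role): emit the WEBIRC command and add the
    ':secure' trailing flag only if the browser reached the gateway over
    https. Sending it for plain-http clients would make the ircd mark a
    connection +z that is not secure end to end."""
    line = f"WEBIRC {password} {gateway} {hostname} {ip}"
    return line + " :secure" if client_uses_tls else line


def parse_webirc_line(line, source_ip, blocks=WEBIRC_BLOCKS):
    """Ircd side: split the command with IRC parameter rules (a parameter
    starting with ':' is the trailing one), match the gateway's source
    address against each block's wildcard mask (fnmatch is a stand-in for
    the ircd's own mask matching) and compare the password in constant
    time. Returns a dict on success, None on any failure."""
    head, _, trailing = line.partition(" :")
    params = head.split(" ")
    if len(params) != 5 or params[0] != "WEBIRC":
        return None
    _, password, gateway, hostname, ip = params
    for block in blocks:
        if fnmatchcase(source_ip, block["mask"]) and \
                hmac.compare_digest(password, block["password"]):
            flags = trailing.split() if trailing else []
            return {"gateway": gateway, "hostname": hostname, "ip": ip,
                    "secure": "secure" in flags}
    return None  # no block accepted the gateway; keep matching, then fail


def grants_umode_z(gateway_to_ircd_tls, webirc_info):
    """+z only when both hops are TLS: gateway->ircd (the 6697 listener on
    this page) and client->gateway (signalled by the ':secure' flag)."""
    return bool(gateway_to_ircd_tls and webirc_info and webirc_info["secure"])
```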