I may be having some issues with these features, or something is not working well in my setup.
In these examples I use different SSL certs: one set to accept links from servers, another to link out to servers, and other certs to allow client connections; right now some of this is not working.
UnrealIRCd 4.0.13
The listen block:
# https://unrealircd.org/docs/Listen_block
# ip
# Simply set ip to * (an asterisk) to bind to all available IP's on the machine,
# OR specify an IP to only bind to that IP address (the latter is usually required at shell providers).
# port
# This is the port you want to listen on, like 6667. You can also specify a port range, like 6667-6669.
# options block (optional)
# You can specify options for the port. Valid options are:
# ssl: TLS/SSL encrypted port
# clientsonly: port is only for clients
# serversonly: port is only for servers
# listen {
#     ip <ip>;
#     port <port>;
#     options {
#         <option>;
#         <option>;
#         ...
#     };
# };
# Server links only
listen {
    ip *;
    port <some port>;
    options {
        ssl;
        serversonly;
    };
    ssl-options {
        certificate "ssl/links_listen.crt";
        key "ssl/links_listen.key";
    };
};
To generate the certs (either manually or from a cron job) I use a script:
#!/bin/sh
# Generate a self-signed certificate/key pair for the servers-only listen block.
echo "This will generate self-signed SSL certificates for this listen server block to accept links from hubs/leafs"
echo ""
# Plain files, so -f (not -r); -f also keeps the script quiet on the first run.
rm -f links_listen.key links_listen.crt
# -newkey takes only the key spec (rsa:4096); the signature digest is a separate -sha512 option.
openssl req -x509 -nodes -days 1096 -utf8 -newkey rsa:4096 -sha512 \
    -keyout links_listen.key -out links_listen.crt -subj /CN=local_net_name
chmod 400 links_listen.key links_listen.crt
echo
echo "Add this fingerprint to the password field (sslclientcertfp) of the remote server's link block, described at https://unrealircd.org/docs/Link_block, for higher control"
# Single quotes: the example contains double quotes, braces and semicolons that the shell would otherwise interpret.
echo 'Example: password "08:02:D0:D8:AB:30..." { sslclientcertfp; }; and set verify-certificate no;'
echo
# SHA-256 fingerprint in the colon-separated form UnrealIRCd expects.
openssl x509 -in links_listen.crt -sha256 -noout -fingerprint
The link block:
# https://unrealircd.org/docs/Link_block
# https://unrealircd.org/docs/Tutorial:_Linking_servers
# https://unrealircd.org/docs/Authentication_types
# https://www.unrealircd.org/docs/Troubleshooting:_linking_servers
# https://www.unrealircd.org/docs/Link_security
# If you are linking servers we recommend you to follow our Tutorial: Linking servers instead.
# The link block is, however, shown below for reference.
# link <server-name> {
#     /* Below, often you will have both an incoming { } and outgoing { } sub-block.
#      * However you may also choose to have only 1 of them if you always link in the same direction.
#      */
#     incoming {
#         mask 1.2.3.*;
#     };
#     outgoing {
#         bind-ip <ip-to-bind-to>; /* optional now */
#         hostname irc1.some.net; /* may also be an IP */
#         port 6697; /* or move the hostname & ip into one item ? irc1.some.net:6697 */
#         options { ssl; autoconnect; }; /* optional, but recommended */
#     };
#     password "some-password"; /* either a plaintext password that's the same for both sides or an SSL fingerprint (or certificate) */
#     password "E7:4D:46:F1:9F:F4:68:F5:E8:E3:49:CC:28:5D:F9:65:85:BA:4F:16:B6:49:02:E3:34:E6:E7:6A:FE:76:A7:98" { sslclientcertfp; };
#     verify-certificate [yes|no]; /* optional, default is 'no' but is less secure */
#     hub <hub-mask>; /* optional */
#     leaf <leaf-mask>; /* optional */
#     leaf-depth <depth>; /* optional */
#     class <class-name>;
#     ciphers <ssl-ciphers>; /* optional */
#     options {
#         quarantine; /* is a generic option. optional. */
#     };
# };
link remote.server.name {
    # password "18:AC:75:AA:2B:48:35:23:CF:A2:68:4F:2D:9D:E6:33:06:C4:3F:32:AF:37:B5:49:7A:4D:C5:02:5F:B1:EE:09" { sslclientcertfp; };
    # Results in: Link denied (Authentication failed [Bad password?])
    #
    # password "18:AC:75:AA:2B:48:35:23:CF:A2:68:4F:2D:9D:E6:33:06:C4:3F:32:AF:37:B5:49:7A:4D:C5:02:5F:B1:EE:09";
    # SHA256 results in: Link denied (Authentication failed [Bad password?])
    # SHA1 results in:
    # password "36:EA:DC:1C:C5:44:5C:57:74:60:B4:0F:40:DB:64:7D:55:7A:E7:3B";
    # passwords length may not exceed 48
    # password "36:EA:DC:1C:C5:44:5C:57:74:60:B4:0F:40:DB:64:7D:55:7A:E7:3B" { sslclientcertfp; };
    # loads with no problems, but: Link denied (Authentication failed [Bad password?])
    password "1234567890"; # works
    #verify-certificate no; # unreal *.14 and up
    class servers;
    #hub *;
    leaf *;
    incoming { mask *; };
    outgoing {
        bind-ip *;
        hostname some.remote.address;
        port some-port;
        options {
            ssl;
            #autoconnect;
        };
        ssl-options {
            ciphers ECDHE-RSA-AES256-GCM-SHA384;
            protocols TLSv1.2;
        };
    };
};
Problem:
As described in the link block conf, the use of certificate fingerprints is not working. I am only able to link when using a text password set equal on both servers. I am also not able to link if I set a password equal on both servers that looks like a hexadecimal fingerprint, just to test.
Note that the remote link exchanges certificate fingerprints as required.
I have tested this between two servers, where one was only reloaded/rehashed and the test server was restarted on every change.
Constructive criticism leads to evolution and progress. Negative criticism leads to obsolescence. We are not in the 90's IRC world anymore.
CertFP: d985d21f89fe2977b593c4d381a1a86802e62990d9328d893db76d59f9935244
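A way to check, outside the IRCd, whether the certificate the remote link port presents really has the fingerprint configured in the link block. This is an added example, not code from the post above or from UnrealIRCd. It assumes that sslclientcertfp compares the SHA-256 fingerprint of the peer certificate (the value `openssl x509 -sha256 -fingerprint` prints) with the password string; the function names (`matches_link_password`, `fetch_peer_cert`, `plaintext_password_length_ok`) and the tolerant normalisation of colon/uppercase versus bare lowercase hex are this example's own. The 48-character limit comes from the "passwords length may not exceed 48" error quoted in the link block. The sample PEM is constructed (base64 of `abc` between certificate markers, not a real certificate) so the expected hash is known and the script runs offline; in practice feed it the output of `fetch_peer_cert` or of `openssl s_client -showcerts`.

```python
"""Compare a link peer's certificate fingerprint with an UnrealIRCd link password.

Added example (not UnrealIRCd code). Assumes sslclientcertfp matches the
SHA-256 fingerprint of the peer certificate against the password string.
"""
import base64
import hashlib
import re
import ssl

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)

# Observed in the post: a plain (non-fingerprint) password longer than this is rejected.
MAX_PLAINTEXT_PASSWORD = 48


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def sha256_fingerprint(der: bytes) -> str:
    """Bare lowercase hex SHA-256 over the DER bytes (64 chars), like the CertFP form."""
    return hashlib.sha256(der).hexdigest()


def openssl_style(fp_hex: str) -> str:
    """Format like `openssl x509 -sha256 -fingerprint`: AA:BB:... (95 chars for SHA-256)."""
    return ":".join(fp_hex[i:i + 2] for i in range(0, len(fp_hex), 2)).upper()


def normalize_fingerprint(value: str) -> str:
    """Strip colons/whitespace and lowercase, so both spellings compare equal."""
    cleaned = re.sub(r"[\s:]", "", value).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", cleaned):
        raise ValueError("not a SHA-256 fingerprint: %r" % value)
    return cleaned


def matches_link_password(pem: str, password: str) -> bool:
    """True if the certificate's SHA-256 fingerprint equals the configured password."""
    return sha256_fingerprint(pem_to_der(pem)) == normalize_fingerprint(password)


def plaintext_password_length_ok(password: str) -> bool:
    """Whether a password would be accepted as a plain password (no sslclientcertfp).

    A colon-separated SHA-256 fingerprint is 95 chars, a SHA-1 one 59, so neither
    fits; that is why a fingerprint has to be given with { sslclientcertfp; }.
    """
    return len(password) <= MAX_PLAINTEXT_PASSWORD


def fetch_peer_cert(host: str, port: int) -> str:
    """Fetch the PEM certificate a TLS link port presents (needs network access)."""
    return ssl.get_server_certificate((host, port))


# Constructed sample: NOT a real certificate, just base64("abc") inside PEM markers,
# so the DER bytes are b"abc" and the SHA-256 value is known in advance.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""
# SHA-256("abc") written the way openssl prints fingerprints.
SAMPLE_PASSWORD = ("BA:78:16:BF:8F:01:CF:EA:41:41:40:DE:5D:AE:22:23:"
                   "B0:03:61:A3:96:17:7A:9C:B4:10:FF:61:F2:00:15:AD")

if __name__ == "__main__":
    fp = sha256_fingerprint(pem_to_der(SAMPLE_PEM))
    print("bare:    ", fp)
    print("openssl: ", openssl_style(fp))
    print("matches link password:", matches_link_password(SAMPLE_PEM, SAMPLE_PASSWORD))
    print("usable as plain password:", plaintext_password_length_ok(SAMPLE_PASSWORD))
```

To check a live peer, replace `SAMPLE_PEM` with `fetch_peer_cert("some.remote.address", some_port)` and the password with the string from your link block; a `False` result means the fingerprint in the config does not belong to the certificate that listen block actually serves (for example after the cron job regenerated the key pair).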