Websocket & SSL certs

R4tt
Posts: 9
Joined: Tue Sep 12, 2017 9:07 pm

Websocket & SSL certs

Post by R4tt »

That module sounds very nice!
One question related to the SSL cert thing. If I'm using a free SSL cert service like Let's Encrypt, I have to renew the cert every ~60 days. Is it necessary to restart UnrealIRCd or reload the module in this case?
R4tt

Re: Websocket

Post by R4tt »

Another question. Is it possible to use a separate SSL cert only for the websocket, or do I have to use one SSL cert for the whole UnrealIRCd?
Sorry for double posting. :/
Syzop
UnrealIRCd head coder
Posts: 2112
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl

Re: Websocket

Post by Syzop »

If you set up a dedicated port for your websocket connections, so a listen { } block, then you can use listen::ssl-options to use a specific certificate. See the Listen block documentation (in particular the ssl-options section).
R4tt

Re: Websocket

Post by R4tt »

Thanks for your reply. Is it possible to reload only a specific SSL cert with the "reload tls" command? If I used an extra cert for the websocket (for example Let's Encrypt), it would be better if I could reload only that SSL cert instead of reloading ALL SSL certs my IRC is using.
Syzop

Re: Websocket

Post by Syzop »

It's not possible to reload specific certificates. But there should be no need. Reloading a certificate should be harmless for both new and existing users.
(Well, unless you replaced the certificate with some incorrect certificate of course.. then new users won't be able to connect, but that's only logical :D)
R4tt

Re: Websocket

Post by R4tt »

Thank you again. :) As far as I know, the existing users will be disconnected if the SSL cert is changed (which will happen if Let's Encrypt is used).
My plan is to use Let's Encrypt for one port (websocket) and a self-signed cert for another port. If the "reload tls" command doesn't affect the self-signed cert and users won't be disconnected, it should be fine.
The websocket feature looks very good, but I wasn't sure about the SSL cert thing. Because my site uses SSL, I need a trusted SSL certificate or all browsers will reject the websocket chat. :/
Syzop

Re: Websocket

Post by Syzop »

"As far as I know, the existing users will be disconnected"
What is that based on? Speculation?

I mean, I know how I coded it. It will only refresh the SSL_CTX for new connections.
And I and many users have been using this feature for years now, without any such issues. I used it as recently as a week ago on 3 servers.

I would suggest using the certificate on all ports. Then non-webirc IRC users can also benefit from a "proper" certificate :)
R4tt

Re: Websocket & SSL certs

Post by R4tt »

I tried the websocket module with a Let's Encrypt cert, but it looks like UnrealIRCd ignores the extra websocket cert. I'm running UnrealIRCd version 4.0.14 with the following websocket config part for the SSL cert:

listen {
   ip *;
   port 12345;
   options { ssl; };
   ssl-options {
       certificate "sslcert/server.cert.pem";
       key "sslcert/server.key.pem";
       options { no-client-certificate; };
   };
};
On the reloadtls command the cert is recognized, because there is an error message if the permissions are incorrect. Nevertheless it's not possible to connect to the websocket (port in firewall is open) and I don't know why.
R4tt

Re: Websocket & SSL certs

Post by R4tt »

Sorry, I posted the wrong config part.
This is the correct part:

listen {
  ip *;
  port 12345;
  options { ssl; };
  ssl-options {
      certificate "/path/to/letsencrypt/fullchain.pem";
      key "/path/to/letsencrypt/privkey.pem";
      options { no-client-certificate; };
  };
};
A check via openssl s_client to the websocket port reveals that the websocket's specific cert options are ignored and the default cert is used instead.
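
The check described in the post above, scripted as an added example that is not part of the original thread or of UnrealIRCd: it compares the SHA-256 fingerprint of the certificate a listener serves with the leaf (first) certificate in the PEM file configured in ssl-options, which also shows whether a renewed certificate has been picked up after a reload. All function names are assumptions, and SAMPLE_BUNDLE is constructed placeholder data, not a real certificate.

```python
import base64
import hashlib
import re
import socket
import ssl
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def leaf_fingerprint(pem_text):
    """SHA-256 of the first certificate in a PEM bundle (the leaf in fullchain.pem)."""
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no certificate block found")
    der = base64.b64decode("".join(match.group(1).split()))
    return hashlib.sha256(der).hexdigest()

def served_fingerprint(host, port, timeout=5.0):
    """SHA-256 of the certificate the listener presents during the handshake."""
    ctx = ssl.create_default_context()
    # Validation is off on purpose: the aim is to identify the served
    # certificate, which may be the self-signed default one.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()

def listener_uses_cert(host, port, pem_path):
    """True when the port serves the leaf certificate stored in pem_path."""
    with open(pem_path, encoding="ascii") as fh:
        return served_fingerprint(host, port) == leaf_fingerprint(fh.read())

def pem_block(der):
    """Wrap raw bytes in PEM armor (used only to build the constructed sample)."""
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

# Constructed sample: placeholder bytes standing in for a leaf + intermediate.
SAMPLE_BUNDLE = pem_block(b"constructed-leaf") + pem_block(b"constructed-intermediate")

if __name__ == "__main__":
    if len(sys.argv) == 4:  # usage: script.py HOST PORT /path/to/fullchain.pem
        host, port, path = sys.argv[1], int(sys.argv[2]), sys.argv[3]
        print("match" if listener_uses_cert(host, port, path) else "MISMATCH")
    else:
        print("sample leaf fingerprint:", leaf_fingerprint(SAMPLE_BUNDLE))
```

A MISMATCH on the websocket port means the listener is still presenting a different certificate than the configured file, for example the server default or the pre-renewal one.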
R4tt

Re: Websocket & SSL certs

Post by R4tt »

Ok, it's working now. Don't know why, but looks like unreal reads the config now correctly. :D