Configuring SSL
Posted: Wed Mar 16, 2005 6:01 pm
by thekey
Hi,
I'm trying to configure SSL ports on my network, I do the following:
- I've added a listen block:
    listen 69.90.159.99:6697
    {
        options
        {
            clientsonly;
            ssl;
        };
    };
- I recompiled the Unreal with SSL support.
Do I need anything else? Because at the moment it doesn't work (I'm afraid I need a lot of other things)
Thanx!
Posted: Wed Mar 16, 2005 7:22 pm
by Dukat
What do you mean by "it doesn't work"? What's the exact error?
Posted: Wed Mar 16, 2005 7:41 pm
by thekey
Dukat wrote:What do you mean by "it doesn't work"? What's the exact error?
So when I do: /server myserver:+6697
I get: *** Unable to connect (Connection timed out)
I've heard about some SSL certificates, but I don't know if I need one or if it's optional. What else do I need?
Posted: Wed Mar 16, 2005 8:29 pm
by Matridom
Does your client support SSL properly? (I know mIRC requires separate DLL downloads to work with SSL)
Posted: Wed Mar 16, 2005 8:46 pm
by thekey
Yes, I'm using mirc v 6.16 and I've downloaded the necessary dll files to make that work... but it still doesn't

Posted: Wed Mar 16, 2005 9:01 pm
by jewles
i suggest doing a stat P and seeing if your ssl port is open
(15:58:17) -elmo.yatesdev.com- *** Listener on 10.10.1.1:6667, clients 1. is PERM clientsonly SSL
if it is, good, then you did everything correctly. If not then please produce the error preventing you from connecting...
(16:00:11) * Connecting to 10.10.1.1 (6667)
(16:00:11) * [10053] Software caused connection abort
(16:00:11) * Disconnected
which is me attempting to connect to a ssl port from a non-ssl supported client.
Posted: Wed Mar 16, 2005 9:51 pm
by thekey
Ok, it's working now!

The configuration was ok, maybe it was a client error.
-irc.DjBots.org- *** Listener on 69.90.159.99:6697, clients 1. is PERM clientsonly SSL
Thank you all

Posted: Sat Mar 19, 2005 12:43 am
by thekey
Erm, ok, I won't open another thread because my question is still about SSL.
The thing is, what is SSL exactly used for? I've read the help file and I know that an SSL connection encrypts data and protects against scans, etc. but I mean, should everyone be able to use an SSL connection? I think I don't get the point of this

Posted: Sat Mar 19, 2005 2:02 am
by jewles
SSL is a secure stock layer. It encrypts data between the server and the client... or server to server... It is always a good idea to allow clients the ability to use SSL and it should be a priority when linking servers, although most people don't care to use SSL... but it's always good practice to use it...
Posted: Sat Mar 26, 2005 12:13 am
by w00t
stock? I thought it was secure sockets layer ;P
Posted: Sat Mar 26, 2005 1:57 am
by Syzop
Indeed, hmm.. I thought there was another comment here a la "why bother encrypting" but perhaps I'm confused with another thread. Anyway..
The Internet is a public network, this means that if I connect to your IRC server my traffic usually goes through like 10-20 IP devices (and in fact, many more "hidden" ones), all of these devices might get hacked or for whatever reason a bad guy might control them, in which case (s)he can "sniff" your traffic (== look at everything that comes by) including all your personal conversations about/with your girlfriend and whatnot :p.
Posted: Sat Mar 26, 2005 5:23 am
by aquanight
Yeah, why do you think *nix has chucked telnet in favor of SSH.
Syzop wrote:your personal conversations about/with your girlfriend.
or lack thereof :/
Though I guess if you're the kind of person that tends not to have such personal discussions on IRC you might feel that SSL is unnecessary but then realize that you have your nickserv/ircop passwords to worry about, etc.
Posted: Sat Mar 26, 2005 12:56 pm
by thekey
Ok, I understand the point of this, but I still don't know why I need some certificate (for example from CACert.org) for my IRCd. Is there any difference between connecting without some certificate and connecting with it? Is the encryption then different?
Posted: Sat Mar 26, 2005 1:58 pm
by Dukat
Your server needs a certificate because that's how SSL works.
You should probably do some reading...
Posted: Sat Mar 26, 2005 4:27 pm
by codemastr
thekey wrote:Ok, I understand the point of this, but still don't know why do I need some certificate (for example from CACert.org) for my IRCd. Is there any difference between connecting without some certificate and connecting with it? Is the encryption then different?
SSL is more than just encryption. SSL provides identity verification. Let me try to explain it this way. You go click on a link which takes you to somebank.com and it says it uses SSL. You immediately assume "it's encrypted, I'm safe." However, as it turns out, this link didn't really take you to somebank.com, it took you to hackersite.com/somebank which is set up to look very much like somebank.com. Now, given flaws in many browsers, this fact can be hidden from you. But, not with SSL. With SSL, the certificate will show that hackersite.com does not match somebank.com. Therefore, it will reject the certificate as forged.
The idea is, it proves you are who you say you are. So where does CACert (and other CAs) fit in? They do the verification. They are considered a "trusted" third party. It uses a "network of trust" type system. For example, I trust CACert, and you trust CACert. CACert says "He really is codemastr" and they also say "He really is thekey." Now since we both trust CACert, it means that you believe I really am codemastr, and I believe you really are thekey. Therefore, CACert has proven we are who we said, and therefore we can trust each other.
Without a certificate, the identity verification is impossible. A certificate is basically your digital fingerprint, it proves your identity. If you don't have this fingerprint, then no one can know for sure who you are.
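The three outcomes discussed in this thread (a connection that never reaches the port, a port that does not speak SSL to the client, and a certificate that encrypts but cannot prove identity) can be told apart with a small client-side probe. This is an added example, not code from the thread or from UnrealIRCd; the function names `build_context` and `probe` are hypothetical, and the host, port and optional CA file are supplied by whoever runs it.

```python
import socket
import ssl


def build_context(verify=True, cafile=None):
    """Client TLS context. verify=False still encrypts but skips identity checks."""
    ctx = ssl.create_default_context(cafile=cafile)
    if not verify:
        ctx.check_hostname = False       # has to be switched off before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def probe(host, port, cafile=None, timeout=5.0):
    """Classify what a verifying TLS client sees when it connects to host:port."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        # Timed out, refused, no route: a listener or firewall problem, not SSL.
        return "tcp-failed: %s" % exc
    with raw:
        try:
            ctx = build_context(True, cafile)
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                # Chain leads to a trusted CA and the name matches the host.
                return "verified: %s" % tls.version()
        except ssl.SSLCertVerificationError as exc:
            # Handshake would encrypt, but the certificate does not prove
            # who the server is (self-signed, unknown CA, wrong hostname).
            return "encrypted-but-unverified: %s" % exc.verify_message
        except (ssl.SSLError, OSError) as exc:
            # The peer is not speaking TLS on this port, or dropped the handshake.
            return "tls-failed: %s" % exc


if __name__ == "__main__":
    import sys
    # Usage: python probe.py <host> <port> [cafile]
    cafile = sys.argv[3] if len(sys.argv) > 3 else None
    print(probe(sys.argv[1], int(sys.argv[2]), cafile))
```

A self-signed IRCd certificate lands in the encrypted-but-unverified branch unless a CA file that vouches for it is passed as `cafile`.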