The InspIRCd Project

Modules/ssl gnutls

Description
Allows you to specify ports to accept clients using SSLv3.
Configuration Tags
Add ssl="gnutls" to a <bind> tag to enable SSL on that port, e.g.:
<bind address="" port="6667" type="clients" ssl="gnutls">

You may use SSL on a port of type "clients" or of type "servers"; however, if you use SSL on a server port, you must define a 'transport' value instead:

<bind address="" port="6666" type="servers" transport="gnutls">

Currently you cannot have SSL on port X on address 1.2.3.4 and plaintext on the same port on another address.

There is also a <gnutls> tag with several options:

  • <gnutls:cafile> - The CA file to use, defaults to "ca.pem"
  • <gnutls:crlfile> - The CRL file to use, defaults to "crl.pem"
  • <gnutls:certfile> - The certificate file, defaults to "cert.pem"
  • <gnutls:keyfile> - The private key file, defaults to "key.pem"
  • <gnutls:dh_bits> - The number of bits to use for DH (Diffie-Hellman) parameter generation, defaults to 1024. May be 768, 1024, 2048, 3072 or 4096.

All relative paths in the <gnutls> tag are treated as relative to the inspircd config directory, absolute ones are treated as...absolute.

Example:

<gnutls cafile="ca.pem" crlfile="crl.pem" certfile="cert.pem" keyfile="key.pem" dh_bits="1024">
Additional Modes
See m_sslmodes.so
Additional Commands
REHASH SSL

This command causes all certificates to be reloaded and the Diffie-Hellman parameters to be regenerated; <bind> tags are also re-read.

STARTTLS

In InspIRCd 1.2, clients may send STARTTLS before client registration to switch a plaintext socket to GnuTLS mode. After this point, the server expects the TLS handshake. No further plaintext should be sent, and there is no way to revert to plaintext after this point.

To detect STARTTLS capability, the client should implement the CAP extension and check CAP LS for the 'tls' capability. If this is available, then STARTTLS can be used. If it is not available the client must remain plaintext or fall back on a dedicated SSL port.

For more information on STARTTLS see the STARTTLS Documentation page.
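As an added illustration of the client-side logic described above (example code, not part of InspIRCd): a small Python helper that parses CAP LS for the 'tls' capability, picks STARTTLS, a dedicated SSL port or plaintext accordingly, and performs the upgrade. It assumes the server acknowledges STARTTLS with numeric 670 and refuses with 691, as in the IRCv3 tls extension (this page does not state the numerics), and the host names in it are constructed.

```python
import socket
import ssl


def parse_cap_ls(line):
    """Return the capability names from a CAP LS reply such as
    ':irc.example.net CAP * LS :multi-prefix tls' (constructed sample)."""
    line = line.rstrip("\r\n")
    if line.startswith(":"):  # drop the server prefix
        _, _, line = line.partition(" ")
    parts = line.split(" ", 3)
    if len(parts) < 4 or parts[0].upper() != "CAP" or parts[2].upper() != "LS":
        return set()
    return set(parts[3].lstrip(":").split())


def choose_transport(cap_ls_line, has_dedicated_ssl_port):
    """Rule from the page: STARTTLS only when 'tls' is advertised,
    otherwise a dedicated SSL port if there is one, else plaintext."""
    if "tls" in parse_cap_ls(cap_ls_line):
        return "starttls"
    return "ssl-port" if has_dedicated_ssl_port else "plaintext"


def _read_line(sock):
    """Read one CRLF-terminated IRC line byte by byte, so that nothing past
    it is consumed: after the STARTTLS acknowledgement the next bytes are TLS."""
    buf = bytearray()
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            raise ConnectionError("connection closed before reply")
        buf += chunk
    return buf.decode("utf-8", "replace").rstrip("\r\n")


def upgrade_to_tls(sock, server_hostname, cafile=None):
    """Send STARTTLS before registration and wrap the socket for the handshake.
    Assumption (not on this page): the server answers with numeric 670 and
    refuses with 691, as in the IRCv3 tls extension. Pass the server's
    self-signed cert.pem as cafile to pin it; certificate verification stays on."""
    sock.sendall(b"STARTTLS\r\n")
    reply = _read_line(sock)
    numeric = reply.split(" ", 2)[1] if reply.startswith(":") else reply.split(" ", 1)[0]
    if numeric != "670":
        raise ConnectionError("STARTTLS not accepted: " + reply)
    ctx = ssl.create_default_context(cafile=cafile)
    # Nothing may be sent in plaintext from here on and there is no way back;
    # the next bytes on the wire are the TLS ClientHello.
    return ctx.wrap_socket(sock, server_hostname=server_hostname)
```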

Special Notes
Important: The GnuTLS module can be unloaded with the /unloadmodule command, *however* this will result in *all* users connected via the module being killed off the network with the reason "SSL module unloading", e.g.:
(23-14:53:46)  -» (Om)(~om@NetAdmin.easnet.net) has quit (SSL module unloading)

Beware of unloading this module!


OpenSSL vs. GnuTLS
GnuTLS has been benchmarked against OpenSSL and is significantly faster. InspIRCd supports both GnuTLS and OpenSSL, but we recommend this GnuTLS module over the OpenSSL one: it should outperform it, and thanks to GnuTLS's nicer API the module itself is smaller and neater than the OpenSSL module.

This is the recommended SSL module!


Installation
This module requires libgnutls to work; currently it has been tested with the 1.2 and 1.3 series of libgnutls. You must have this library and the appropriate header files in order to build the module.
Extra Module
This module is an 'extra' module. This means that by default it is not compiled when you type make to build your IRCd. To enable this module, follow these steps.


Once the module is compiled, you need to generate a private key and an SSL certificate. GnuTLS supplies a tool called 'certtool' which makes this process fairly easy. Just run these two commands and move the output .pem files to wherever you configured:

certtool --generate-privkey --outfile key.pem
certtool --generate-self-signed --load-privkey key.pem --outfile cert.pem

Of course, you may want to vary this to use a private key you already have, or to get the certificate signed by someone else. In that case, see:

man certtool

Also, some users have had issues with certtool: GnuTLS provides an excellent library but not such a great certificate tool. If your key takes a long time to generate and you also have OpenSSL installed, you can generate a key and certificate with the following command:

openssl req -x509 -nodes -newkey rsa:1024 -keyout key.pem -out cert.pem

It will also aid key generation if you cause device activity during the generation, as this helps supply random data.

Installation of GnuTLS to your home directory

In the instance where you do not have root access to the place where you will be running InspIRCd, and you still want to use GnuTLS, you must install it to your home directory.

InspIRCd is designed in such a way that if you do this, it will work, so long as the GnuTLS binaries are in the PATH. Usually, most Linux and BSD distributions insert /home/username/bin or ~/bin into the path, so by copying certtool and libgnutls-config to this directory, you can make GnuTLS function as expected with InspIRCd. So long as it can execute these binaries, it can successfully compile, and detect the libraries it needs.

Package Systems

Some distros have decided to package GnuTLS in a unique manner. You may need to check that you install all the required packages, as there may be more than one. For example:

Debian 4

 apt-get install libgnutls13 libgnutls-dev gnutls-bin

Fedora 7

 yum install gnutls gnutls-devel gnutls-utils

Please check your distro's documentation and ensure all components are installed before reporting a fault.