Modules/ssl openssl
From the makers of InspIRCd.
| Description
|
| Allows you to specify ports to accept clients using SSLv3. |
| Configuration Tags
|
Add ssl="openssl" to a <bind> tag to enable SSL on that port, e.g.:

    <bind address="" port="6666" type="clients" ssl="openssl">

You may use SSL on a port of type "clients" or of type "servers". However, if you use SSL on a server port, you must define a 'transport' value:

    <bind address="" port="6666" type="servers" transport="openssl">

Currently you cannot have SSL on port X on address 1.2.3.4 and plaintext on the same port on another address.

There is also an <openssl> tag with several options:

All relative paths in the <openssl> tag are treated as relative to the inspircd config directory; absolute ones are treated as absolute. Example:

    <openssl cafile="ca.pem" certfile="cert.pem" keyfile="key.pem" dhfile="dhparams.pem">
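
The <bind> and <openssl> rules in this section can be checked mechanically before a rehash. The Python script below is an added example, not part of InspIRCd or its documentation; the regex-based tag parser, the treatment of each port value as a single string, the sample addresses and the /etc/inspircd config directory are all assumptions.

```python
import posixpath
import re

TAG_RE = re.compile(r'<(\w+)((?:\s+\w+="[^"]*")*)\s*/?>')
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_tags(text):
    """Return [(tag_name, {attr: value})] for every <tag key="value" ...> in text."""
    return [(m.group(1), dict(ATTR_RE.findall(m.group(2)))) for m in TAG_RE.finditer(text)]

def uses_openssl(attrs):
    """A bind is SSL if ssl= (client ports) or transport= (server ports) names openssl."""
    return "openssl" in (attrs.get("ssl"), attrs.get("transport"))

def lint(text, confdir):
    """Return (findings, resolved_paths) for the <bind> and <openssl> rules on this page."""
    findings, by_port, paths = [], {}, {}
    for name, attrs in parse_tags(text):
        if name == "bind":
            port = attrs.get("port", "")
            # Rule 1: SSL on a server port must be declared with transport=.
            if attrs.get("type") == "servers" and "ssl" in attrs and "transport" not in attrs:
                findings.append(f"port {port}: server bind uses ssl= but has no transport=")
            by_port.setdefault(port, set()).add(uses_openssl(attrs))
        elif name == "openssl":
            # Relative file names resolve against the config directory; absolute ones are kept.
            for key in ("cafile", "certfile", "keyfile", "dhfile"):
                if key in attrs:
                    paths[key] = posixpath.normpath(posixpath.join(confdir, attrs[key]))
    # Rule 2: a port cannot be SSL on one address and plaintext on another.
    for port, modes in sorted(by_port.items()):
        if modes == {True, False}:
            findings.append(f"port {port}: SSL on one address, plaintext on another")
    return findings, paths

# Constructed sample configuration (not from a real server).
SAMPLE = '''
<bind address="192.0.2.1" port="6697" type="clients" ssl="openssl">
<bind address="192.0.2.2" port="6697" type="clients">
<bind address="" port="7000" type="servers" ssl="openssl">
<bind address="" port="7001" type="servers" transport="openssl">
<openssl cafile="ca.pem" certfile="cert.pem" keyfile="/etc/ssl/private/key.pem" dhfile="dhparams.pem">
'''

if __name__ == "__main__":
    findings, paths = lint(SAMPLE, "/etc/inspircd")
    print("\n".join(findings))
    print(paths)
```
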
| Additional Modes
|
| See m_sslmodes.so |
| Additional Commands
|
Issuing:

    /rehash ssl

will cause all the certificates and Diffie Hellman parameters to be reloaded, <bind> tags are also re-read.
| Special Notes
|
Important: The OpenSSL module can be unloaded with the /unloadmodule command, *however* this will result in *all* users connecting via the module being killed off the network with the reason "SSL module unloading", e.g.:

    (23-14:53:46) -» (Om)(~om@NetAdmin.easnet.net) has quit (SSL module unloading)

Beware of unloading this module!
| OpenSSL vs. GnuTLS
|
| GnuTLS has been benchmarked against OpenSSL, and GnuTLS is significantly faster. InspIRCd has both GnuTLS and OpenSSL support, but we recommend the GnuTLS version over this one! It should outperform it, and due to GnuTLS's nicer API the module itself is smaller and neater than the OpenSSL module.
GnuTLS Recommended! |
| Installation
|
This module requires libssl to work; currently it has been tested with the 0.9 versions of libssl. You must have this and the appropriate header files in order to build the module.

    openssl req -x509 -nodes -newkey rsa:1024 -keyout key.pem -out cert.pem
    openssl dhparam -out dhparams.pem 1024

Of course you may want to vary this to use a private key you already have, or to get the certificate signed by someone else. In which case:

    man openssl
    man req

Also, it will aid the key generation if you cause device activity during the generation; this helps supply random data.

















