that use outdated SSL/TLS protocols (eg: TLSv1.0) and ciphers.
The default settings are to warn in all cases: users connecting,
opers /OPER'ing up and servers linking in. The user will see a message
telling them to upgrade their IRC client.
This should help with migrating such users since in the future, say one
or two years from now, we would want to change the default to only allow
TSLv1.2+ with ciphers that provide Forward Secrecy. Instead of rejecting
clients without any error message, this provides a way to warn them and
give them some time to upgrade their outdated IRC client.
https://www.unrealircd.org/docs/Set_block#set::outdated-tls-policy
We previously introduced the "require sasl" block which allows you to
force users from certain IP addresses to authenticate with their nickname
and password via SASL. We now offer a new experimental module called
'saslemulation' which will help non-SASL users by showing a notice and
asking them to authenticate to their account via /AUTH <user>:<pass>.
See https://www.unrealircd.org/docs/Set_block#set::sasl-emulation
Note that this is work in progress, although the functionality of
already works. Still need to do some cleaning and expand the scope.
And more testing...
Since OpenSSL decided not to use the regular ciphers but make this a
separate option, we now make this a separate option as well.
So there is ::ciphers for <=TLSv1.2 and ::ciphersuites for TLSv1.3
More documentation will follow.
Patch from 'i' in https://bugs.unrealircd.org/view.php?id=5149
any other bans that will cause the user to be disconnected.
For technical details see the banned_client() function.
It's likely I made some mistakes somewhere => testing required!!
This is meant to blacklist modules that are in modules.default.conf (or
elsewhere). The 'loadmodule' line for any such module is effective ignored.
https://bugs.unrealircd.org/view.php?id=5118
Note: I had to move the loadmodule code. Previously this was done as each
config file (include) was loaded into memory. Now it is done after *ALL*
config files have been read into memory. This shouldn't matter for module
devs, though..
This requires OpenSSL 1.0.2 or newer (released on 22 Jan 2015).
Also fix a bug with OpenSSL 1.1.0+ where - due to removal of an API
function - we accidentally forced curve P-256 rather than automatic
selection. That sucks because the automatic selection (since 1.0.2+)
allows supporting multiple curves and selecting the highest one.
Fix force-rejoin not working if doing SVSMODE -x/+x (Koragg, #5015).
Note to module coders:
Please use the following procedure in case of an user/host change:
* userhost_save_current(acptr);
* << change username or hostname here (or both) >>
* userhost_changed(acptr);
This function will take care of notifying other clients about
the userhost change, such as doing PART+JOIN+MODE if force-rejoin
is enabled, and sending :xx CHGHOST user host messages to
"CAP chghost" capable clients.
Also, small note to everyone:
If force-rejoin is enabled we will not send the PART+JOIN+MODE to
"CAP chghost" capable clients. Doing so is just a hack to notify
people of a userhost change. "CAP chghost" users can thus benefit
from the reduced noise in this respect.
Delete CAP CLEAR as it's use is discouraged (too much trouble).
Delete CAP ACK (from client2server) as this is only for CAP's with
ack modifiers. This is something we don't use, and which has been
deprecated in v3.2 of the spec.
to validate the certificate of the link, making sure that:
1) The certificate is issued by a trusted Certificate Authority (CA).
2) The name on the certificate matches the name of the link block.
Some things still need to be done: documentation, more testing, and
using the X509_check_host() function when available.
Docs: https://www.unrealircd.org/docs/Set_block#set::ssl::sts-policy::port
Example:
set {
ssl {
certificate "ssl/server.cert.pem";
key "ssl/server.key.pem";
sts-policy {
port 6697;
duration 180d;
};
};
};
IMPORTANT: Only use this if you know what STS is and what the
implications are. The most important things being A) set a correct
port and B) you need a 'real' SSL certificate and not a self-signed
certificate.
More documentation may follow at another place.
This so you can easily add allow/deny channel blocks for IP ranges.
Possibly not so useful for services-networks (ban/akick is very similar)
but has some use on serviceless networks.
This allows you to for example specify a specific certificate/key on an
serversonly port and in link block (a self-signed 10 year valid certificate)
and use a short-lived (XX day) Let's Encrypt certificate on the other ports.
And several other uses, of course.
Bram Matthys