pegasus/unrealircd
1
0
Fork 0
mirror of https://github.com/unrealircd/unrealircd.git synced 2026-07-01 01:06:38 +02:00
Code Activity
Files
1f856745e500620a55065a77d2bd39e876246708
unrealircd/doc/RELEASE-NOTES
T
Bram Matthys 1f856745e5 4.0.14-rc1
2017-09-08 08:16:21 +02:00

70 lines
3.2 KiB
Plaintext
Raw Blame History

UnrealIRCd 4.0.14-rc1 Release Notes
====================================
These release notes are work-in-progress.
==[ CHANGES BETWEEN 4.0.13 AND 4.0.14 ]==
Enhancements:
* New set::plaintext-policy configuration settings. This defines what
happens to users/ircops/servers that are not using SSL/TLS.
The default settings are:
set {
plaintext-policy {
user allow; /* allow any user to connect */
oper warn; /* warn on /OPER if not using SSL/TLS */
server deny; /* deny servers without SSL/TLS, except localhost */
};
};
You can change each of the three classes to 'allow', 'warn' or 'deny'.
See: https://www.unrealircd.org/docs/Set_block#set::plaintext-policy
If your services do not run on localhost and link without SSL/TLS
then you may get an error during linking. In such a case check out:
https://www.unrealircd.org/docs/FAQ#ERROR:_Servers_need_to_use_SSL.2FTLS
* You can now ask UnrealIRCd to verify certificates of server links by:
link irc1.test.net {
[..]
verify-certificate yes;
};
This will verify the certificate of the link, making sure it is valid,
issued for the specified name (irc1.test.net) and given out by a
trusted Certificate Authority (like Let's Encrypt).
Obviously, if you use self-signed certificates then you can't use this.
* Introduce a concept called "link security level". This will rate the
security of your network from 0 to 2. Whenever security is degraded
due to a new server link UnrealIRCd will print a warning about it.
See https://www.unrealircd.org/docs/Link_security
This also adds a new command /LINKSECURITY (IRCop-only).
* The plaintext-policy and link-security is shown in "CAP LS".
Major issues fixed:
* None
Minor issues fixed:
* If you had a link block named irc1.example.net and did an outgoing
connect to that server, then the server could introduce himself under
a different name, such as irc1.other.net. Not a security issue but
this could cause confusing autoconnect attempts.
* password::sslclientcert did not accept relative paths
* Compile problem with LibreSSL (regarding SSL_CTX_get0_param)
* set::modes-on-connect: was refusing certain (old) modes like +N
Other changes:
* The ssl options 'verify-certificate' and 'no-self-signed' have been
removed. Use link::verify-certificate instead. It makes no sense to
verify certificates or prevent self signed certificates elsewhere
such as in vhost or oper, since there is no hostname to match against.
* Weak cipher suites such as 3DES and RC4 are disabled by default but
previously you could still enable them through set::ssl::ciphers.
Now you can no longer, since there is no legitimate reason to do so.
* Update cipher suite to work with TLS 1.3. This ensures you can use
TLS 1.3 in UnrealIRCd 4.0.14+ when OpenSSL supports it (in the future).
* Bump MODDATA_MAX_CLIENT from 8 to 12: needed if you have a lot of
3rd party modules loaded. Also moved MODDATA_MAX_* to include/config.h
Module coders:
* You can now attach ModData to server objects as well (including &me).
==[ CHANGES IN OLDER RELEASES ]==
For changes in previous UnrealIRCd releases see doc/RELEASE-NOTES.old or
https://raw.githubusercontent.com/unrealircd/unrealircd/unreal40/doc/RELEASE-NOTES.old
View Git Blame Copy Permalink