mirror of
https://github.com/osmarks/ngircd.git
synced 2025-01-06 13:50:28 +00:00
817937b218
This patch provides code to validate the server certificate in server links, defeating nasty man-in-the-middle attacks on server links. Features: - Check whether the certificate is signed by a trusted certificate authority (CA). - Check the host name, including wildcard certificates and Subject Alternative Names. - Optionally check against a certificate revocation list (CRL). - Implementation for both OpenSSL and GnuTLS linkage. Left for another day: - Parameterize the TLS parameter of an outbound connection. Currently, it's hardcoded to disable all versions before TLSv1.1. - Using certificate as CA-certificate. They work for GnuTLS only but perhaps this should rather raise an error there, too. - Optional OCSP checking. - Checking client certificates. Code is there but this first needs some consideration about the use cases. This could replace all other authentication methods, for both client-server and server-server connections. This patch is based on a patch by Florian Westphal from 2009, which implemented this for OpenSSL only: From: Florian Westphal <fw@strlen.de> Date: Mon, 18 May 2009 00:29:02 +0200 Subject: SSL/TLS: Add initial certificate support to OpenSSL backend Commit message modified by Alex Barton. Closes #120, "Server links using TLS/SSL need certificate validation". Supersedes PR #8, "Options for verifying and requiring SSL client certificates", which had (incomplete?) code for OpenSSL, no GnuTLS.
425 lines
16 KiB
Cheetah
425 lines
16 KiB
Cheetah
#
|
|
# This is a sample configuration file for the ngIRCd IRC daemon, which must
|
|
# be customized to the local preferences and needs.
|
|
#
|
|
# Comments are started with "#" or ";".
|
|
#
|
|
# A lot of configuration options in this file start with a ";". You have
|
|
# to remove the ";" in front of each variable to actually set a value!
|
|
# The disabled variables are shown with example values for completeness only
|
|
# and the daemon is using compiled-in default settings.
|
|
#
|
|
# Use "ngircd --configtest" (see manual page ngircd(8)) to validate that the
|
|
# server interprets the configuration file as expected!
|
|
#
|
|
# Please see ngircd.conf(5) for a complete list of configuration options
|
|
# and their descriptions.
|
|
#
|
|
|
|
[Global]
|
|
# The [Global] section of this file is used to define the main
|
|
# configuration of the server, like the server name and the ports
|
|
# on which the server should be listening.
|
|
# These settings depend on your personal preferences, so you should
|
|
# make sure that they correspond to your installation and setup!
|
|
|
|
# Server name in the IRC network, must contain at least one dot
|
|
# (".") and be unique in the IRC network. When not set, ngIRCd tries
|
|
# to deduce a valid IRC server name from the local host name.
|
|
;Name = irc.example.net
|
|
|
|
# Information about the server and the administrator, used by the
|
|
# ADMIN command. Not required by server but by RFC!
|
|
;AdminInfo1 = Description
|
|
;AdminInfo2 = Location
|
|
;AdminEMail = admin@irc.server
|
|
|
|
# Text file which contains the ngIRCd help text. This file is required
|
|
# to display help texts when using the "HELP <cmd>" command. Default: a
|
|
# built-in standard path (check "ngircd --configtest").
|
|
;HelpFile = :DOCDIR:/Commands.txt
|
|
|
|
# Info text of the server. This will be shown by WHOIS and
|
|
# LINKS requests for example. Set to the server software name and
|
|
# version by default.
|
|
;Info = Server Info Text
|
|
|
|
# Comma separated list of IP addresses on which the server should
|
|
# listen. Default values are:
|
|
# "0.0.0.0" or (if compiled with IPv6 support) "::,0.0.0.0"
|
|
# so the server listens on all IP addresses of the system by default.
|
|
;Listen = 127.0.0.1,192.168.0.1
|
|
|
|
# Text file with the "message of the day" (MOTD). This message will
|
|
# be shown to all users connecting to the server: Default: a built-in
|
|
# standard path (check "ngircd --configtest").
|
|
;MotdFile = :ETCDIR:/ngircd.motd
|
|
|
|
# A simple Phrase (<127 chars) if you don't want to use a motd file.
|
|
;MotdPhrase = "Hello world!"
|
|
|
|
# The name of the IRC network to which this server belongs. This name
|
|
# is optional, should only contain ASCII characters, and can't contain
|
|
# spaces. It is only used to inform clients. The default is empty,
|
|
# so no network name is announced to clients.
|
|
;Network = aIRCnetwork
|
|
|
|
# Global password for all users needed to connect to the server.
|
|
# (Default: not set)
|
|
;Password = abc
|
|
|
|
# This tells ngIRCd to write its current process ID to a file.
|
|
# Note that the pidfile is written AFTER chroot and switching the
|
|
# user ID, e.g. the directory the pidfile resides in must be
|
|
# writable by the ngIRCd user and exist in the chroot directory.
|
|
;PidFile = /var/run/ngircd/ngircd.pid
|
|
|
|
# Ports on which the server should listen. There may be more than
|
|
# one port, separated with ",". (Default: 6667)
|
|
;Ports = 6667, 6668, 6669
|
|
|
|
# Group ID under which the ngIRCd should run; you can use the name
|
|
# of the group or the numerical ID. ATTENTION: For this to work the
|
|
# server must have been started with root privileges!
|
|
;ServerGID = 65534
|
|
|
|
# User ID under which the server should run; you can use the name
|
|
# of the user or the numerical ID. ATTENTION: For this to work the
|
|
# server must have been started with root privileges! In addition,
|
|
# the configuration and MOTD files must be readable by this user,
|
|
# otherwise RESTART and REHASH won't work!
|
|
;ServerUID = 65534
|
|
|
|
[Limits]
|
|
# Define some limits and timeouts for this ngIRCd instance. Default
|
|
# values should be safe, but it is wise to double-check :-)
|
|
|
|
# The server tries every <ConnectRetry> seconds to establish a link
|
|
# to not yet (or no longer) connected servers.
|
|
;ConnectRetry = 60
|
|
|
|
# Number of seconds after which the whole daemon should shutdown when
|
|
# no connections are left active after handling at least one client
|
|
# (0: never, which is the default).
|
|
# This can be useful for testing or when ngIRCd is started using
|
|
# "socket activation" with systemd(8), for example.
|
|
;IdleTimeout = 0
|
|
|
|
# Maximum number of simultaneous in- and outbound connections the
|
|
# server is allowed to accept (0: unlimited):
|
|
;MaxConnections = 0
|
|
|
|
# Maximum number of simultaneous connections from a single IP address
|
|
# the server will accept (0: unlimited):
|
|
;MaxConnectionsIP = 5
|
|
|
|
# Maximum number of channels a user can be member of (0: no limit):
|
|
;MaxJoins = 10
|
|
|
|
# Maximum length of an user nickname (Default: 9, as in RFC 2812).
|
|
# Please note that all servers in an IRC network MUST use the same
|
|
# maximum nickname length!
|
|
;MaxNickLength = 9
|
|
|
|
# Maximum penalty time increase in seconds, per penalty event. Set to -1
|
|
# for no limit (the default), 0 to disable penalties altogether. The
|
|
# daemon doesn't use penalty increases higher than 2 seconds during
|
|
# normal operation, so values greater than 1 rarely make sense.
|
|
;MaxPenaltyTime = -1
|
|
|
|
# Maximum number of channels returned in response to a /list
|
|
# command (0: unlimited):
|
|
;MaxListSize = 100
|
|
|
|
# After <PingTimeout> seconds of inactivity the server will send a
|
|
# PING to the peer to test whether it is alive or not.
|
|
;PingTimeout = 120
|
|
|
|
# If a client fails to answer a PING with a PONG within <PongTimeout>
|
|
# seconds, it will be disconnected by the server.
|
|
;PongTimeout = 20
|
|
|
|
[Options]
|
|
# Optional features and configuration options to further tweak the
|
|
# behavior of ngIRCd. If you want to get started quickly, you most
|
|
# probably don't have to make changes here -- they are all optional.
|
|
|
|
# List of allowed channel types (channel prefixes) for newly created
|
|
# channels on the local server. By default, all supported channel
|
|
# types are allowed. Set this variable to the empty string to disallow
|
|
# creation of new channels by local clients at all.
|
|
;AllowedChannelTypes = #&+
|
|
|
|
# Are remote IRC operators allowed to control this server, e.g.
|
|
# use commands like CONNECT, SQUIT, DIE, ...?
|
|
;AllowRemoteOper = no
|
|
|
|
# A directory to chroot in when everything is initialized. It
|
|
# doesn't need to be populated if ngIRCd is compiled as a static
|
|
# binary. By default ngIRCd won't use the chroot() feature.
|
|
# ATTENTION: For this to work the server must have been started
|
|
# with root privileges!
|
|
;ChrootDir = /var/empty
|
|
|
|
# Set this hostname for every client instead of the real one.
|
|
# Use %x to add the hashed value of the original hostname.
|
|
;CloakHost = cloaked.host
|
|
|
|
# Use this hostname for hostname cloaking on clients that have the
|
|
# user mode "+x" set, instead of the name of the server.
|
|
# Use %x to add the hashed value of the original hostname.
|
|
;CloakHostModeX = cloaked.user
|
|
|
|
# The Salt for cloaked hostname hashing. When undefined a random
|
|
# hash is generated after each server start.
|
|
;CloakHostSalt = abcdefghijklmnopqrstuvwxyz
|
|
|
|
# Set every clients' user name to their nickname
|
|
;CloakUserToNick = yes
|
|
|
|
# Try to connect to other IRC servers using IPv4 and IPv6, if possible.
|
|
;ConnectIPv6 = yes
|
|
;ConnectIPv4 = yes
|
|
|
|
# Default user mode(s) to set on new local clients. Please note that
|
|
# only modes can be set that the client could set using regular MODE
|
|
# commands, you can't set "a" (away) for example! Default: none.
|
|
;DefaultUserModes = i
|
|
|
|
# Do DNS lookups when a client connects to the server.
|
|
;DNS = yes
|
|
|
|
# Do IDENT lookups if ngIRCd has been compiled with support for it.
|
|
# Users identified using IDENT are registered without the "~" character
|
|
# prepended to their user name.
|
|
;Ident = yes
|
|
|
|
# Directory containing configuration snippets (*.conf), that should
|
|
# be read in after parsing this configuration file.
|
|
# Default: a built-in directory name when no configuration file was
|
|
# explicitly given on the command line (check "ngircd --configtest"),
|
|
# none (empty) otherwise.
|
|
;IncludeDir = :ETCDIR:/conf.d
|
|
|
|
# Enhance user privacy slightly (useful for IRC server on TOR or I2P)
|
|
# by censoring some information like idle time, logon time, etc.
|
|
;MorePrivacy = no
|
|
|
|
# Normally ngIRCd doesn't send any messages to a client until it is
|
|
# registered. Enable this option to let the daemon send "NOTICE *"
|
|
# messages to clients while connecting.
|
|
;NoticeBeforeRegistration = no
|
|
|
|
# Should IRC Operators be allowed to use the MODE command even if
|
|
# they are not(!) channel-operators?
|
|
;OperCanUseMode = no
|
|
|
|
# Should IRC Operators get AutoOp (+o) in persistent (+P) channels?
|
|
;OperChanPAutoOp = yes
|
|
|
|
# Mask IRC Operator mode requests as if they were coming from the
|
|
# server? (This is a compatibility hack for ircd-irc2 servers)
|
|
;OperServerMode = no
|
|
|
|
# Use PAM if ngIRCd has been compiled with support for it.
|
|
# Users identified using PAM are registered without the "~" character
|
|
# prepended to their user name.
|
|
;PAM = yes
|
|
|
|
# When PAM is enabled, all clients are required to be authenticated
|
|
# using PAM; connecting to the server without successful PAM
|
|
# authentication isn't possible.
|
|
# If this option is set, clients not sending a password are still
|
|
# allowed to connect: they won't become "identified" and keep the "~"
|
|
# character prepended to their supplied user name.
|
|
# Please note: To make some use of this behavior, it most probably
|
|
# isn't useful to enable "Ident", "PAM" and "PAMIsOptional" at the
|
|
# same time, because you wouldn't be able to distinguish between
|
|
# Ident'ified and PAM-authenticated users: both don't have a "~"
|
|
# character prepended to their respective user names!
|
|
;PAMIsOptional = no
|
|
|
|
# When PAM is enabled, this value determines the used PAM
|
|
# configuration.
|
|
# This setting allows to run multiple ngIRCd instances with
|
|
# different PAM configurations on each instance.
|
|
# If you set it to "ngircd-foo", PAM will use
|
|
# /etc/pam.d/ngircd-foo instead of the default
|
|
# /etc/pam.d/ngircd.
|
|
;PAMServiceName = ngircd
|
|
|
|
# Let ngIRCd send an "authentication PING" when a new client connects,
|
|
# and register this client only after receiving the corresponding
|
|
# "PONG" reply.
|
|
;RequireAuthPing = no
|
|
|
|
# Silently drop all incoming CTCP requests.
|
|
;ScrubCTCP = no
|
|
|
|
# Syslog "facility" to which ngIRCd should send log messages.
|
|
# Possible values are system dependent, but most probably auth, daemon,
|
|
# user and local1 through local7 are possible values; see syslog(3).
|
|
# Default is "local5" for historical reasons, you probably want to
|
|
# change this to "daemon", for example.
|
|
;SyslogFacility = local1
|
|
|
|
# Password required for using the WEBIRC command used by some
|
|
# Web-to-IRC gateways. If not set/empty, the WEBIRC command can't
|
|
# be used. (Default: not set)
|
|
;WebircPassword = xyz
|
|
|
|
;[SSL]
|
|
# SSL-related configuration options. Please note that this section
|
|
# is only available when ngIRCd is compiled with support for SSL!
|
|
# So don't forget to remove the ";" above if this is the case ...
|
|
|
|
# SSL Trusted CA Certificates File (for verifying peer certificates)
|
|
;CAFile = /etc/ssl/CA/cacert.pem
|
|
|
|
# Certificate Revocation File (for marking otherwise valid
|
|
# certficates as invalid)
|
|
;CRLFile = /etc/ssl/CA/crl.pem
|
|
|
|
# SSL Server Key Certificate
|
|
;CertFile = :ETCDIR:/ssl/server-cert.pem
|
|
|
|
# Select cipher suites allowed for SSL/TLS connections. This defaults
|
|
# to HIGH:!aNULL:@STRENGTH (OpenSSL) or SECURE128 (GnuTLS).
|
|
# See 'man 1ssl ciphers' (OpenSSL) or 'man 3 gnutls_priority_init'
|
|
# (GnuTLS) for details.
|
|
# For OpenSSL:
|
|
;CipherList = HIGH:!aNULL:@STRENGTH:!SSLv3
|
|
# For GnuTLS:
|
|
;CipherList = SECURE128:-VERS-SSL3.0
|
|
|
|
# Diffie-Hellman parameters
|
|
;DHFile = :ETCDIR:/ssl/dhparams.pem
|
|
|
|
# SSL Server Key
|
|
;KeyFile = :ETCDIR:/ssl/server-key.pem
|
|
|
|
# password to decrypt SSLKeyFile (OpenSSL only)
|
|
;KeyFilePassword = secret
|
|
|
|
# Additional Listen Ports that expect SSL/TLS encrypted connections
|
|
;Ports = 6697, 9999
|
|
|
|
[Operator]
|
|
# [Operator] sections are used to define IRC Operators. There may be
|
|
# more than one [Operator] block, one for each local operator.
|
|
|
|
# ID of the operator (may be different of the nickname)
|
|
;Name = TheOper
|
|
|
|
# Password of the IRC operator
|
|
;Password = ThePwd
|
|
|
|
# Optional Mask from which /OPER will be accepted
|
|
;Mask = *!ident@somewhere.example.com
|
|
|
|
[Operator]
|
|
# More [Operator] sections, if you like ...
|
|
|
|
[Server]
|
|
# Other servers are configured in [Server] sections. If you
|
|
# configure a port for the connection, then this ngircd tries to
|
|
# connect to the other server on the given port; if not it waits
|
|
# for the other server to connect.
|
|
# There may be more than one server block, one for each server.
|
|
#
|
|
# Server Groups:
|
|
# The ngIRCd allows "server groups": You can assign an "ID" to every
|
|
# server with which you want this ngIRCd to link. If a server of a
|
|
# group won't answer, the ngIRCd tries to connect to the next server
|
|
# in the given group. But the ngircd never tries to connect to two
|
|
# servers with the same group ID.
|
|
|
|
# IRC name of the remote server, must match the "Name" variable in
|
|
# the [Global] section of the other server (when using ngIRCd).
|
|
;Name = irc2.example.net
|
|
|
|
# Internet host name or IP address of the peer (only required when
|
|
# this server should establish the connection).
|
|
;Host = connect-to-host.example.net
|
|
|
|
# IP address to use as _source_ address for the connection. if
|
|
# unspecified, ngircd will let the operating system pick an address.
|
|
;Bind = 10.0.0.1
|
|
|
|
# Port of the server to which the ngIRCd should connect. If you
|
|
# assign no port the ngIRCd waits for incoming connections.
|
|
;Port = 6667
|
|
|
|
# Own password for the connection. This password has to be configured
|
|
# as "PeerPassword" on the other server.
|
|
;MyPassword = MySecret
|
|
|
|
# Foreign password for this connection. This password has to be
|
|
# configured as "MyPassword" on the other server.
|
|
;PeerPassword = PeerSecret
|
|
|
|
# Group of this server (optional)
|
|
;Group = 123
|
|
|
|
# Set the "Passive" option to "yes" if you don't want this ngIRCd to
|
|
# connect to the configured peer (same as leaving the "Port" variable
|
|
# empty). The advantage of this option is that you can actually
|
|
# configure a port an use the IRC command CONNECT more easily to
|
|
# manually connect this specific server later.
|
|
;Passive = no
|
|
|
|
# Connect to the remote server using TLS/SSL (Default: false)
|
|
;SSLConnect = yes
|
|
|
|
# Verify the TLS certificate presented by the remote server
|
|
# (Default: yes)
|
|
;SSLVerify = yes
|
|
|
|
# Define a (case insensitive) list of masks matching nicknames that
|
|
# should be treated as IRC services when introduced via this remote
|
|
# server, separated by commas (",").
|
|
# REGULAR SERVERS DON'T NEED this parameter, so leave it empty
|
|
# (which is the default).
|
|
# When you are connecting IRC services which mask as a IRC server
|
|
# and which use "virtual users" to communicate with, for example
|
|
# "NickServ" and "ChanServ", you should set this parameter to
|
|
# something like "*Serv" or "NickServ,ChanServ,XyzServ".
|
|
;ServiceMask = *Serv,Global
|
|
|
|
[Server]
|
|
# More [Server] sections, if you like ...
|
|
|
|
[Channel]
|
|
# Pre-defined channels can be configured in [Channel] sections.
|
|
# Such channels are created by the server when starting up and even
|
|
# persist when there are no more members left.
|
|
# Persistent channels are marked with the mode 'P', which can be set
|
|
# and unset by IRC operators like other modes on the fly.
|
|
# There may be more than one [Channel] block, one for each channel.
|
|
|
|
# Name of the channel
|
|
;Name = #TheName
|
|
|
|
# Topic for this channel
|
|
;Topic = a great topic
|
|
|
|
# Initial channel modes, as used in "MODE" commands. Modifying lists
|
|
# (ban list, invite list, exception list) is supported.
|
|
# This option can be specified multiple times, evaluated top to bottom.
|
|
;Modes = +tnk mykey +l 5
|
|
;Modes = +b nick!~user@bad.host.example.com
|
|
|
|
# Should ngIRCd automatically join ("autojoin") all users to this
|
|
# channel on connect? Note: The users must have permissions to access
|
|
# the channel, otherwise joining them will fail!
|
|
;Autojoin = yes
|
|
|
|
# Key file, syntax for each line: "<user>:<nick>:<key>".
|
|
# Default: none.
|
|
;KeyFile = :ETCDIR:/#chan.key
|
|
|
|
[Channel]
|
|
# More [Channel] sections, if you like ...
|
|
|
|
# -eof-
|