
HowTo Setup A Secure IRCD

For me, setting up an IRC server over SSL was pretty easy. I have to say that using Debian makes the whole process a lot easier. With other OSes you may have to re-compile your clients for SSL support. In addition, Debian sets up your config files and your startup scripts for you.

I installed IRCD as my IRC server; you could try Unreal as well.

  apt-get install ircd-irc2

Follow these instructions for setting up your ircd.conf: http://www.irc.org/tech_docs/ircnet/INSTALL-4.html. At the very least you will need one line for each of the following:

    * M - Machines
    * Y - Connection Class
    * I - Clients
    * P - Ports

Next I grabbed stunnel to provide SSL support.

  apt-get install stunnel4

Certificates

Next I created my certificates, following these instructions: http://www.pseudonym.org/ssl/ssl_cook.html

Creating a Self-Signed CA Certificate

To create a self-signed certificate, use the OpenSSL "req" command with the "-x509" switch. The certificate is placed in the file CAcert.pem, and the private key in CAkey.pem. The commonName for the self-signed certificate should be a meaningful string for people to read, and not be the domain name of the server (since the server domain name is needed for server certificates used by Netscape).

The "req" command prompts for the password (e.g. caKEY) for the private key, and is used as follows:

  $SSLDIR/bin/openssl req -new -x509 -keyout ${SSLDIR}/private/CAkey.pem \
  -out ${SSLDIR}/private/CAcert.pem -config /usr/local/ssl/openssl.cnf

  Generating a 512 bit private key
  writing new private key to '../private/CAkey.pem'
  Enter PEM pass phrase:
  Verifying password - Enter PEM pass phrase:
  -----
  You are about to be asked to enter information that will be incorperated into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) [US]:
  State or Province Name (full name) [MA]:
  Locality Name (eg, city) [Cambridge]:
  Organization Name (eg, company) [The Open Group]:
  Organizational Unit Name (eg, section) [Research Institute]:
  Common Name (eg, YOUR name) [example.opengroup.org]:Example CA
  Email Address []:ssl_admin@opengroup.org
  
  # Request and sign a certificate for the IRC server itself with the CA created above
  openssl req -new -keyout newkey.pem -out newreq.pem -days 360 \
  -config /opt/www/lib/ssleay.cnf
  cat newreq.pem newkey.pem > new.pem
  $SSLDIR/bin/openssl ca -policy policy_anything -out newcert.pem \
  -config /usr/local/ssl/openssl.cnf -infiles new.pem
  cp newcert.pem $CERTDIR/sitecert.pem
  cp newkey.pem $CERTDIR/sitekey.pem
  cd $CERTDIR
  # Hash-named symlink so OpenSSL can find the certificate in a CApath-style directory
  ln -s sitecert.pem `$SSLDIR/bin/openssl x509 -noout -hash < sitecert.pem`.0

You can test your certs with openssl. These commands will set up a test server and a client.

  openssl s_server -accept 8003 -cert path/cert.pem -key path/key.pem \
      -state -bugs -CAfile path/CAcert.pem
  openssl s_client -connect localhost:8003 -state -showcerts -key path/sitekey.pem \
      -CAfile path/CAcert.pem

At any time you may remove the passphrase from the key; a daemon cannot type a passphrase at startup.

  openssl rsa -in imapd.newkey.pem -out imapd.newkey.pem

Finally, I set up my stunnel.conf file. Watch out for that client option; it screwed me up for a while. I'm running stunnel as a daemon. It listens for SSL connections on port 8001, decrypts them and sends them over to my IRC port, 6667.

  pid = /var/run/stunnel4/stunnel.pid
  setuid = stunnel4
  setgid = stunnel4
  CApath = path
  CAfile = path/CAcert.pem
  cert = path/cert.pem
  key = path/key.pem
  debug = 7
  output = /var/log/stunnel4/stunnel.log
  ; server mode: stunnel accepts SSL from clients, it does not originate it
  client = no
  [irc]
  accept = 8001
  connect = 6667

Lastly, I had to edit /etc/default/stunnel4 to enable stunnel.
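As an added example, not from this post or from the stunnel project: a small Python checker that parses a stunnel.conf laid out like the one above (global options, then [service] sections) and flags the points this setup depends on: client set to no, absolute cert and key paths, a debug level below 7, and a connect target that stays on the local host. The embedded config is a constructed copy of the one above, and the finding messages are my own wording.

```python
# Constructed sample: the stunnel.conf from this how-to, placeholders kept as written.
SAMPLE_CONF = """\
pid = /var/run/stunnel4/stunnel.pid
setuid = stunnel4
setgid = stunnel4
CApath = path
CAfile = path/CAcert.pem
cert = path/cert.pem
key = path/key.pem
debug = 7
output = /var/log/stunnel4/stunnel.log
client = no
[irc]
accept = 8001
connect = 6667
"""

def parse_stunnel_conf(text):
    """Return (global_opts, {service: opts}); options before the first [section] are global."""
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].split('#', 1)[0].strip()  # ';' and '#' start comments
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            current = services.setdefault(line[1:-1], {})
            continue
        key, _, value = line.partition('=')
        (global_opts if current is None else current)[key.strip()] = value.strip()
    return global_opts, services

def check_server_conf(text):
    """Findings for an SSL-terminating stunnel, the setup this how-to describes."""
    g, services = parse_stunnel_conf(text)
    findings = []
    if g.get('client', 'no').lower() != 'no':
        findings.append('client must be "no": this stunnel accepts SSL, it does not originate it')
    for opt in ('cert', 'key'):  # the author's "path/..." placeholders are relative paths
        if not g.get(opt, '').startswith('/'):
            findings.append(f'{opt} is missing or a relative path; use an absolute path')
    level = g.get('debug', '5').rsplit('.', 1)[-1]  # also accepts "facility.level"
    if level == 'debug' or (level.isdigit() and int(level) >= 7):
        findings.append('debug = 7 logs every handshake detail; lower it once it works')
    for name, svc in services.items():
        host = svc.get('connect', '').rpartition(':')[0]  # a bare port means localhost
        if host and host not in ('localhost', '127.0.0.1'):
            findings.append(f'[{name}] forwards decrypted IRC traffic off-host to {host}')
    return findings
```

Run `check_server_conf(open('/etc/stunnel/stunnel.conf').read())` against your own file; an empty list means the four checks pass.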

Clients

Finally, time to grab a client. I have used XChat, EPIC4, and ChatZilla.

  apt-get install xchat

I went to the server list (Ctrl-S) and added my own server as localhost/8001, which is the stunnel port, not the plaintext IRC port. The SSL options are in the same dialog; I checked all of the following. This is also the place to add a password.

   * Use a proxy server
   * Use SSL for all servers on this network
   * Accept Invalid Certificates

For ChatZilla, the following command will work:

  /sslserver localhost 8001 password