Difference between revisions of "SSL"
m (→Importing the CA certificate) |
m (→Importing the CA certificate: Updated the certificate internal link) |
||
Line 52: | Line 52: | ||
# We can change/renew the certificate for as long as the CA hasn't expired. | # We can change/renew the certificate for as long as the CA hasn't expired. | ||
# Clients that support a strict SSL verification will now also automatically accept our certificates. This way you'll be informed if suddenly something changes about the certificate. | # Clients that support a strict SSL verification will now also automatically accept our certificates. This way you'll be informed if suddenly something changes about the certificate. | ||
− | You can [[#CA_download|Download the certificate]] which will link to a HTTPS link within our chat4all.org domain. | + | You can [[SSL_CA_import_instructions#CA_download|Download the certificate]] which will link to a HTTPS link within our chat4all.org domain. |
For details on how to import the CA into your IRC client, please read our separate [[SSL_CA_import_instructions|SSL CA Import instructions article]]. | For details on how to import the CA into your IRC client, please read our separate [[SSL_CA_import_instructions|SSL CA Import instructions article]]. |
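Review bot: on the changed line, the link text still reads "Download the certificate", but the new target `SSL_CA_import_instructions#CA_download` is a section of the import-instructions article, which the very next sentence also links to. Consider merging the two sentences, or rewording the link text so readers know they are being sent to that article's download section. While this line is being touched, "which will link to a HTTPS link" could be tightened to say that the download is served over HTTPS from the chat4all.org domain.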
Revision as of 23:57, 15 February 2012
SSL
SSL stands for Secure Sockets Layer. Short explanation: it's a more secure way of establishing a connection to a server.
It is based on encrypting all data traffic with an encryption key.
SSL only works if all involved parties support SSL connections, because otherwise one of the parties would not understand what was 'said' by the other. Since the Chat4All chat server supports SSL connections as of 2004, you can now also connect to us with an SSL-capable client on ports +6697 and +7001.
Benefits
In general, chatters would not really need SSL most of the time, unless they have the need for some extra privacy, or suspect that someone on their 'subnet' is eavesdropping, especially if it concerns exchanging passwords (for instance when logging into nickserv or chanserv).
With normal connections, anyone who has 'hacked' your computer, or is on the same subnet, can 'listen' to all packets that are sent over your network with utilities such as Ettercap and Ethereal and read them as plain text, which makes it possible to hijack your passwords and accounts.
Example result using Ethereal on a non-encrypted connection:
However, when someone is eavesdropping on your line while you use SSL, they will only be able to see the encrypted data, which will just look like gibberish to them, since they have no easy way to decrypt it.
Example result using Ethereal on an encrypted-SSL-connection:
mIRC description
Let's quote mIRC.com for some more detailed description:
«Why the need for secure connections? mIRC is used by many organizations that need to communicate over secure connections, everything from corporate to governmental. Various educational organizations that provide online teaching also require communications to be secure for privacy purposes. Apart from that, many individuals around the world also depend on secure communications, whether for political, business, or other reasons. At the end of the day, it really depends on your own personal needs. If it’s not something that you think you need, then you probably don’t!»
Howto
In this section we describe how to install OpenSSL support on your PC, how to set it up in your client, and how to connect to the SSL-capable ports on our server.
Installation for Windows
How to use SSL depends on the client you use: some IRC clients might not have SSL support at all, others depend on SSL libraries (such as OpenSSL) available in your operating system or in the program folder, and others have built-in SSL support. Since most people on our network seem to use mIRC, I'll explain what is needed to get mIRC working with SSL.
First download the latest release of mIRC, which at time of writing is 7.19, even though SSL was already added back in 6.14.
After that you need the OpenSSL libraries. It is best to install the latest version of OpenSSL. The SSL page on mIRC.com, for instance, usually offers a fairly recent OpenSSL installer; however, the recommended route is OpenSSL.org's binaries page, which links to site(s) that have semi-official installers.
On every Windows machine the Win32 OpenSSL Light Installer (v1.0.0.5) is a good recent option (at time of writing). The Windows 64-bit version on that same site however does not seem compatible with mIRC.
If you don't feel like installing, you can also just download a zip-file with version 1.0.0.3 of libeay32.dll and ssleay32.dll from FiXato's page.
The easiest option is to put the SSL libraries in the Windows System directory (C:\Windows\System32 on most systems), since other (supporting) applications will then also be able to use the OpenSSL libraries. The Windows installer already offers the option to have the libraries copied there automatically. If you only intend to use OpenSSL with mIRC, you can also just place the libeay32.dll and ssleay32.dll files in the mIRC program directory.
Pro-Tip: If you use mIRC as a portable app (taking it with you on a USB memory stick for instance), it is also recommended to put a copy of the dll files in the mIRC program directory, since it will allow you to use mIRC with SSL on computers where OpenSSL isn't installed.
When you start mIRC after this, an extra tab or button marked 'SSL' will be available in the mIRC options, under the Connect category in the Options subcategory.
Importing the CA certificate
This step is optional, but recommended.
We have generated our own Certificate Authority (CA) certificate with which we sign our SSL certificates. This provides the following:
- You can be certain that the Chat4All staff has generated and signed the certificate being presented.
- IRC clients should fully accept the certificate since it no longer is a simple self-signed certificate.
- The certificate will no longer be rejected because it is signed by an unknown/untrusted Certificate Authority.
- The certificate will automatically be trusted because you trust the CA.
- We can change/renew the certificate for as long as the CA hasn't expired.
- Clients that support a strict SSL verification will now also automatically accept our certificates. This way you'll be informed if suddenly something changes about the certificate.
You can download the certificate through an HTTPS link within our chat4all.org domain.
For details on how to import the CA into your IRC client, please read our separate SSL CA Import instructions article. This includes instructions on how to include it into mIRC, weechat and possibly other clients.
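What importing the CA means for a strictly verifying client, as an added example that is not part of the original article: certificates signed by the CA are accepted, including a renewed one, while a plain self-signed certificate is rejected. It assumes the `openssl` command-line tool is installed; the CA name, host name and all files are constructed placeholders, not Chat4All's real certificates.

```shell
#!/bin/sh
# Constructed demo: every key and certificate is a throwaway file in a temp dir.
# "Demo IRC CA" and irc.example.test are placeholder names, not Chat4All's.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# The private CA: its ca.pem is the file users would import into their client.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo IRC CA" \
        -keyout "$demo_dir/ca.key" -out "$demo_dir/ca.pem" 2>/dev/null
}

# Issue a server certificate signed by the CA. $1 = file name, $2 = serial.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=irc.example.test" \
        -keyout "$demo_dir/$1.key" -out "$demo_dir/$1.csr" 2>/dev/null &&
    openssl x509 -req -in "$demo_dir/$1.csr" -days 7 -set_serial "$2" \
        -CA "$demo_dir/ca.pem" -CAkey "$demo_dir/ca.key" \
        -out "$demo_dir/$1.pem" 2>/dev/null
}

# A plain self-signed server certificate that the CA never signed.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 7 \
        -subj "/CN=irc.example.test" \
        -keyout "$demo_dir/self.key" -out "$demo_dir/self.pem" 2>/dev/null
}

# Strict verification: succeeds only if $1.pem chains to the imported CA.
trusted_by_ca() {
    openssl verify -CAfile "$demo_dir/ca.pem" "$demo_dir/$1.pem" >/dev/null 2>&1
}

# SHA-256 fingerprint of $1.pem, to show that a renewal changes the certificate.
fingerprint() {
    openssl x509 -in "$demo_dir/$1.pem" -noout -fingerprint -sha256
}

make_ca && issue_cert server_v1 1 && issue_cert server_v2 2 && make_self_signed
for cert in server_v1 server_v2 self; do
    if trusted_by_ca "$cert"; then echo "$cert: accepted"
    else echo "$cert: rejected"; fi
done
```

The two CA-signed certificates have different fingerprints, so a client that had pinned the first server certificate would need re-pinning after a renewal, whereas a client that trusts the CA accepts both.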
Connect
You can now connect to our server over an SSL connection in one of two ways.
The first is by the direct command:
/server irc.chat4all.net +7001
This will connect to our server at port 7001 (don't forget the + sign though, since it indicates that this is an SSL port).
The second way is to edit the server information.
From the File-menu, you should select the Select Server (alt-e) option, which will open the mIRC Options at the Select Server tab.
There, select the Chat4All server from the server list (or add it yourself with the ADD button), and hit the Edit button.
It will probably read something like on the screenshot at http://chat4all.fixato.net/resources/wiki/mIRC-Chat4All-SSL_Server_Settings.jpg although the exact names and ports listed might be a little different.
Now you can edit the port-range to either also include the +7001 port, or just replace all of the ports listed there with +7001 (again, don't forget the plus-sign).
Alternatively, instead of editing, you can add a new server listing, which you can name something like Chat4All_ServerSSL and which will have just the +7001 port and the same group name as your regular Chat4All connection.
When finished adding or editing, hit the Connect button to connect to the server :)
Extras
When you are connected using an SSL connection, you can join channels that have the channelmode +z.
If a channel has the channelmode +z, it means that only people using an SSL connection can join that channel.
A channel owner can set their room to +z with
/mode #replaceWithYourChannelname +z
This currently can only be set while there are no non-SSL users left in the channel. This is something that will change in an upcoming server-update though, with the addition of the channelmode +Z.
A new mode is now available to SSL users: usermode +Z.
This will block all queries (private messages) from non-SSL users.
This mode can be enabled using
/mode replaceWithYourNickname +Z
You will also receive the usermode +z, which means you are on an SSL connection.