Difference between revisions of "SSL"

From Chat4AllFAQ
(Adding CA import info for mIRC)
(Importing the CA certificate (optional, but quite recommended))
Line 38: Line 38:
 
Firstly, download the CA certificate from our website: [http://www.chat4all.net/]<br />
 
Firstly, download the CA certificate from our website: [http://www.chat4all.net/]<br />
 
Place the file somewhere; it doesn't necessarily matter where. 'My Documents' or the mIRC directory are good options<br />
 
Place the file somewhere; it doesn't necessarily matter where. 'My Documents' or the mIRC directory are good options<br />
 +
 +
'''NOTE''': If you have CAs from other networks (like Freenode), you can append it to the existing file (and skip the remainder of these instructions, unless you need a refresher on where this file is located; the trusted authorities button has the path in it) by opening that file in Notepad and copy/pasting the contents of our CA file (on a new line) into that file, then saving.  Again, a reload of mIRC should '''not''' be necessary.
 +
 
Within mIRC, go to: ''Tools'' > ''Options'', then in the left list navigate to ''Connect'' > ''Options''.<br />
 
Within mIRC, go to: ''Tools'' > ''Options'', then in the left list navigate to ''Connect'' > ''Options''.<br />
 
Provided you have installed SSL as described above, there should be an SSL button here. Click that, then click on the empty button under 'Trusted authorities file'.  Select the file you downloaded, and you are done. A reload of mIRC is not required; you should be able to connect as described below.
 
Provided you have installed SSL as described above, there should be an SSL button here. Click that, then click on the empty button under 'Trusted authorities file'.  Select the file you downloaded, and you are done. A reload of mIRC is not required; you should be able to connect as described below.
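Review bot: The added NOTE ends with "Again, a reload of mIRC should not be necessary", but it is inserted above the paragraph that first says a reload is not required, so "Again" refers to nothing the reader has seen yet; move the NOTE below the "Provided you have installed SSL…" paragraph or drop "Again". The single sentence with the long parenthetical about skipping the remaining instructions is also hard to follow, and "append it" does not say that it is the Chat4All CA being added to the other network's file; splitting it into two or three sentences would fix both. Separately, the unchanged context line links the CA download over plain http://, which is worth switching to an https link if the site offers one, since that file becomes the trust anchor.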

Revision as of 16:18, 27 September 2010

SSL

SSL stands for Secure Sockets Layer. Short explanation: it's a more secure way of establishing a connection to a server.
It is based on encrypting all data traffic with an encryption key.
SSL only works if all involved parties support SSL connections, because otherwise one party would not understand what was 'said' by the other. Since the Chat4All chat server has supported SSL connections since 2004, you can also connect to us with an SSL-capable client on port +7001.

Benefits

In general, chatters would not really need SSL most of the time, unless they have the need for some extra privacy, or suspect that someone on their 'subnet' is eavesdropping, especially if it concerns exchanging passwords (for instance when logging into nickserv or chanserv).

With normal connections, anyone who has 'hacked' your computer, or is on the same subnet, can 'listen' to all packets that are sent over your line in your network with utilities such as Ettercap and Ethereal, and read them as the plain text that is sent over it; this gives them the possibility to hijack your passwords and accounts.
Example result using Ethereal on a non-encrypted connection:
[Image: Ssl_unencrypted.png]

However, when someone is eavesdropping on your line while you use SSL, they will only be able to see the encrypted data, which will just look like mumbo jumbo to them, since they have no easy way to decrypt it.
Example result using Ethereal on an SSL-encrypted connection:
[Image: Ssl_encrypted.png]

mIRC description

Let's quote mIRC.com for some more detailed description:

«Why the need for secure connections? mIRC is used by many organizations that need to communicate over secure connections, everything from corporate to governmental. Various educational organizations that provide online teaching also require communications to be secure for privacy purposes. Apart from that, many individuals around the world also depend on secure communications, whether for political, business, or other reasons. At the end of the day, it really depends on your own personal needs. If it’s not something that you think you need, then you probably don’t!»

Howto

In this section we describe how to install OpenSSL support on your PC, set it up in your client, and connect to the SSL-capable port on our server.

Install

How to use SSL depends on the client you use.
Since most people on our network seem to use mIRC, I'll explain what is needed to get mIRC working with SSL.
First download the latest release of mIRC, which at the time of writing is 6.16.
You also need the OpenSSL libraries libeay32.dll and ssleay32.dll.
You can get them either by installing OpenSSL from http://www.shininglightpro.com/products/Win32OpenSSL.html or by getting the two needed loose DLL files from: [My Chat4All Page]
Then place the two DLL files from the archive in your Windows\System32 directory if you want them globally available to all applications that support SSL, or in your mIRC directory (probably c:\program files\mIRC\) if you want them available just to mIRC.
When you now (re)start mIRC, an extra tab with SSL information should appear under Connect > Options.

Importing the CA certificate (optional, but quite recommended)

We have generated our own CA certificate for the SSL certificates. This provides 2 things:

  1. You can be certain that the Chat4All staff ourselves have generated and signed the certificate being presented
  2. mIRC (and other clients) will fully accept the certificate, so you will receive no prompts about it and can leave a strict check on for certificates (which will alert you if anything were to happen, such as the certificate expiring)

For the same reason as above, we will describe how to import this CA into mIRC here. Firstly, download the CA certificate from our website: [1]
Place the file somewhere; it doesn't necessarily matter where. 'My Documents' or the mIRC directory are good options.

NOTE: If you have CAs from other networks (like Freenode), you can append it to the existing file (and skip the remainder of these instructions, unless you need a refresher on where this file is located; the trusted authorities button has the path in it) by opening that file in Notepad and copy/pasting the contents of our CA file (on a new line) into that file, then saving. Again, a reload of mIRC should not be necessary.

Within mIRC, go to: Tools > Options, then in the left list navigate to Connect > Options.
Provided you have installed SSL as described above, there should be an SSL button here. Click that, then click on the empty button under 'Trusted authorities file'. Select the file you downloaded, and you are done. A reload of mIRC is not required; you should be able to connect as described below.
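The NOTE above describes appending one network's CA to an existing trusted authorities file by hand. The following added example (not part of the original page or of mIRC) does the same merge in Python while guarding against the usual copy/paste failures: a missing line break between blocks, a truncated block, and a duplicate entry. The sample blocks are constructed placeholder bytes, not real certificates, and the function names are hypothetical.

```python
import base64
import hashlib
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
PEM_RE = re.compile(re.escape(BEGIN) + r"\s*(.*?)\s*" + re.escape(END), re.DOTALL)

def pem_blocks(text):
    """Return the decoded bytes of every certificate block in a PEM bundle."""
    bodies = PEM_RE.findall(text)
    if text.count(BEGIN) != len(bodies):
        raise ValueError("truncated certificate block (BEGIN without END)")
    # validate=True rejects stray characters left behind by a bad copy/paste
    return [base64.b64decode("".join(b.split()), validate=True) for b in bodies]

def to_pem(der):
    """Re-encode bytes as a PEM block with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return BEGIN + "\n" + "\n".join(lines) + "\n" + END + "\n"

def merge_bundles(existing, new_ca):
    """Append the certificates in new_ca to existing, skipping duplicates.
    Returns (merged_text, sha256_fingerprints_of_added_blocks)."""
    seen = {hashlib.sha256(d).hexdigest() for d in pem_blocks(existing)}
    incoming = pem_blocks(new_ca)
    if not incoming:
        raise ValueError("no certificate block found in the new CA file")
    # The new block must start on its own line, as the NOTE says.
    merged = existing if existing.endswith("\n") or not existing else existing + "\n"
    added = []
    for der in incoming:
        fp = hashlib.sha256(der).hexdigest()
        if fp not in seen:
            merged += to_pem(der)
            seen.add(fp)
            added.append(fp)
    return merged, added

# Constructed placeholder blocks (arbitrary bytes, not real X.509 certificates).
OTHER_NET_CA = to_pem(b"constructed other-network CA " * 5)
CHAT4ALL_CA = to_pem(b"constructed Chat4All CA " * 5)
```

Write the returned text back to the file that mIRC's 'Trusted authorities file' button points at.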

Connect

You can now connect to our server over an SSL connection in one of two ways.
The first is by the direct command:

 /server irc.chat4all.net +7001

This will connect to our server at port 7001 (don't forget the + sign though, since that indicates it is an SSL port).

The second way is to edit the server information.
From the File-menu, you should select the Select Server (alt-e) option, which will open the mIRC Options at the Select Server tab.
There, select the Chat4All server from the server list (or add it yourself with the ADD button), and hit the Edit button.
It will probably read something like:
http://www.fixato.co.uk/projects/tutorials/images/performB2.png
although the exact names and ports listed might be a little different.
Now you can edit the port range to either also include the +7001 port, or just replace all of the ports listed there with +7001 (again, don't forget the plus sign).
Another way, instead of editing, is to add a new server listing, which you can name something like Chat4All_ServerSSL and which will have just the +7001 port and the same group name as your regular Chat4All connection.
When finished adding or editing, hit the Connect button to connect to the server :)

Extras

When you are connected using an SSL connection, you can join channels that have the channelmode +z.
If a channel has the channelmode +z, it means that only people using an SSL connection can join that channel.
A channel owner can set their room to +z (when no non-SSL-connected users are in the channel) with

 /mode #channel +z

A new mode is now available to SSL users: usermode +Z.
This will block all queries (private messages) from non-SSL users. This mode can be enabled using

 /mode yourusername +Z

You will also receive the usermode +z, which means you are on an SSL connection.

Changelog

  1. 16:12, 25 January 2006 (CET) by FiXato (Initial write based on Rafe`s article on his blog.)
  2. 17:23, 25 January 2006 (CET) by FiXato
  3. 12:38, 11 November 2009 (UTC) by Unknown_Entity (Added Extra's about channelmode +z and usermode +Z)
  4. Last modified: 12:47, 11 November 2009 (UTC) by FiXato (Added proper screenshots and Changelog block)