
Re: SSL patch for 2.11 ircd



> So this mean you need an other port to be able to use SSL?

A port can be configured for clients with SSL and without SSL
by not specifying any ('N' or 'O') flag.
That means each time a client connects an SSL handshake will be
tried, and if that fails it will "fall back" to a non-SSL connection.

> Why don't you use something as STARTTLS to initiate an ssl
> connection?  I really have no idea what other clients/servers do.

Yeah, TLS is nice because you can start a secure connection later
(vs. SSL, where that happens immediately, if I correctly understand
the terminology).
I also thought about STARTTLS and STOPTLS commands already, but that
was just an idea for a later version of a TLS patch; first
SSL has to work fine.

I doubt IRC clients actually support TLS, however,
and that you have to do /quote STARTTLS is the smallest
problem, I guess.

> It doesn't mention anything about servers or C/N lines.  Can you
> let server authenticate using a certificate instead of a
> password?

That C/N stuff is left from the old +sd patch.
It basically checks X509 certificates when connecting -
I just changed that strcmp() to match() so it will also
work with hostmasking. CN should be the servername as used on
IRC. In addition to that, passwords can be used.

> Can I connect on a normal connection and still authenticate to
> become oper?  Like use a STARTTLS after I'm already connected.
> And maybe even stop the ssl some point later, and then no
> longer be an oper?

No, not yet.
But you can use SSL all the time and reconnect when you don't wish
to use it :)

Greetings,
Grega "fiction" Pogacnik
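Two pieces of the behaviour described in the message above, as an added example that is not code from the 2.11 ircd SSL patch or from anyone in this thread: a shared SSL/non-SSL port that looks at the first bytes a client sends before deciding whether to start a handshake (a real server would read them with recv(..., MSG_PEEK) so nothing is consumed), and the hostmask-capable match() that replaces strcmp() when a server certificate's CN is compared with the configured server name. The enum, function names and all sample inputs are assumptions made for this example. One caveat worth keeping in mind with the auto-detect design: the server cannot tell a client that never attempted SSL from one whose handshake an active attacker stripped, so the fallback gives no guarantee on the server side; a client that wants SSL has to refuse to fall back itself. Likewise a CN mask such as *.example.org lets any certificate issued under that domain link as a server, which is why pairing it with the link password is sensible.

```c
/* Added example, not code from the 2.11 ircd SSL patch discussed above.
 *  1. classify_first_bytes(): decide from the first bytes a client sends
 *     whether to hand the socket to the TLS layer or the plain IRC parser.
 *  2. match(): IRC-style wildcard comparison, used to check a certificate
 *     CN against a configured server name or hostmask instead of strcmp().
 * All sample inputs in main() are constructed for this example. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum conn_kind { CONN_UNKNOWN, CONN_PLAIN_IRC, CONN_TLS, CONN_SSLV2 };

/* Case-insensitive test that the n-byte buffer s starts with prefix. */
static int ci_prefix(const unsigned char *s, size_t n, const char *prefix)
{
    size_t i, plen = strlen(prefix);
    if (n < plen)
        return 0;
    for (i = 0; i < plen; i++)
        if (tolower(s[i]) != tolower((unsigned char)prefix[i]))
            return 0;
    return 1;
}

/* Peek-based classification: needs at least 5 bytes to decide.
 * A real server would fill buf with recv(fd, buf, sizeof buf, MSG_PEEK). */
enum conn_kind classify_first_bytes(const unsigned char *buf, size_t n)
{
    static const char *const irc_cmds[] =
        { "NICK ", "USER ", "PASS ", "CAP ", "SERVER ", "PING " };
    size_t i;

    if (n < 5)
        return CONN_UNKNOWN;

    /* TLS record layer: content type 0x16 (handshake), version 3.x */
    if (buf[0] == 0x16 && buf[1] == 0x03 && buf[2] <= 0x04)
        return CONN_TLS;

    /* SSLv2 CLIENT-HELLO: 2-byte length with the high bit set, then
     * message type 1 and a version field (0x00 0x02 or 0x03 0x0x) */
    if ((buf[0] & 0x80) && buf[2] == 0x01 && (buf[3] == 0x00 || buf[3] == 0x03))
        return CONN_SSLV2;

    /* Plain IRC: printable ASCII starting with a command a fresh client sends */
    for (i = 0; i < n; i++)
        if (buf[i] > 0x7e || (buf[i] < 0x20 && buf[i] != '\r' && buf[i] != '\n'))
            return CONN_UNKNOWN;
    for (i = 0; i < sizeof irc_cmds / sizeof irc_cmds[0]; i++)
        if (ci_prefix(buf, n, irc_cmds[i]))
            return CONN_PLAIN_IRC;

    return CONN_UNKNOWN;
}

/* IRC-style wildcard match: '*' matches any run, '?' exactly one character,
 * letters compare case-insensitively. Returns 1 on match, 0 otherwise. */
int match(const char *mask, const char *name)
{
    const char *star_mask = NULL, *star_name = NULL;

    while (*name) {
        if (*mask == '*') {
            star_mask = ++mask;      /* remember where to resume on mismatch */
            star_name = name;
            if (*mask == '\0')
                return 1;
        } else if (*mask == '?' ||
                   tolower((unsigned char)*mask) == tolower((unsigned char)*name)) {
            mask++;
            name++;
        } else if (star_mask) {
            mask = star_mask;        /* let the last '*' eat one more character */
            name = ++star_name;
        } else {
            return 0;
        }
    }
    while (*mask == '*')
        mask++;
    return *mask == '\0';
}

/* Server link check: the certificate CN must match the configured name
 * for this link, which may be a hostmask (mask first, name second). */
int cert_cn_matches(const char *cert_cn, const char *configured_name)
{
    return match(configured_name, cert_cn);
}

int main(void)
{
    /* Constructed sample first-bytes of four different connections */
    static const unsigned char tls_hello[]  = { 0x16, 0x03, 0x01, 0x00, 0xc8, 0x01 };
    static const unsigned char ssl2_hello[] = { 0x80, 0x2e, 0x01, 0x00, 0x02, 0x00 };
    static const unsigned char plain_irc[]  = "NICK fiction\r\nUSER fiction 0 * :Grega\r\n";
    static const unsigned char garbage[]    = { 0x00, 0x01, 0x02, 0x03, 0x04 };
    static const char *const names[] = { "unknown", "plain IRC", "TLS", "SSLv2" };

    printf("tls_hello  -> %s\n", names[classify_first_bytes(tls_hello, sizeof tls_hello)]);
    printf("ssl2_hello -> %s\n", names[classify_first_bytes(ssl2_hello, sizeof ssl2_hello)]);
    printf("plain_irc  -> %s\n", names[classify_first_bytes(plain_irc, sizeof plain_irc - 1)]);
    printf("garbage    -> %s\n", names[classify_first_bytes(garbage, sizeof garbage)]);
    printf("CN irc.example.org vs *.example.org -> %d\n",
           cert_cn_matches("irc.example.org", "*.example.org"));
    printf("CN irc.evil.org    vs *.example.org -> %d\n",
           cert_cn_matches("irc.evil.org", "*.example.org"));
    return 0;
}
```

The plain-IRC branch is deliberately strict: anything that is not a TLS or SSLv2 hello and does not start with a recognised command is left as unknown rather than silently treated as cleartext, so an odd first packet can be logged or dropped instead of being fed to the IRC parser.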