View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0006500 | unreal | ircd | public | 2025-02-26 20:14 | 2025-07-26 16:05 |
Reporter | rafaelgrether | Assigned To | syzop | ||
Priority | low | Severity | feature | Reproducibility | always |
Status | resolved | Resolution | fixed | ||
Product Version | 6.1.10 | ||||
Fixed in Version | 6.2.0-beta3 | ||||
Summary | 0006500: Improve set::best-practices adding only-tls-port directive. | ||||
Description |

Hey guys,

Today, nearly all IRC clients support TLS. Almost all types of communication nowadays run over a TLS tunnel, and using an insecure plaintext port doesn't seem to make much sense from a security standpoint.

So I suggest adding the directive only-tls-port (or another suggestive name) inside the set::best-practices block, to warn when a listen {} block doesn't have options { tls; } defined. I think that nowadays, the use of TLS should be a standard to be adopted.

Thinking about that, I also suggest leaving the listen{} on port 6667 commented out in the example.conf.

Thanks!

Suggestive examples:

```
/* Standard IRC port 6667
 * Insecure plaintext - Not Recommended
 */
//listen {
//    ip *;
//    port 6667;
//}

set {
    best-practices {
        /* Warn when an oper::password is plaintext in the config (not hashed).
         * At a later time it may also warn about plaintext passwords elsewhere.
         */
        hashed-passwords yes;

        /* Warn when a listen {} block doesn't have options { tls; }
         * due to insecure plaintext.
         */
        only-tls-port yes;
    }
}
```
Tags | No tags attached. | ||||
3rd party modules | |||||
Will be in UnrealIRCd 6.2.0-beta3:

https://github.com/unrealircd/unrealircd/commit/d468473876a8163b2f3cb24bf5c44b58b3373248

commit d468473876a8163b2f3cb24bf5c44b58b3373248
Author: Bram Matthys <[email protected]>
Date: Sat Jul 26 14:43:41 2025 +0200

Add a comment about port 6667 in example.conf

```
/* Standard IRC port 6667:
 * Insecure plaintext (NOT for production servers)
 * This listen block is here only for quick testing.
 * Delete or comment out this listen block on production servers
 * and use TLS on port 6697 instead.
 */
```

Also throw it in translated example*conf's (in English), the translators can translate it.

And https://github.com/unrealircd/unrealircd/commit/990fe22e64d24ba7d6290dfa06019e7f3a23d6ab

commit 990fe22e64d24ba7d6290dfa06019e7f3a23d6ab (HEAD -> unreal60_dev, origin/unreal60_dev, origin/HEAD)
Author: Bram Matthys <[email protected]>
Date: Sat Jul 26 15:57:49 2025 +0200

Print a best practices message if any plaintext port is open (eg 6667).

Ports that listen on 127.0.0.1 or ::1 are ignored (useful for e.g. services)

Looks like this:

```
[info] You have at least one IRC plaintext port open (such as 5668). Nowadays, everyone should be using SSL/TLS (on port 6697). See https://www.unrealircd.org/docs/Use_TLS.
```

See that https://www.unrealircd.org/docs/Use_TLS for more info (feedback welcome)

All this is in addition to somewhat related 29ce0ce29ad7adf246650510490d8ed3290d3b48:

```
[info] Your SSL/TLS certificate is not issued by a trusted Certificate Authority.
[info] It is highly recommended to use a 'real certificate'. To get a free one, see: https://www.unrealircd.org/docs/Using_Let's_Encrypt_with_UnrealIRCd
```

If applicable, that message is printed first, the 6667 one comes after ;)

Suggested in https://bugs.unrealircd.org/view.php?id=6500 and numerous times / discussions on IRC over the past years

It's finally time.. no.. it's overdue..

(sorry I now see I posted the bug item link in the commit but not your name, ah well)
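The same rule can be applied offline to a config file before it is deployed. The following is an added example, not UnrealIRCd's code and not part of the issue or the commits: it flags every listen block without options { tls; } and ignores 127.0.0.1 and ::1, as the commit message describes. The function names and the sample config are constructed for illustration, and it assumes plain `ip`/`port` directives and no braces inside quoted strings.

```python
import re

# Quoted strings are matched first so "https://..." is not read as a // comment.
_SKIP = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
LOOPBACK = {"127.0.0.1", "::1"}  # addresses the commit message says are ignored

def strip_comments(text):
    """Remove /* */, // and # comments, leaving quoted strings intact."""
    return _SKIP.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else " ", text)

def listen_blocks(text):
    """Yield the body of each listen { } block, following nested braces."""
    for m in re.finditer(r'(?<![\w-])listen\s*\{', text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield text[m.end():i - 1]

def directive(name, body):
    """Value of a simple 'name value;' directive, or None if absent."""
    m = re.search(r'(?<![\w-])%s\s+"?([^";\s]+)"?\s*;' % name, body)
    return m.group(1) if m else None

def plaintext_listeners(conf):
    """(ip, port) of each non-loopback listen block lacking options { tls; }."""
    findings = []
    for body in listen_blocks(strip_comments(conf)):
        ip, port = directive("ip", body), directive("port", body)
        # The lookbehind keeps "tls-options {" from being taken for "options {".
        opts = re.search(r'(?<![\w-])options\s*\{([^}]*)\}', body)
        has_tls = bool(opts and re.search(r'(?<![\w-])tls(?![\w-])', opts.group(1)))
        if ip and port and not has_tls and ip not in LOOPBACK:
            findings.append((ip, port))
    return findings

# Constructed sample config (documentation addresses, not a real server).
SAMPLE = """
listen { ip *; port 6697; options { tls; } }
listen { ip *; port 6667; }
listen { ip 127.0.0.1; port 6668; }   // loopback plaintext, e.g. for services
//listen { ip *; port 6669; }
listen { ip ::1; port 7000; options { serversonly; } }
listen { ip 192.0.2.10; port 8067; options { clientsonly; } }
"""

if __name__ == "__main__":
    for ip, port in plaintext_listeners(SAMPLE):
        print(f"plaintext listener on {ip}:{port}")
```

A block whose options contain other flags but not `tls` is still reported, and a commented-out listen block is not.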
Date Modified | Username | Field | Change |
---|---|---|---|
2025-02-26 20:14 | rafaelgrether | New Issue | |
2025-07-13 09:51 | syzop | Relationship added | related to 0006278 |
2025-07-26 16:05 | syzop | Assigned To | => syzop |
2025-07-26 16:05 | syzop | Status | new => resolved |
2025-07-26 16:05 | syzop | Resolution | open => fixed |
2025-07-26 16:05 | syzop | Note Added: 0023457 | |
2025-07-26 16:05 | syzop | Fixed in Version | => 6.2.0-beta3 |
2025-07-26 16:05 | syzop | Note Edited: 0023457 |