stunnel

On the premise "I need to do something utterly useless", today I enabled SSL on our IRC server. Since the Dancer IRCd can't do SSL (at least, as far as I know), I used stunnel to get it to work. The steps are fairly simple, though I did have to spend some time getting a correct config and SSL certificate. I'll detail the steps below. For your information, we're running FreeBSD as our IRC server.

  • First, create an SSL certificate. You can do so with the standard OpenSSL tools. I used the command:
    openssl req -x509 -newkey rsa:1024 -keyout key.pem -out req.pem

    I'm not exactly certain if this is the right command to create the document I need, since you need to manually combine those two files. Just do:

    cat key.pem > stunnel.pem; cat req.pem >> stunnel.pem

    Then edit the resulting file (stunnel.pem) and make an empty line between both the lines:

    -----END RSA PRIVATE KEY-----

    and

    -----BEGIN CERTIFICATE-----

    We're all set to go, now.

  • Now, create the stunnel.conf file. Mine looks like this; replace the values as you need them, though:

    cert = /usr/local/etc/stunnel/stunnel.pem
    chroot = /tmp/
    pid = /stunnel.pid
    setuid=stunnel
    setgid=stunnel
    client=no

    [ircssl]
    accept = 7000
    connect = irc.cidev.nl:6667

    If you're on a Linux host, you probably want to add as the final line:

    transparent = yes

    It'll try to give people their proper host. Not that it's really that important. The documentation tells me this only works on Linux, though.

  • Since I'm on FreeBSD and I want the tunnel to start on boot-up, I need to edit /etc/rc.conf. I add the lines:

    stunnel_enable="yes"
    stunnel_pidfile="/tmp/stunnel.pid"

    Don't forget to change the location of the pidfile!

  • Now, start stunnel with
    /usr/local/etc/rc.d/stunnel start
    and all should work well. You'll be asked for the password you entered when you created the certificate. This means, of course, that the next time you start the machine, you'll need to manually enter this command again to start stunnel. It's possible to put the password in a special file, but at the moment I'm too lazy to figure that out.

  • Connect to port 7000 with
    /sslserver irc.cidev.nl 7000
    from within your IRC client and all should be well. Of course, you'll get an SSL error, since the certificate is self-signed, but we don't really care about that :)

  • Done and done.
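The certificate and stunnel.pem steps above as one script, added here and not taken from the original post: it generates the key without a passphrase (so a boot-time start needs no prompt), writes the combined file with the empty line stunnel wants, and checks the result. The file names follow the post; rsa:2048, the -nodes/-days/-subj options and the CN are my choices, not the author's.

```sh
#!/bin/sh
# Builds the combined stunnel.pem described in the post: private key, one
# empty line, then the certificate. key.pem/req.pem/stunnel.pem follow the
# post; the CN is a constructed placeholder.

# Create an unencrypted key and self-signed certificate in one step
# (-nodes skips the passphrase, so stunnel can start at boot unattended).
gen_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=irc.example.invalid" -keyout "$1" -out "$2" 2>/dev/null
}

# Concatenate key and certificate with the blank separator line, readable
# only by the owner (the subshell keeps the umask change local).
combine_pem() {
  ( umask 077; { cat "$1"; echo; cat "$2"; } > "$3" )
}

# Check the result: key block, then an empty line, then a certificate
# block; no passphrase-protected key; no group/other permission bits.
check_pem() {
  f="$1"
  grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f" || return 1
  grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || return 1
  grep -q 'ENCRYPTED' "$f" && return 1
  awk '
    /-----END .*PRIVATE KEY-----/ { want_blank = 1; next }
    want_blank == 1 { if ($0 != "") bad = 1; want_blank = 0 }
    /-----BEGIN CERTIFICATE-----/ { seen_cert = 1 }
    END { exit (bad || !seen_cert) ? 1 : 0 }
  ' "$f" || return 1
  [ "$(ls -l "$f" | cut -c5-10)" = "------" ] || return 1
  return 0
}

# Stand-alone use: sh build_stunnel_pem.sh build
if [ "${1-}" = "build" ]; then
  gen_cert key.pem req.pem && combine_pem key.pem req.pem stunnel.pem \
    && check_pem stunnel.pem && echo "stunnel.pem OK"
fi
```

check_pem fails on a plain `cat key.pem req.pem` (no empty line) and on a key that was written with a passphrase, the two mistakes the post's manual steps are prone to.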

Of course, you want to have stunnel working on the same box as the irc-server, since the connection from stunnel to the irc-server is unencrypted. But you knew that, right?
