">
<helpop key="sslinfo" title="/SSLINFO <nick>" value="
-Displays information on the SSL connection and certificate of the
+Displays information on the TLS (SSL) connection and certificate of the
target user.
">
(requires the services account module).
w Receives wallops messages.
x Gives a cloaked hostname (requires the cloaking module).
- z Only allow private messages from SSL users (requires the
- sslmodes module).
+ z Only allow private messages from TLS (SSL) users (requires
+ the sslmodes module).
B Marks as a bot (requires the botmode module).
D Privdeaf mode. User will not receive any private messages
or notices from users (requires the deaf module).
For example, +w o:R:Brain will op anyone identified
to the account 'Brain' on join.
(requires the autoop module)
- z Blocks non-SSL clients from joining the channel
+ z Blocks non-TLS (SSL) clients from joining the channel
(requires the sslmodes module).
A Allows anyone to invite users to the channel
gecosban module).
s:<server> Matches users on a matching server (requires the
serverban module).
- z:<certfp> Matches users having the given SSL certificate
+ z:<certfp> Matches users having the given TLS (SSL) certificate
fingerprint (requires the sslmodes module).
O:<opertype> Matches server operators of a matching type, mostly
useful as an invite exception (requires the
# to this bind section.
type="clients"
- # ssl: If you want the port(s) in this bind tag to use SSL, set this to
+ # ssl: If you want the port(s) in this bind tag to use TLS (SSL), set this to
# the name of a custom <sslprofile> tag that you have defined or one
# of "openssl", "gnutls", "mbedtls" if you have not defined any. See the
- # docs page for the SSL module you are using for more details.
+ # docs page for the TLS (SSL) module you are using for more details.
#
# You will need to load the ssl_openssl module for OpenSSL, ssl_gnutls
# for GnuTLS and ssl_mbedtls for mbedTLS.
# module).
#<bind address="" port="7002" type="clients" hook="websocket">
-# You can define a custom <sslprofile> tag which defines the SSL configuration
-# for this listener. See the docs page for the SSL module you are using for
+# You can define a custom <sslprofile> tag which defines the TLS (SSL) configuration
+# for this listener. See the docs page for the TLS (SSL) module you are using for
# more details.
#
-# Alternatively, you can use one of the default SSL profiles which are created
+# Alternatively, you can use one of the default TLS (SSL) profiles which are created
# when you have not defined any:
# "openssl" (requires the ssl_openssl module)
# "gnutls" (requires the ssl_gnutls module)
# Connect blocks are searched twice for each user - once when the TCP #
# connection is accepted, and once when the user completes their #
# registration. Most of the information (hostname, ident response, #
-# password, SSL when using STARTTLS, etc) is only available during #
-# the second search, so if you are trying to make a closed server, #
+# password, TLS (SSL) when using STARTTLS, etc) is only available #
+# during the second search. If you are trying to make a closed server #
# you will probably need a connect block just for user registration. #
# This can be done by using <connect registered="no"> #
# Requires the ident module to be loaded.
#requireident="yes"
- # requiressl: Require that users of this block use an SSL connection.
- # This can also be set to "trusted", as to only accept certificates
+ # requiressl: Require that users of this block use a TLS (SSL) connection.
+ # This can also be set to "trusted", as to only accept client certificates
# issued by a certificate authority that you can configure in the
- # settings of the SSL module that you're using.
+ # settings of the TLS (SSL) module that you're using.
# Requires the sslinfo module to be loaded.
#requiressl="yes"
# failover (see above).
timeout="5m"
- # ssl: If defined, this states the SSL profile that will be used when
+ # ssl: If defined, this states the TLS (SSL) profile that will be used when
# making an outbound connection to the server. Options are the name of an
# <sslprofile> tag that you have defined or one of "openssl", "gnutls",
- # "mbedtls" if you have not defined any. See the docs page for the SSL
+ # "mbedtls" if you have not defined any. See the docs page for the TLS (SSL)
# module you are using for more details.
#
# You will need to load the ssl_openssl module for OpenSSL, ssl_gnutls
ssl="gnutls"
# fingerprint: If defined, this option will force servers to be
- # authenticated using SSL certificate fingerprints. See
+ # authenticated using TLS (SSL) certificate fingerprints. See
# https://docs.inspircd.org/3/modules/spanningtree for more information.
- # This will require an SSL link for both inbound and outbound connections.
+ # This will require a TLS (SSL) link for both inbound and outbound connections.
#fingerprint=""
# bind: Local IP address to bind to.
# For example +w o:*!Attila@127.0.0.1 will op anyone matching that mask
# on join. This can be combined with extbans, for example +w o:R:Brain
# will op anyone identified to the account "Brain".
-# Another useful combination is with SSL client certificate
+# Another useful combination is with TLS (SSL) client certificate
# fingerprints: +w h:z:72db600734bb9546c1bdd02377bc21d2a9690d48 will
# give halfop to the user(s) having the given certificate.
#<module name="autoop">
# IRCv3 WebIRC specification at: https://ircv3.net/specs/extensions/webirc.html
#
# When using this method you must specify a wildcard mask or CIDR range
-# to allow gateway connections from and at least one of either a SSL
+# to allow gateway connections from and at least one of either a TLS (SSL)
# client certificate fingerprint for the gateway or a password to be
# sent in the WEBIRC command.
#
# You must define <sasl:target> to the name of your services server so
# that InspIRCd knows where to send SASL authentication messages and
# when it should enable the SASL capability.
-# You can also define <sasl:requiressl> to require users to use SSL in
-# order to be able to use SASL.
+# You can also define <sasl:requiressl> to require users to use TLS (SSL)
+# in order to be able to use SASL.
#<sasl target="services.mynetwork.com"
# requiressl="yes">
#<shun enabledcommands="ADMIN OPER PING PONG QUIT PART JOIN" notifyuser="yes" affectopers="no">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
-# SSL mode module: Adds support for SSL-only channels via the '+z'
-# channel mode, SSL-only private messages via the '+z' user mode and
-# the 'z:' extban which matches SSL client certificate fingerprints.
+# SSL mode module: Adds support for TLS (SSL)-only channels via the '+z'
+# channel mode, TLS (SSL)-only private messages via the '+z' user mode and
+# the 'z:' extban which matches TLS (SSL) client certificate fingerprints.
#
-# Does not do anything useful without a working SSL module and the
+# Does not do anything useful without a working TLS (SSL) module and the
# sslinfo module (see below).
#<module name="sslmodes">
#
#<sslmodes enableumode="yes">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
-# SSL rehash signal module: Allows the SSL modules to be rehashed by
+# SSL rehash signal module: Allows the TLS (SSL) modules to be rehashed by
# sending SIGUSR1 to a running InspIRCd process.
-# This modules is in extras. Re-run configure with:
+# This module is in extras. Re-run configure with:
# ./configure --enable-extras sslrehashsignal
# and run make install, then uncomment this module to enable it.
#<module name="sslrehashsignal">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
-# GnuTLS SSL module: Adds support for SSL/TLS connections using GnuTLS,
+# GnuTLS SSL module: Adds support for TLS (SSL) connections using GnuTLS,
# if enabled. You must answer 'yes' in ./configure when asked or
# manually symlink the source for this module from the directory
# src/modules/extra, if you want to enable this, or it will not load.
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# SSL info module: Allows users to retrieve information about other
-# users' peer SSL certificates and keys via the SSLINFO command.
+# users' peer TLS (SSL) certificates and keys via the SSLINFO command.
# This can be used by client scripts to validate users. For this to
# work, one of ssl_gnutls, ssl_mbedtls or ssl_openssl must be loaded.
# This module also adds the "<user> is using a secure connection"
-# and "<user> has client certificate fingerprint <fingerprint>"
-# WHOIS lines, the ability for opers to use SSL cert fingerprints to
-# verify their identity and the ability to force opers to use SSL
+# and "<user> has TLS (SSL) client certificate fingerprint <fingerprint>"
+# WHOIS lines, the ability for opers to use TLS (SSL) cert fingerprints to
+# verify their identity and the ability to force opers to use TLS (SSL)
# connections in order to oper up. It is highly recommended to load
-# this module if you use SSL on your network.
+# this module if you use TLS (SSL) on your network.
# For how to use the oper features, please see the first
# example <oper> tag in opers.conf.example.
#
#<module name="sslinfo">
#
-# If you want to prevent users from viewing SSL certificate information
+# If you want to prevent users from viewing TLS (SSL) certificate information
# and fingerprints of other users, set operonly to yes.
#<sslinfo operonly="no">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
-# mbedTLS SSL module: Adds support for SSL/TLS connections using mbedTLS.
+# mbedTLS TLS (SSL) module: Adds support for TLS (SSL) connections using mbedTLS.
#<module name="ssl_mbedtls">
#
#-#-#-#-#-#-#-#-#-#-#- MBEDTLS CONFIGURATION -#-#-#-#-#-#-#-#-#-#-#-#
# https://docs.inspircd.org/3/modules/ssl_mbedtls #
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
-# OpenSSL SSL module: Adds support for SSL/TLS connections using OpenSSL,
+# OpenSSL TLS (SSL) module: Adds support for TLS (SSL) connections using OpenSSL,
# if enabled. You must answer 'yes' in ./configure when asked or symlink
# the source for this module from the directory src/modules/extra, if
# you want to enable this, or it will not load.
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# StartTLS module: Implements STARTTLS, which allows clients #
-# connected to non SSL enabled ports to enable SSL, if a proper SSL #
-# module is loaded (either ssl_gnutls, ssl_mbedtls or ssl_openssl). #
+# connected to non TLS (SSL) enabled ports to enable TLS (SSL), if #
+# a proper TLS (SSL) module is loaded (either ssl_gnutls, #
+# ssl_mbedtls or ssl_openssl). #
#<module name="starttls">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# WebSocket module: Adds HTML5 WebSocket support.
# Specify hook="websocket" in a <bind> tag to make that port accept
-# WebSocket connections. Compatible with SSL/TLS.
+# WebSocket connections. Compatible with TLS (SSL).
# Requires SHA-1 hash support available in the sha1 module.
#<module name="websocket">
#
# a key fingerprint here. This can be obtained by using the /SSLINFO
# command while the module is loaded, and is also noticed on connect.
# This enhances security by verifying that the person opering up has
- # a matching SSL client certificate, which is very difficult to
+ # a matching TLS (SSL) client certificate, which is very difficult to
# forge (impossible unless preimage attacks on the hash exist).
# If the sslinfo module isn't loaded, this option will be ignored.
#fingerprint="67cb9dc013248a829bb2171ed11becd4"
- # autologin: If an SSL certificate fingerprint for this oper is specified,
+ # autologin: If a TLS (SSL) client certificate fingerprint for this oper is specified,
# you can have the oper block automatically log in. This moves all security
- # of the oper block to the protection of the client certificate, so be sure
+ # of the oper block to the protection of the TLS (SSL) client certificate, so be sure
# that the private key is well-protected! Requires the sslinfo module.
- #autologin="on"
+ #autologin="yes"
- # sslonly: If on, this oper can only oper up if they're using an SSL connection.
+ # sslonly: If enabled, this oper can only oper up if they're using a TLS (SSL) connection.
# Setting this option adds a decent bit of security. Highly recommended
# if the oper is on wifi, or specifically, unsecured wifi. Note that it
# is redundant to specify this option if you specify a fingerprint.
SERVICE_METADATA,
/** is a data processing provider (MD5, SQL) */
SERVICE_DATA,
- /** is an I/O hook provider (SSL) */
+ /** is an I/O hook provider */
SERVICE_IOHOOK,
/** Service managed by a module */
SERVICE_CUSTOM
/** Called on rehash.
* This method is called when a user initiates a module-specific rehash. This can be used to do
- * expensive operations (such as reloading SSL certificates) that are not executed on a normal
+ * expensive operations (such as reloading TLS (SSL) certificates) that are not executed on a normal
* rehash for efficiency. A rehash of this type does not reload the core configuration.
*
* @param user The user performing the rehash.
#include <string>
#include "iohook.h"
-/** ssl_cert is a class which abstracts SSL certificate
+/** ssl_cert is a class which abstracts TLS (SSL) certificate
* and key information.
*
* Because gnutls and openssl represent key information in
class SSLIOHook : public IOHook
{
protected:
- /** Peer SSL certificate, set by the SSL module
+ /** Peer TLS (SSL) certificate, set by the TLS (SSL) module
*/
reference<ssl_cert> certificate;
if ((sendq.size() <= 1) || (sendq.front().length() >= targetsize))
return;
- // Avoid multiple repeated SSL encryption invocations
+ // Avoid multiple repeated TLS (SSL) encryption invocations
// This adds a single copy of the queue, but avoids
// much more overhead in terms of system calls invoked
// by an IOHook.
/**
* Get the certificate sent by this peer
- * @return The SSL certificate sent by the peer, NULL if no cert was sent
+ * @return The TLS (SSL) certificate sent by the peer, NULL if no cert was sent
*/
virtual ssl_cert* GetCertificate() const
{
/**
* Get the fingerprint of the peer's certificate
- * @return The fingerprint of the SSL client certificate sent by the peer,
+ * @return The fingerprint of the TLS (SSL) client certificate sent by the peer,
* empty if no cert was sent
*/
virtual std::string GetFingerprint() const
virtual void GetCiphersuite(std::string& out) const = 0;
- /** Retrieves the name of the SSL connection which is sent via SNI.
+ /** Retrieves the name of the TLS (SSL) connection which is sent via SNI.
* @param out String that the server name will be appended to.
* returns True if the server name was retrieved; otherwise, false.
*/
virtual bool GetServerName(std::string& out) const = 0;
};
-/** Helper functions for obtaining SSL client certificates and key fingerprints
+/** Helper functions for obtaining TLS (SSL) client certificates and key fingerprints
* from StreamSockets
*/
class SSLClientCert
public:
/**
* Get the client certificate from a socket
- * @param sock The socket to get the certificate from, the socket does not have to use SSL
- * @return The SSL client certificate information, NULL if the peer is not using SSL
+ * @param sock The socket to get the certificate from, the socket does not have to use TLS (SSL)
+ * @return The TLS (SSL) client certificate information, NULL if the peer is not using TLS (SSL)
*/
static ssl_cert* GetCertificate(StreamSocket* sock)
{
/**
* Get the fingerprint of a client certificate from a socket
* @param sock The socket to get the certificate fingerprint from, the
- * socket does not have to use SSL
- * @return The key fingerprint from the SSL certificate sent by the peer,
- * empty if no cert was sent or the peer is not using SSL
+ * socket does not have to use TLS (SSL)
+ * @return The key fingerprint from the TLS (SSL) certificate sent by the peer,
+ * empty if no cert was sent or the peer is not using TLS (SSL)
*/
static std::string GetFingerprint(StreamSocket* sock)
{
{
}
- /** Get the SSL certificate of a user
+ /** Get the TLS (SSL) certificate of a user
* @param user The user whose certificate to get, user may be remote
- * @return The SSL certificate of the user or NULL if the user is not using SSL
+ * @return The TLS (SSL) certificate of the user or NULL if the user is not using TLS (SSL)
*/
virtual ssl_cert* GetCertificate(User* user) = 0;
- /** Set the SSL certificate of a user.
+ /** Set the TLS (SSL) certificate of a user.
* @param user The user whose certificate to set.
- * @param cert The SSL certificate to set for the user.
+ * @param cert The TLS (SSL) certificate to set for the user.
*/
virtual void SetCertificate(User* user, ssl_cert* cert) = 0;
/** Get the key fingerprint from a user's certificate
* @param user The user whose key fingerprint to get, user may be remote
- * @return The key fingerprint from the user's SSL certificate or an empty string
- * if the user is not using SSL or did not provide a client certificate
+ * @return The key fingerprint from the user's TLS (SSL) certificate or an empty string
+ * if the user is not using TLS (SSL) or did not provide a client certificate
*/
std::string GetFingerprint(User* user)
{
}
};
-/** API implemented by m_sslinfo that allows modules to retrive the SSL certificate
+/** API implemented by m_sslinfo that allows modules to retrive the TLS (SSL) certificate
* information of local and remote users. It can also be used to find out whether a
- * user is using SSL or not.
+ * user is using TLS (SSL) or not.
*/
class UserCertificateAPI : public dynamic_reference<UserCertificateAPIBase>
{
return rv % max;
}
-// This is overridden by a higher-quality algorithm when SSL support is loaded
+// This is overridden by a higher-quality algorithm when TLS (SSL) support is loaded
void InspIRCd::DefaultGenRandom(char* output, size_t max)
{
#if defined HAS_ARC4RANDOM_BUF
if (!provname.empty())
provname.insert(0, "ssl/");
- // SSL should be the last
+ // TLS (SSL) should be the last
iohookprovs.back().SetProvider(provname);
}
for (user_hash::const_iterator u = users.begin(); u != users.end(); )
{
User* user = u->second;
- // The module may quit the user (e.g. SSL mod unloading) and that will remove it from the container
+ // The module may quit the user (e.g. TLS (SSL) mod unloading) and that will remove it from the container
++u;
mod->OnCleanup(ExtensionItem::EXT_USER, user);
user->doUnhookExtensions(items);
}
CloseSession();
- sock->SetError("No SSL session");
+ sock->SetError("No TLS (SSL) session");
return -1;
}
{
// First, store all profiles in a new, temporary container. If no problems occur, swap the two
// containers; this way if something goes wrong we can go back and continue using the current profiles,
- // avoiding unpleasant situations where no new SSL connections are possible.
+ // avoiding unpleasant situations where no new TLS (SSL) connections are possible.
ProfileList newprofiles;
ConfigTagList tags = ServerInstance->Config->ConfTags("sslprofile");
}
catch (CoreException& ex)
{
- throw ModuleException("Error while initializing the default SSL profile - " + ex.GetReason());
+ throw ModuleException("Error while initializing the default TLS (SSL) profile - " + ex.GetReason());
}
}
}
catch (CoreException& ex)
{
- throw ModuleException("Error while initializing SSL profile \"" + name + "\" at " + tag->getTagLocation() + " - " + ex.GetReason());
+ throw ModuleException("Error while initializing TLS (SSL) profile \"" + name + "\" at " + tag->getTagLocation() + " - " + ex.GetReason());
}
newprofiles.push_back(prov);
try
{
ReadProfiles();
- ServerInstance->SNO->WriteToSnoMask('a', "SSL module %s rehashed.", MODNAME);
+ ServerInstance->SNO->WriteToSnoMask('a', "TLS (SSL) module GnuTLS rehashed.");
}
catch (ModuleException& ex)
{
if ((user) && (user->eh.GetModHook(this)))
{
- // User is using SSL, they're a local user, and they're using one of *our* SSL ports.
- // Potentially there could be multiple SSL modules loaded at once on different ports.
- ServerInstance->Users->QuitUser(user, "SSL module unloading");
+ // User is using TLS (SSL), they're a local user, and they're using one of *our* TLS (SSL) ports.
+ // Potentially there could be multiple TLS (SSL) modules loaded at once on different ports.
+ ServerInstance->Users->QuitUser(user, "GnuTLS module unloading");
}
}
}
}
CloseSession();
- sock->SetError("No SSL session");
+ sock->SetError("No TLS (SSL) session");
return -1;
}
{
// First, store all profiles in a new, temporary container. If no problems occur, swap the two
// containers; this way if something goes wrong we can go back and continue using the current profiles,
- // avoiding unpleasant situations where no new SSL connections are possible.
+ // avoiding unpleasant situations where no new TLS (SSL) connections are possible.
ProfileList newprofiles;
ConfigTagList tags = ServerInstance->Config->ConfTags("sslprofile");
}
catch (CoreException& ex)
{
- throw ModuleException("Error while initializing the default SSL profile - " + ex.GetReason());
+ throw ModuleException("Error while initializing the default TLS (SSL) profile - " + ex.GetReason());
}
}
}
catch (CoreException& ex)
{
- throw ModuleException("Error while initializing SSL profile \"" + name + "\" at " + tag->getTagLocation() + " - " + ex.GetReason());
+ throw ModuleException("Error while initializing TLS (SSL) profile \"" + name + "\" at " + tag->getTagLocation() + " - " + ex.GetReason());
}
newprofiles.push_back(prov);
try
{
ReadProfiles();
- ServerInstance->SNO->WriteToSnoMask('a', "SSL module %s rehashed.", MODNAME);
+ ServerInstance->SNO->WriteToSnoMask('a', "TLS (SSL) module mbedTLS rehashed.");
}
catch (ModuleException& ex)
{
LocalUser* user = IS_LOCAL(static_cast<User*>(item));
if ((user) && (user->eh.GetModHook(this)))
{
- // User is using SSL, they're a local user, and they're using our IOHook.
- // Potentially there could be multiple SSL modules loaded at once on different ports.
- ServerInstance->Users.QuitUser(user, "SSL module unloading");
+ // User is using TLS (SSL), they're a local user, and they're using our IOHook.
+ // Potentially there could be multiple TLS (SSL) modules loaded at once on different ports.
+ ServerInstance->Users.QuitUser(user, "mbedTLS module unloading");
}
}
X509_STORE* store = SSL_CTX_get_cert_store(ctx);
if (!store)
{
- throw ModuleException("Unable to get X509_STORE from SSL context; this should never happen");
+ throw ModuleException("Unable to get X509_STORE from TLS (SSL) context; this should never happen");
}
ERR_clear_error();
if (!X509_STORE_load_locations(store,
}
catch (OpenSSL::Exception& ex)
{
- throw ModuleException("Error while initializing the default SSL profile - " + ex.GetReason());
+ throw ModuleException("Error while initializing the default TLS (SSL) profile - " + ex.GetReason());
}
}
}
catch (CoreException& ex)
{
- throw ModuleException("Error while initializing SSL profile \"" + name + "\" at " + tag->getTagLocation() + " - " + ex.GetReason());
+ throw ModuleException("Error while initializing TLS (SSL) profile \"" + name + "\" at " + tag->getTagLocation() + " - " + ex.GetReason());
}
newprofiles.push_back(prov);
try
{
ReadProfiles();
- ServerInstance->SNO->WriteToSnoMask('a', "SSL module %s rehashed.", MODNAME);
+ ServerInstance->SNO->WriteToSnoMask('a', "TLS (SSL) module OpenSSL rehashed.");
}
catch (ModuleException& ex)
{
if ((user) && (user->eh.GetModHook(this)))
{
- // User is using SSL, they're a local user, and they're using one of *our* SSL ports.
- // Potentially there could be multiple SSL modules loaded at once on different ports.
- ServerInstance->Users->QuitUser(user, "SSL module unloading");
+ // User is using TLS (SSL), they're a local user, and they're using one of *our* TLS (SSL) ports.
+ // Potentially there could be multiple TLS (SSL) modules loaded at once on different ports.
+ ServerInstance->Users->QuitUser(user, "OpenSSL module unloading");
}
}
}
if (!signaled)
return;
- const std::string feedbackmsg = "Got SIGUSR1, reloading SSL credentials";
+ const std::string feedbackmsg = "Got SIGUSR1, reloading TLS (SSL) credentials";
ServerInstance->SNO->WriteGlobalSno('a', feedbackmsg);
ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, feedbackmsg);
if (!sslapi)
return true;
- // If the client is not connecting via SSL the rest of this TLV is irrelevant.
+ // If the client is not connecting via TLS (SSL) the rest of this TLV is irrelevant.
std::string& recvq = GetRecvQ();
if ((recvq[start_index] & PP2_CLIENT_SSL) == 0)
return true;
// Create a fake ssl_cert for the user. Ideally we should use the user's
- // SSL client certificate here but as of 2018-10-16 this is not forwarded
+ // TLS (SSL) client certificate here but as of 2018-10-16 this is not forwarded
// by HAProxy.
ssl_cert* cert = new ssl_cert;
- cert->error = "HAProxy does not forward client SSL certificates";
+ cert->error = "HAProxy does not forward client TLS (SSL) certificates";
cert->invalid = true;
cert->revoked = true;
cert->trusted = false;
private:
STSCap cap;
- // The IRCv3 STS specification requires that the server is listening using SSL using a valid certificate.
+ // The IRCv3 STS specification requires that the server is listening using TLS (SSL) using a valid certificate.
bool HasValidSSLPort(unsigned int port)
{
for (std::vector<ListenSocket*>::const_iterator iter = ServerInstance->ports.begin(); iter != ServerInstance->ports.end(); ++iter)
if (saport != port)
continue;
- // Is this listener using SSL?
+ // Is this listener using TLS (SSL)?
if (ls->bind_tag->getString("ssl").empty())
continue;
void SetCertificate(User* user, ssl_cert* cert) CXX11_OVERRIDE
{
- ServerInstance->Logs->Log(MODNAME, LOG_DEBUG, "Setting SSL certificate for %s: %s",
+ ServerInstance->Logs->Log(MODNAME, LOG_DEBUG, "Setting TLS (SSL) client certificate for %s: %s",
user->GetFullHost().c_str(), cert->GetMetaLine().c_str());
sslext.set(user, cert);
}
user->WriteNumeric(Numerics::NoSuchNick(parameters[0]));
return CMD_FAILURE;
}
+
bool operonlyfp = ServerInstance->Config->ConfValue("sslinfo")->getBool("operonly");
if (operonlyfp && !user->IsOper() && target != user)
{
- user->WriteNotice("*** You cannot view SSL certificate information for other users");
+ user->WriteNotice("*** You cannot view TLS (SSL) client certificate information for other users");
return CMD_FAILURE;
}
+
ssl_cert* cert = sslapi.GetCertificate(target);
if (!cert)
{
- user->WriteNotice("*** No SSL certificate for this user");
+ user->WriteNotice("*** No TLS (SSL) client certificate for this user");
}
else if (cert->GetError().length())
{
- user->WriteNotice("*** No SSL certificate information for this user (" + cert->GetError() + ").");
+ user->WriteNotice("*** No TLS (SSL) client certificate information for this user (" + cert->GetError() + ").");
}
else
{
whois.SendLine(RPL_WHOISSECURE, "is using a secure connection");
bool operonlyfp = ServerInstance->Config->ConfValue("sslinfo")->getBool("operonly");
if ((!operonlyfp || whois.IsSelfWhois() || whois.GetSource()->IsOper()) && !cert->fingerprint.empty())
- whois.SendLine(RPL_WHOISCERTFP, InspIRCd::Format("has client certificate fingerprint %s", cert->fingerprint.c_str()));
+ whois.SendLine(RPL_WHOISCERTFP, InspIRCd::Format("has TLS (SSL) client certificate fingerprint %s", cert->fingerprint.c_str()));
}
}
if (stdalgo::string::equalsci(requiressl, "trusted"))
{
ok = (cert && cert->IsCAVerified());
- ServerInstance->Logs->Log("CONNECTCLASS", LOG_DEBUG, "Class requires a trusted SSL cert. Client %s one.", (ok ? "has" : "does not have"));
+ ServerInstance->Logs->Log("CONNECTCLASS", LOG_DEBUG, "Class requires a trusted TLS (SSL) client certificate. Client %s one.", (ok ? "has" : "does not have"));
}
else if (myclass->config->getBool("requiressl"))
{
ok = (cert != NULL);
- ServerInstance->Logs->Log("CONNECTCLASS", LOG_DEBUG, "Class requires SSL. Client %s using SSL.", (ok ? "is" : "is not"));
+ ServerInstance->Logs->Log("CONNECTCLASS", LOG_DEBUG, "Class requires a secure connection. Client %s on a secure connection.", (ok ? "is" : "is not"));
}
if (!ok)
{
if (!API)
{
- source->WriteNumeric(ERR_ALLMUSTSSL, channel->name, "Unable to determine whether all members of the channel are connected via SSL");
+ source->WriteNumeric(ERR_ALLMUSTSSL, channel->name, "Unable to determine whether all members of the channel are connected via TLS (SSL)");
return MODEACTION_DENY;
}
if (nonssl)
{
- source->WriteNumeric(ERR_ALLMUSTSSL, channel->name, InspIRCd::Format("All members of the channel must be connected via SSL (%lu/%lu are non-SSL)",
+ source->WriteNumeric(ERR_ALLMUSTSSL, channel->name, InspIRCd::Format("All members of the channel must be connected via TLS (SSL) (%lu/%lu are non-TLS (SSL))",
nonssl, static_cast<unsigned long>(userlist.size())));
return MODEACTION_DENY;
}
{
if (!api)
{
- user->WriteNumeric(ERR_SECUREONLYCHAN, cname, "Cannot join channel; unable to determine if you are an SSL user (+z is set)");
+ user->WriteNumeric(ERR_SECUREONLYCHAN, cname, "Cannot join channel; unable to determine if you are a TLS (SSL) user (+z is set)");
return MOD_RES_DENY;
}
if (!api->GetCertificate(user))
{
- user->WriteNumeric(ERR_SECUREONLYCHAN, cname, "Cannot join channel; SSL users only (+z is set)");
+ user->WriteNumeric(ERR_SECUREONLYCHAN, cname, "Cannot join channel; TLS (SSL) users only (+z is set)");
return MOD_RES_DENY;
}
}
Version GetVersion() CXX11_OVERRIDE
{
- return Version("Adds channel mode z (sslonly) which prevents users who are not connecting using TLS (SSL) from joining the channel and user mode z (sslqueries) to prevent messages from non-SSL users.", VF_VENDOR);
+ return Version("Adds channel mode z (sslonly) which prevents users who are not connecting using TLS (SSL) from joining the channel and user mode z (sslqueries) to prevent messages from non-TLS (SSL) users.", VF_VENDOR);
}
};
user->WriteNumeric(RPL_STARTTLS, "STARTTLS successful, go ahead with TLS handshake");
/* We need to flush the write buffer prior to adding the IOHook,
- * otherwise we'll be sending this line inside the SSL session - which
+ * otherwise we'll be sending this line inside the TLS (SSL) session - which
* won't start its handshake until the client gets this line. Currently,
* we assume the write will not block here; this is usually safe, as
* STARTTLS is sent very early on in the registration phase, where the
projects / user / henk / code / inspircd.git / commitdiff