From 4316ae10b1f631b7434807a2a3998e9f8558b51e Mon Sep 17 00:00:00 2001 From: Sadie Powell Date: Tue, 16 Jun 2020 10:06:31 +0100 Subject: [PATCH] Implement a tool for testing SSL connectivity. --- make/template/inspircd-testssl.1 | 46 ++++++++ make/template/main.mk | 2 + tools/testssl | 173 +++++++++++++++++++++++++++++++ 3 files changed, 221 insertions(+) create mode 100644 make/template/inspircd-testssl.1 create mode 100755 tools/testssl diff --git a/make/template/inspircd-testssl.1 b/make/template/inspircd-testssl.1 new file mode 100644 index 000000000..4138c0e74 --- /dev/null +++ b/make/template/inspircd-testssl.1 @@ -0,0 +1,46 @@ +.\" +.\" InspIRCd -- Internet Relay Chat Daemon +.\" +.\" Copyright (C) 2020 Sadie Powell +.\" +.\" This file is part of InspIRCd. InspIRCd is free software: you can +.\" redistribute it and/or modify it under the terms of the GNU General Public +.\" License as published by the Free Software Foundation, version 2. +.\" +.\" This program is distributed in the hope that it will be useful, but WITHOUT +.\" ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +.\" FOR A PARTICULAR PURPOSE. See the GNU General Public License for more +.\" details. +.\" +.\" You should have received a copy of the GNU General Public License +.\" along with this program. If not, see . +.\" + + +.TH "InspIRCd" "1" "June 2020" "InspIRCd @VERSION_FULL@" "InspIRCd Manual" + +.SH "NAME" +\t\fBInspIRCd\fR - \fIthe\fR stable, high-performance and modular Internet Relay Chat Daemon +.BR + +.SH "SYNOPSIS" +\t\fBinspircd-testssl\fR [selfsigned] + +.SH "OPTIONS" +.TP +.B "hostip" +.br +The hostname or IP address to connect to. +.TP +.B "port" +.br +The TCP port to connect to. +.TP +.br +.B "selfsigned" +Disables checking whether the server certificate is signed by a Certificate Authority. + +.SH "SUPPORT" +IRC support for InspIRCd can be found at ircs://irc.inspircd.org/inspircd. + +Bug reports and feature requests can be filed at https://github.com/inspircd/inspircd/issues. diff --git a/make/template/main.mk b/make/template/main.mk index 380d57f27..a00f5557d 100644 --- a/make/template/main.mk +++ b/make/template/main.mk @@ -240,7 +240,9 @@ ifeq ($(SYSTEM), linux) endif -$(INSTALL) -g @GID@ -o @UID@ -m $(INSTMODE_TXT) @CONFIGURE_DIRECTORY@/inspircd.1 $(MANPATH) 2>/dev/null -$(INSTALL) -g @GID@ -o @UID@ -m $(INSTMODE_TXT) @CONFIGURE_DIRECTORY@/inspircd-genssl.1 $(MANPATH) 2>/dev/null + -$(INSTALL) -g @GID@ -o @UID@ -m $(INSTMODE_TXT) @CONFIGURE_DIRECTORY@/inspircd-testssl.1 $(MANPATH) 2>/dev/null -$(INSTALL) -g @GID@ -o @UID@ -m $(INSTMODE_BIN) tools/genssl $(BINPATH)/inspircd-genssl 2>/dev/null + -$(INSTALL) -g @GID@ -o @UID@ -m $(INSTMODE_BIN) tools/testssl $(BINPATH)/inspircd-testssl 2>/dev/null -$(INSTALL) -g @GID@ -o @UID@ -m $(INSTMODE_TXT) docs/conf/*.example $(EXAPATH) -$(INSTALL) -g @GID@ -o @UID@ -m $(INSTMODE_TXT) docs/conf/codepages/*.example $(EXAPATH)/codepages -$(INSTALL) -g @GID@ -o @UID@ -m $(INSTMODE_TXT) docs/conf/providers/*.example $(EXAPATH)/providers diff --git a/tools/testssl b/tools/testssl new file mode 100755 index 000000000..ece15984f --- /dev/null +++ b/tools/testssl @@ -0,0 +1,173 @@ +#!/usr/bin/env perl +# +# InspIRCd -- Internet Relay Chat Daemon +# +# Copyright (C) 2020 Sadie Powell +# +# This file is part of InspIRCd. InspIRCd is free software: you can +# redistribute it and/or modify it under the terms of the GNU General Public +# License as published by the Free Software Foundation, version 2. +# +# This program is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more +# details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + + +BEGIN { + require 5.10.0; +} + +use feature ':5.10'; +use strict; +use warnings FATAL => qw(all); + +use IO::Socket(); +use IO::Socket::SSL(); + +use constant { + CC_BOLD => -t STDOUT ? "\e[1m" : '', + CC_RESET => -t STDOUT ? "\e[0m" : '', + CC_GREEN => -t STDOUT ? "\e[1;32m" : '', + CC_RED => -t STDOUT ? "\e[1;31m" : '', +}; + +if (scalar @ARGV < 2) { + say STDERR "Usage: $0 [selfsigned]"; + exit 1; +} + +# By default STDOUT is only flushed at the end of each line. This sucks for our +# needs so we disable it. +STDOUT->autoflush(1); + +my $hostip = shift @ARGV; +if ($hostip =~ /[^A-Za-z0-9.:]/) { + say STDERR "Error: invalid hostname or IP address: $hostip"; + exit 1; +} + +my $port = shift @ARGV; +if ($port =~ /\D/ || $port < 1 || $port > 65535) { + say STDERR "Error: invalid TCP port: $port"; + exit 1; +} + +my $self_signed = shift // '' eq 'selfsigned'; + +print "Checking whether ${\CC_BOLD}$hostip/$port${\CC_RESET} is reachable ... "; +my $sock = IO::Socket::INET->new( + PeerAddr => $hostip, + PeerPort => $port, +); + +unless ($sock) { + say <<"EOM"; +${\CC_RED}no${\CC_RESET} + +It seems like the server endpoint you specified is not reachable! Make sure that: + + * You have specified a tag in your config for this endpoint. + * You have rehashed or restarted the server since adding the tag. + * If you are using a firewall incoming connections on TCP port $port are allowed. + * The endpoint your server is listening on is not local or private. + +See https://docs.inspircd.org/3/configuration/#ltbindgt for more information. +EOM + exit 1; +} + +say "${\CC_GREEN}yes${\CC_RESET}"; +print "Checking whether ${\CC_BOLD}$hostip/$port${\CC_RESET} is using plaintext ... "; +my $error = $sock->recv(my $data, 1); + +if ($error) { + say <<"EOM"; +${\CC_RED}error${\CC_RESET} + +It seems like the server dropped the connection before sending anything! Make sure that: + + * The endpoint you specified is actually your IRC server. + * If you are using a firewall incoming data on TCP port $port are allowed. + +See https://docs.inspircd.org/3/configuration/#ltbindgt for more information. +EOM + exit 1; +} elsif ($data =~ /[A-Z:@]/) { + say <<"EOM"; +${\CC_RED}yes${\CC_RESET} + +It appears that the server endpoint is using plaintext! Make sure that: + + * You have one or more of the following modules loaded: + - ssl_gnutls + - ssl_openssl + - ssl_mbedtls + + * If you have specified one or more tags then the value of + is the same as an field. Otherwise, it should + be set to "gnutls" for the ssl_gnutls module, "openssl" for the ssl_openssl + module, or "mbedtls" for the ssl_mbedtls module. + + * If you have specified the name of an in then the + value of is set to "gnutls" if using the ssl_gnutls + module, "openssl" if using the ssl_openssl module, or "mbedtls" if using + the ssl_mbedtls module. + + * If you have your SSL configuration in a file other than inspircd.conf then + that file is included by inspircd.conf. + +See the following links for more information: + + https://docs.inspircd.org/3/modules/ssl_gnutls/#configuration + https://docs.inspircd.org/3/modules/ssl_mbedtls/#configuration + https://docs.inspircd.org/3/modules/ssl_openssl/#configuration +EOM + exit 1; +} + +$sock->close(); +say "${\CC_GREEN}no${\CC_RESET}"; +print "Checking whether ${\CC_BOLD}$hostip/$port${\CC_RESET} can have an SSL session negotiated ... "; +$sock = IO::Socket::SSL->new( + PeerAddr => $hostip, + PeerPort => $port, + SSL_hostname => $hostip, + SSL_verify_mode => $self_signed ? IO::Socket::SSL::SSL_VERIFY_NONE : IO::Socket::SSL::SSL_VERIFY_PEER, +); + +unless ($sock) { + say <<"EOM"; +${\CC_RED}no${\CC_RESET} + +It appears that something is wrong with your server. Make sure that: + + - You are not using an old version of GnuTLS, mbedTLS, or OpenSSL which only + supports deprecated algorithms like SSLv3. + +The error provided by the SSL library was: + + $IO::Socket::SSL::SSL_ERROR +EOM + exit 1; +} + + +say <<"EOM"; +${\CC_GREEN}yes${\CC_RESET} + +It seems like SSL is working fine on your server. If you are having trouble +connecting try using a different client or connecting from a different host. + +You may also find running some of the following commands to be helpful: + + gnutls-cli-debug --port $port $hostip + openssl s_client -connect $hostip:$port -debug -security_debug + +If you need any help working out what is wrong then visit our support channel +at irc.inspircd.org #inspircd. +EOM -- 2.39.2