SSL IRC

Today's post is all about chatting. Chat applications are among the oldest and most used applications on the internet. One of the first mechanisms/protocols is the IRC message system. It is a lightweight protocol with a client/server architecture that lets clients communicate with each other: people run a client application like mIRC, Irssi, HexChat or something similar and connect to a server, which forwards the messages to each of the client peers. With the advent of social platforms like Twitter and Facebook, and of communication systems like Skype and others, the IRC protocol is becoming less and less used. One of the big criticisms was the lack of encryption in the protocol: the messages you send to the network are plain text in the IRC specification. Many started to use the social platforms as a way to chat, or big companies like Skype that also include video and voice chat. Between the convenience that other tools give us and the lack of security, IRC started being seen as an obsolete system, much like the old days of the telegraph. The truth is that the IRC protocol is still one of the best chat systems in existence.

Many will say that the IRC protocol doesn't scale. Yes, it does not scale. But do you need it to scale? Most people don't need to chat with every person in the world, so the need for scalability is not really relevant.

The most scalable systems are, usually, systems owned by big corporations that use massive distributed systems to process the massive number of messages produced by all the clients. In this case the client/server architecture becomes a complicated relationship between clients and clusters of clusters of machines. And with one big detail: usually this corporation controls all the information in the system. I don't like it. Personally I don't like an internet made of a few big companies controlling all of its traffic. I don't like it because with all this power comes big influence over the foundations of the internet. Big companies like Google, Facebook and the like use their enormous power to influence ISPs and governments, and in the end they are the gatekeepers of our liberty. I don't like this kind of gods. This is the reason why I usually don't like scalable chat systems: they are usually of this nature. I say usually because not all protocols are of this kind. Tox is an example of a messaging system that is p2p and that I really like. Nevertheless, for little communities IRC will serve as a good alternative. It has a big set of clients and it just works.

In this post the idea is to show how I set up SSL on my IRC server. I use IRC2 as my IRC server. Its native SSL support is a little bit cumbersome and I got tired of setting the server up with it, so I switched to stunnel, which is a proxy that accepts SSL connections on one TCP port and relays them, as plain TCP, to another. So in this setup we end up with

    TCP 6667: IRC server port (plain text, local)
    TCP 6697: stunnel server port (SSL, exposed to clients)

    |client| ---> |stunnel :6697| ---> |IRC server :6667|

a connection into 6697, which is the SSL port exposed by stunnel, that is proxied into 6667, the IRC server. Only 6697 needs to be reachable from the outside; the plain-text 6667 port should stay local to the machine.

To install stunnel you just need to run

    sudo apt-get install stunnel

Then you need to set up the service to forward traffic to the IRC server, in the stunnel configuration file (/etc/stunnel/stunnel.conf on Debian-based systems):

    ; Protocol version (all, SSLv2, SSLv3, TLSv1)
    ; Note: SSLv3 is obsolete and broken (POODLE); on a current stunnel
    ; build use TLSv1 or newer instead.
    sslVersion = SSLv3

    ; Some security enhancements for UNIX systems
    ; - comment them out on Win32
    chroot = /var/run/stunnel4/
    setuid = stunnel4
    setgid = stunnel4

    ; PID is created inside the chroot jail
    pid = /stunnel4.pid

    ; Some performance tunings
    socket = l:TCP_NODELAY=1
    socket = r:TCP_NODELAY=1
    ;compression = zlib

    ; Authentication stuff (client certificate verification, not used here)
    ;verify = 1

    ; Some debugging stuff useful for troubleshooting
    ;debug = 7
    output = /var/log/stunnel4/stunnel.log
    ; Use it for client mode
    ;client = yes


    ; Service-level configuration: accept SSL on 6697, relay to the IRC
    ; server listening in plain text on 6667
    [irc]
    cert = /etc/stunnel/stunnel.pem
    accept = 6697
    connect = 6667

If you notice, there is a stunnel.pem that doesn't exist yet. This is a self-signed certificate, with its private key in the same file (which is the layout stunnel expects), that you can generate with openssl like this:

    openssl req -new -x509 -days 365 -nodes -config /etc/ssl/openssl.cnf -out stunnel.pem -keyout stunnel.pem

Then you just need to start (or restart) the service. On Debian-based systems the init script also refuses to start until ENABLED=1 is set in /etc/default/stunnel4.

    sudo service stunnel4 start

However, this is not the end of the story. With a self-signed certificate there is no way for a client to trust the certificate it receives. To solve this problem you can extract the public part (the certificate only, without the private key; stunnel.pem itself must never be shared) and distribute it; clients can then use it to validate the certificate presented by the server:

    sudo openssl x509 -outform der -in stunnel.pem -out servercertificate.crt
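The certificate steps above (generating stunnel.pem and exporting the public certificate for clients), scripted as an added example that is not part of the original post. It adds the check a practitioner wants: that the distributed copy really validates the server certificate, and a SHA-256 fingerprint users can compare out of band. It assumes openssl is on PATH; the subject name and key size are made-up choices for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes openssl is installed.
set -eu

# Build stunnel.pem = private key followed by the self-signed certificate,
# the layout stunnel expects for "cert =". Key and cert are written to
# separate files first, so nothing depends on openssl handling the same
# filename for -keyout and -out. The subject name is a made-up example.
make_stunnel_pem() {
    out="$1"
    openssl req -new -x509 -days 365 -nodes -newkey rsa:2048 \
        -subj "/CN=irc.example.invalid" \
        -keyout "$out.key" -out "$out.crt" 2>/dev/null
    cat "$out.key" "$out.crt" > "$out"
    chmod 600 "$out" "$out.key"   # the private key must stay private
}

# Export only the public certificate (DER) for distribution to clients.
# openssl x509 ignores the PRIVATE KEY block and reads the CERTIFICATE.
export_client_cert() {
    openssl x509 -in "$1" -outform der -out "$2"
}

# SHA-256 fingerprint of a certificate (PEM or DER), for users to compare
# out of band with what their IRC client shows on first connect.
cert_fingerprint() {
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256 | cut -d= -f2
}

# Check that the distributed DER copy validates the server certificate:
# convert it back to PEM and use it as the only trust anchor.
verify_client_copy() {
    openssl x509 -in "$2" -inform der -out "$3"   # DER -> PEM trust anchor
    openssl x509 -in "$1" -out "$3.server"        # server cert without the key
    openssl verify -CAfile "$3" "$3.server" >/dev/null
}

# Stand-alone demo: run as "sh thisfile.sh demo".
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_stunnel_pem "$d/stunnel.pem"
    export_client_cert "$d/stunnel.pem" "$d/servercertificate.crt"
    echo "SHA-256 fingerprint: $(cert_fingerprint "$d/servercertificate.crt" der)"
    verify_client_copy "$d/stunnel.pem" "$d/servercertificate.crt" "$d/ca.pem" \
        && echo "distributed copy verifies the server certificate"
fi
```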

It is not so simple a solution. It's not as convenient as Facebook or Skype. But it gives you independence from these big companies and the certainty that your friends' conversations are not recorded by a big company that sells your data to governments and other big companies.

For those of you who are not tech guys I would advise, again, the use of Tox, which is the biggest real advance in messaging systems.