Link verification
When two IRC servers link, it is important not only that their passwords match but also that they verify each other's SSL/TLS certificate. Not doing so permits a man-in-the-middle attack.
Since 2017 we print a message on-link about this and it will become a hard error in UnrealIRCd 6.2.5 in 2026.
Verify by TLS key
Most users have a self-signed certificate. Then UnrealIRCd will show something like:
*** You may want to consider verifying this server link.
*** More information about this can be found on https://www.unrealircd.org/Link_verification
*** In short: in the configuration file, change the 'link testlink.test.net {' block to use this as a password:
*** password "AHMYBevUxXKU/S3pdBSjXP4zi4VOetYQQVJXoNYiBR0=" { spkifp; };
*** And follow the instructions on the other side of the link as well (which will be similar, but will use a different hash)
First of all, before you change anything, make sure you have captured the message above from BOTH sides of the link and have access to the configuration file on both sides of the link (or have a fellow administrator do it).
Let's first deal with the side of the link which output the above message.
Say you have a link block like this:
link testlink.test.net {
    incoming {
        mask *;
    };
    password "test";
    class servers;
};
Then change the password as instructed by the server to look like:
link testlink.test.net {
    incoming {
        mask *;
    };
    password "AHMYBevUxXKU/S3pdBSjXP4zi4VOetYQQVJXoNYiBR0=" { spkifp; }; // <--- MODIFIED
    class servers;
};
Be sure to use the exact password and syntax as instructed to you on IRC by the on-link message.
If you wonder what the AHMYBevUxXKU/S3pdBSjXP4zi4VOetYQQVJXoNYiBR0= is: it is a hash of the SSL public key from the other side of the link. Using it as a password helps you verify the link. It's more secure than using a simple password.
Repeat the procedure from above on the other side of the link, again following the instructions as output on THAT side. Note that the password will be different. This is normal.
Once all is done, /REHASH both servers, /SQUIT the server and see if you can link it in again with /CONNECT.
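An added example, not part of the UnrealIRCd documentation: it computes the hash described above from a certificate, so the value printed in the on-link notice can be checked against the certificate file on the other server. It assumes the spkifp value is the base64-encoded SHA-256 of the certificate's DER SubjectPublicKeyInfo; the function names and the skeleton sample certificate are constructed for illustration.

```python
import base64, hashlib, ssl

def read_tlv(buf, pos):
    """Parse one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def spki_der(cert_der):
    """Return the raw SubjectPublicKeyInfo element of an X.509 certificate."""
    _, pos, _ = read_tlv(cert_der, 0)       # Certificate ::= SEQUENCE
    _, pos, _ = read_tlv(cert_der, pos)     # tbsCertificate ::= SEQUENCE
    tag, _, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                         # optional [0] version field
        pos = end
    for _field in range(5):                 # serial, signature, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    tag, _, end = read_tlv(cert_der, pos)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo not found")
    return cert_der[pos:end]

def spkifp(cert_der):
    """base64(SHA-256(SubjectPublicKeyInfo)): assumed form of the { spkifp; } value."""
    return base64.b64encode(hashlib.sha256(spki_der(cert_der)).digest()).decode()

def spkifp_of_pem_file(path):
    """Fingerprint a single PEM certificate file, e.g. the other server's certificate."""
    with open(path) as f:
        return spkifp(ssl.PEM_cert_to_DER_cert(f.read()))

def tlv(tag, body):                         # short-form DER encoder, only for the sample
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

# Constructed sample: a skeleton certificate (empty issuer, validity, subject and
# signature) around an Ed25519-shaped key. Not a valid certificate.
SAMPLE_SPKI = tlv(0x30, tlv(0x30, tlv(0x06, b"\x2b\x65\x70")) + tlv(0x03, b"\x00" + bytes(range(32))))
EMPTY = tlv(0x30, b"")
SAMPLE_CERT = tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
                            + EMPTY * 4 + SAMPLE_SPKI) + EMPTY + tlv(0x03, b"\x00"))

if __name__ == "__main__":
    print(spkifp(SAMPLE_CERT))
```

Running `spkifp_of_pem_file` on the certificate file of the other server and comparing the result with the string in the on-link notice confirms that the notice was generated from that server's real key before the value goes into the link block.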
Turning it off
The warning/error can be turned off via link::options::no-certificate-check, e.g.:
link irc1.example.net {
    ...
    options { no-certificate-verification; };
};
Note that this is in link::options and not in link::outgoing::options.
Turning it off is generally A BAD IDEA. Note that TLS linking over localhost does not trigger this warning/error, so there is no need to turn it off in that case.