Difference between revisions of "SSL"

From MIXXnet Wiki

(Updated for server upgrades)
m (Added note about hash incompatibility between 1.0.0 and prior versions.)
 
(78 intermediate revisions by 38 users not shown)
Line 1: Line 1:
 
'''Secure Sockets Layer''' ('''SSL''') is a cryptographic protocol which provides secure communication on the Internet.
 
'''Secure Sockets Layer''' ('''SSL''') is a cryptographic protocol which provides secure communication on the Internet.
  
==Connection Information==
+
==General Information==
Users may connect to [[MIXXnet]] using any server that supports SSL. The default port is 6697 unless listed otherwise.
+
Users may connect to the [[MIXXnet|MIXXnet IRC network]] using any server on the network. '''The default port is 6697 unless listed otherwise'''.
  
You may download a copy of the CA certificate MIXXnet uses [http://www.mixxnet.net/ca-cert.pem here]. This file can be imported into some clients which allows for a "trusted" connection. It is not necessary for you to do this, but the option is available to you.
+
When you use SSL, you are establishing a secure connection between you and the server. As of February 11, 2006, MIXXnet operates with full SSL support including client-to-server connections and server-to-server links.
  
On December 23, 2005, MIXXnet introduced a new round-robin address for SSL connectivity. Users can now connect securely to a random MIXXnet server with SSL using the following address:
+
Users may download a copy of the CA certificate MIXXnet uses which can be imported into some clients to allow for a "trusted" connection. It is not necessary for you to do this, but the option is available to you. More information about installing MIXXnet's CA certificate can be found [[#CA_Certificate|here]].
  
'''irc.ssl.mixxnet.net''' (Port 6697)
+
==User & Channel Information==
 +
===Identification===
 +
To check to see if a user is using SSL, simply whois that user. A secured user's whois would look something like:
  
Please Note: This round-robin address for SSL enabled servers is provided as an easy means to connect to SSL servers. This pool of servers may '''NOT''' reflect the stability that our normal "irc.mixxnet.net" pool does. In other words, this is a beta service. Servers that are included in the "irc.ssl.mixxnet.net" pool are not load balanced or updated based on stability as the regular "irc.mixxnet.net" pool is.
+
  Chris is chris@staff.mixxnet.net * Chris
 +
Chris using [[anjuna.il.us.mixxnet.net]] Anjunabeats MIXXnet IRC Server
 +
'''Chris is using a Secure Connection'''
 +
Chirs End of /WHOIS list.
  
==Security Information==
+
This means that the user "Chris" is using SSL on anjuna.il.us.mixxnet.net.
When you use SSL, you are establishing a secure connection between '''you''' and '''the server'''. What some people do not realize is that when one '''server''' talks to another '''server''', they are talking on an unencrypted line. This means that if Alice (on an SSL server) sends a message to Bob (on a non-SSL server), the message is not secure. For it to be secure, Alice and Bob both need to have SSL connections on the same server. MIXXnet plans to have all connections between all servers SSL secured in the very near future.
+
  
==Servers==
+
===Channel Protection===
Currently, the following servers support SSL:
+
In a secure channel, all of the users must have SSL enabled for the channel to be secure. If one user isn't secure, then all the messages will go to that user unencrypted. '''SSL users and non-SSL users can co-exist on the same channel.''' If you wish to limit your channel to only people using SSL, you can set the channel mode +z (/mode #channel +z). The +z mode prevents non-SSL users from joining the channel. If a non-SSL user does try to join, (s)he will see this message:
*[[Anjuna]] (6697)
+
*[[Ausnix]] (6697)
+
*[[Blackdiamond]] (6697)
+
*[[Cerebrum]] (6697)
+
*[[Fluxed]] (6697)
+
*[[GNS]] (6697)
+
*[[Ninjutsu]] (6697)
+
*[[Rapier]] (6697)
+
  
==Links==
+
<nowiki>#channel unable to join channel (not using secure connection)</nowiki>
SSL needs to be enabled on all server-to-server links as explained in the section above. Below is a list of servers who have SSL enabled for server-to-server connections.
+
  
===Hub2.US===
+
==Client Setup==
*[[ausnix.qld.au.mixxnet.net]]
+
===XChat===
*[[anjuna.il.us.mixxnet.net]]
+
To use SSL in [[XChat]], click '''XChat->Network List'''. Next, click on MIXXnet and '''Edit'''. Then select the two check boxes that say '''Use SSL for all servers on this network''' and '''Accept invalid SSL certificate''' as shown below.
*[[blackdiamond.ny.us.mixxnet.net]]
+
[[Image:ssl_setup_xchat.png|thumb|250px|Screenshot of X-Chat with SSL enabled.]]
*[[fluxed.il.us.mixxnet.net]]
+
*[[ninjutsu.va.us.mixxnet.net]]
+
*[[raptor.lon.uk.mixxnet.net]]
+
  
===Hub2.EU===
 
*[[cerebrum.nl.eu.mixxnet.net]]
 
*[[gns.de.eu.mixxnet.net]]
 
*[[rapier.lon.uk.mixxnet.net]]
 
*[[secteam.no.eu.mixxnet.net]]
 
  
==User & Channel Information==
 
===Identification===
 
To check to see if a user is using SSL, you whois that user. A secured user's whois would look something like:
 
  
alex323 is alex@staff.mixxnet.net * Alex<br>
+
===mIRC===
alex323 using [[ninjutsu.ca.us.mixxnet.net]] MIXXnet California - Hosted by Linode.com<br>
+
[[mIRC]] requires that you have the Windows version of OpenSSL installed on your system. You can download OpenSSL for Windows at [http://www.shininglightpro.com/products/Win32OpenSSL.html this website]. More information on how to install OpenSSL for Windows is beyond the scope of this document. To check if you've installed OpenSSL correctly, look for the '''SSL''' button in the '''mIRC Options''' window as shown below.
'''alex323 is using a Secure Connection'''<br>
+
[[Image:ssl_setup_mirc.png|thumb|250px|Screenshot of mIRC with SSL enabled.]]
alex323 End of /WHOIS list.
+
If you have SSL enabled, choose a server from the '''Servers''' section above. Type: /server servername.xx.xx.mixnet.net +6697. The '+' sign is important because it tells mIRC to use SSL.
  
This means that the user "alex323" is using SSL on ninjutsu.ca.us.mixxnet.net.
+
When trying to connect to a SSL enabled server, you may be presented with a dialog that says the SSL certificate is invalid. As long as the certificate has not expired and the domain name matches, the certificate is OK. The reason you are seeing this dialog is because MIXXnet acts as its own certificate authority.
  
===Channel Protection===
+
===Irssi===
In a secure channel, all of the users must have SSL enabled for the channel to be secure. If one user isn't secure, then all the messages will go to that user unencrypted. '''SSL users and non-SSL users can co-exist on the same channel.''' If you wish to limit your channel to only people using SSL, you need to set the channel mode +z (/mode #channel +z). The +z mode prevents non-SSL users from joining the channel. If a non-SSL user does try to join, (s)he will see this message:
+
The use of SSL in Irssi is ''very'' simple. All you need to do is type the following commands into the status window:<br>
 +
/set use_ssl on<br>
 +
/set ssl_verify on<br>
 +
/save<br>
 +
After you have done these, you need to pass the -ssl flag to /connect when connecting to an SSL enabled server. For example:<br>
 +
/connect -ssl anjuna.il.us.mixxnet.net 6697
  
<nowiki>#channel unable to join channel (not using secure connection)</nowiki>
+
===Other Clients===
 +
Other clients that support SSL include [http://www.bitchx.org BitchX], [http://weechat.flashtux.org/ WeeChat], [http://www.kvirc.de/ KVirc], [http://pidgin.im Pidgin], [http://colloquy.info/ Colloquy], [http://www.opera.com Opera], [http://www.ircle.com/ Ircle], and [http://www.snak.com/ Snak] to name a few.
  
==Setup==
+
==CA Certificate==
===mIRC===
+
If you would like to install MIXXnet's CA certificate for use in your IRC client to establish a trusted connection and avoid having to accept an "invalid" SSL certificate, please follow the steps below.
mIRC requires that you have the Windows version of OpenSSL installed on your system. You can download OpenSSL for Windows at [http://www.shininglightpro.com/products/Win32OpenSSL.html this website]. More information on how to install OpenSSL for Windows is beyond the scope of this document. To check if you've installed OpenSSL correctly, look for the '''SSL''' button in the '''mIRC Options''' window as shown below.
+
[[Image:ssl_setup_mirc.png|thumb|250px|Screenshot of mIRC with SSL enabled.]]
+
If you have SSL enabled, choose a server from the '''Servers''' section above. Type: /server servername.xx.xx.mixnet.net +port. The '+' sign is important because it tells mIRC to use SSL.
+
  
When trying to connect to a SSL enabled server, you may be presented with a dialog that says the SSL certificate is invalid. As long as the certificate has not expired and the domian name matches, the certificate is OK. The reason you are seeing this dialog is because MIXXnet signs its own SSL certificates.
+
===Windows===
 +
For clients that use OpenSSL (XChat, mIRC), download MIXXnet's [http://mixxnet.net/mixxnet.crt CA Certificate] to your computer and move it to the following directory (creating the directory structure if it does not already exist): '''C:\usr\local\ssl\certs\'''
  
===XChat===
+
When mixxnet.crt is in that directory, rename it to the following (the ".0" at the end is required): '''8a4e52fb.0'''
To use SSL in [[XChat]], click '''X-Chat->Server List...'''. Next, click on MIXXnet and '''Edit..''' ('''Note:''' you may not have MIXXnet on your server list. If you don't, you can just click '''Close''' and type: /server servername.xx.xx.mixnet.net +port). Then select the two check boxes that say, '''Use SSL for all servers on this network''' and '''Accept invalid SSL certificate''' as shown below.
+
[[Image:ssl_setup_xchat.png|thumb|250px|Screenshot of X-Chat with SSL enabled.]]
+
  
===Other Clients===
+
'''NOTE:''' If you are using the SilvereX Windows build of XChat 2.8.6-1 or 2.8.6-2, the path is different due to a bug. The correct path is:  '''C:\some\openssl\dir\ssl\certs\8a4e52fb.0'''
Other clients that support SSL include irssi and BitchX.
+
  
==Secure channels==
+
===Mac OS X===
The official SSL channel of MIXXnet is #secure. You can come join us when you have SSL set up.
+
Download MIXXnet's [http://mixxnet.net/mixxnet.crt CA Certificate] and rename it from mixxnet.crt to '''8a4e52fb.0'''. Then move that file to '''/System/Library/OpenSSL/certs/'''
  
Other secure channels include:
+
===Linux/BSD===
* [[Secure (Channel)|#secure]]
+
Download and move MIXXnet's [http://mixxnet.net/mixxnet.crt CA Certificate] to the path where OpenSSL is configured to look for trusted certificates. This directory varies by Linux distribution or BSD version, however common paths include: /etc/ssl/certs/, /usr/local/openssl/certs/, /usr/share/ssl/certs/, and /usr/local/ssl/certs/.
 +
 
 +
Once the CA cert is moved to that directory, make a symlink with the cert's fingerprint and ".0" appended at the end so that OpenSSL can properly detect the certificate:
 +
 
 +
ln -s mixxnet.crt 8a4e52fb.0
 +
 
 +
Tip: The filename above was derived from the command: $ openssl x509 -in mixxnet.crt -noout -hash
 +
Note: The hashes used above were calculated with OpenSSL 1.0.0a. Prior versions use a different scheme to calculate the hash. If you use a version that is less than 1.0.0, try using the filename '''6730e552.0''' instead.
  
 
==External Links==
 
==External Links==
 +
*[http://en.wikipedia.org/wiki/Transport_Layer_Security SSL Wikipedia Page]
 
*[http://www.openssl.org/ OpenSSL Website]
 
*[http://www.openssl.org/ OpenSSL Website]
 
*[http://www.mirc.co.uk/ssl.html Using SSL with mIRC]
 
*[http://www.mirc.co.uk/ssl.html Using SSL with mIRC]
*[http://irssi.org irssi Website]
 
*[http://www.bitchx.org BitchX Website]
 
*[http://en.wikipedia.org/wiki/Transport_Layer_Security SSL Wikipedia Page]
 
  
 
[[Category:Services]]
 
[[Category:Services]]
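Review bot: the added XChat step still tells users to tick '''Accept invalid SSL certificate''', which makes the client accept any certificate and works against the new CA Certificate section; point XChat users to the CA install steps and drop that checkbox from the instructions. Smaller points in the added lines: the sample WHOIS ends with "Chirs End of /WHOIS list." where "Chris" is meant, the mIRC example uses "servername.xx.xx.mixnet.net" while every other hostname is under mixxnet.net, the mIRC text refers to a '''Servers''' section that this revision removes, and the Linux/BSD step calls 8a4e52fb the cert's "fingerprint" although the Tip derives it with "openssl x509 -hash".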

Latest revision as of 17:13, 21 October 2010

Secure Sockets Layer (SSL) is a cryptographic protocol which provides secure communication on the Internet.

General Information

Users may connect to the MIXXnet IRC network using any server on the network. The default port is 6697 unless listed otherwise.

When you use SSL, you are establishing a secure connection between you and the server. As of February 11, 2006, MIXXnet operates with full SSL support including client-to-server connections and server-to-server links.

Users may download a copy of the CA certificate MIXXnet uses, which can be imported into some clients to allow for a "trusted" connection. It is not necessary for you to do this, but the option is available to you. More information about installing MIXXnet's CA certificate can be found in the CA Certificate section below.

User & Channel Information

Identification

To check to see if a user is using SSL, simply whois that user. A secured user's whois would look something like:

Chris is chris@staff.mixxnet.net * Chris
Chris using anjuna.il.us.mixxnet.net Anjunabeats MIXXnet IRC Server
Chris is using a Secure Connection
Chris End of /WHOIS list.

This means that the user "Chris" is using SSL on anjuna.il.us.mixxnet.net.

Channel Protection

In a secure channel, all of the users must have SSL enabled for the channel to be secure. If one user isn't secure, then all the messages will go to that user unencrypted. SSL users and non-SSL users can co-exist on the same channel. If you wish to limit your channel to only people using SSL, you can set the channel mode +z (/mode #channel +z). The +z mode prevents non-SSL users from joining the channel. If a non-SSL user does try to join, (s)he will see this message:

#channel unable to join channel (not using secure connection)

Client Setup

XChat

To use SSL in XChat, click XChat->Network List. Next, click on MIXXnet and Edit. Then select the two check boxes that say Use SSL for all servers on this network and Accept invalid SSL certificate as shown below.

Screenshot of X-Chat with SSL enabled.


mIRC

mIRC requires that you have the Windows version of OpenSSL installed on your system. You can download OpenSSL for Windows from http://www.shininglightpro.com/products/Win32OpenSSL.html. Installing OpenSSL for Windows is beyond the scope of this document. To check if you've installed OpenSSL correctly, look for the SSL button in the mIRC Options window as shown below.

Screenshot of mIRC with SSL enabled.

If you have SSL enabled, choose a server from the Servers section above. Type: /server servername.xx.xx.mixxnet.net +6697. The '+' sign is important because it tells mIRC to use SSL.

When trying to connect to an SSL-enabled server, you may be presented with a dialog that says the SSL certificate is invalid. As long as the certificate has not expired and the domain name matches, the certificate is OK. You see this dialog because MIXXnet acts as its own certificate authority.

Irssi

The use of SSL in Irssi is very simple. All you need to do is type the following commands into the status window:

/set use_ssl on
/set ssl_verify on
/save

After you have done these, you need to pass the -ssl flag to /connect when connecting to an SSL enabled server. For example:

/connect -ssl anjuna.il.us.mixxnet.net 6697

Other Clients

Other clients that support SSL include BitchX, WeeChat, KVirc, Pidgin, Colloquy, Opera, Ircle, and Snak to name a few.

CA Certificate

If you would like to install MIXXnet's CA certificate for use in your IRC client to establish a trusted connection and avoid having to accept an "invalid" SSL certificate, please follow the steps below.

Windows

For clients that use OpenSSL (XChat, mIRC), download MIXXnet's CA Certificate (http://mixxnet.net/mixxnet.crt) to your computer and move it to the following directory (creating the directory structure if it does not already exist): C:\usr\local\ssl\certs\

When mixxnet.crt is in that directory, rename it to the following (the ".0" at the end is required): 8a4e52fb.0

NOTE: If you are using the SilvereX Windows build of XChat 2.8.6-1 or 2.8.6-2, the path is different due to a bug. The correct path is: C:\some\openssl\dir\ssl\certs\8a4e52fb.0

Mac OS X

Download MIXXnet's CA Certificate (http://mixxnet.net/mixxnet.crt) and rename it from mixxnet.crt to 8a4e52fb.0. Then move that file to /System/Library/OpenSSL/certs/.

Linux/BSD

Download MIXXnet's CA Certificate (http://mixxnet.net/mixxnet.crt) and move it to the path where OpenSSL is configured to look for trusted certificates. This directory varies by Linux distribution or BSD version; common paths include /etc/ssl/certs/, /usr/local/openssl/certs/, /usr/share/ssl/certs/, and /usr/local/ssl/certs/.

Once the CA cert is in that directory, make a symlink named after the cert's subject-name hash with ".0" appended, so that OpenSSL can find the certificate:

ln -s mixxnet.crt 8a4e52fb.0

Tip: The filename above was derived from the command:

$ openssl x509 -in mixxnet.crt -noout -hash

Note: The hashes used above were calculated with OpenSSL 1.0.0a. Prior versions use a different scheme to calculate the hash. If you use a version that is less than 1.0.0, try using the filename 6730e552.0 instead.
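The Linux/BSD steps above as a script, added here as an example and not part of the MIXXnet wiki: it links the certificate under both the OpenSSL 1.0.0+ hash and the pre-1.0.0 hash, then uses openssl verify to show that the directory lookup only succeeds once the hash link exists. The function names, the temporary directory and the throwaway CA it generates are assumptions for the demo; it needs an OpenSSL 1.0.0 or later command-line tool.

```sh
#!/bin/sh
# Added example. The CA generated by make_test_ca is constructed test data.

# install_ca CERT DIR: copy CERT into DIR and link it under both hash
# schemes; prints "<new-hash> <old-hash>".
install_ca() {
    cert=$1 dir=$2
    # Refuse files that do not parse as an X.509 certificate.
    openssl x509 -in "$cert" -noout 2>/dev/null || return 1
    mkdir -p "$dir" && cp "$cert" "$dir/mixxnet.crt" || return 1
    # -subject_hash is what -hash prints on OpenSSL >= 1.0.0;
    # -subject_hash_old is the scheme used before 1.0.0.
    new=$(openssl x509 -in "$cert" -noout -subject_hash) || return 1
    old=$(openssl x509 -in "$cert" -noout -subject_hash_old) || return 1
    for h in "$new" "$old"; do
        ln -sf mixxnet.crt "$dir/$h.0" || return 1
    done
    echo "$new $old"
}

# trusted CERT DIR: succeeds only if CERT chains to a CA found via DIR.
trusted() {
    openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}

# make_test_ca OUT: write a throwaway self-signed CA (constructed).
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Example IRC Network/CN=Example Test CA" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_test_ca "$tmp/ca.crt" || return 1
    mkdir "$tmp/certs" && cp "$tmp/ca.crt" "$tmp/certs/mixxnet.crt"
    # A bare .crt file in the directory is not enough for OpenSSL.
    trusted "$tmp/ca.crt" "$tmp/certs" || echo "before: not trusted"
    install_ca "$tmp/ca.crt" "$tmp/certs"
    trusted "$tmp/ca.crt" "$tmp/certs" && echo "after: trusted"
    rm -rf "$tmp"
}
demo
```

With the real certificate, call install_ca with the downloaded mixxnet.crt and your OpenSSL certs directory; the first value it prints should match the filename given above for your OpenSSL version.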

External Links