UnrealIRCd 4.0.14 released

[Bram M. <sy...@un...>]

(You can unsubscribe from this list here 
<https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>)

Hi everyone,

UnrealIRCd 4.0.14 (stable) is now available for download. This release 
consists of several SSL/TLS related improvements.
A new tutorial was added, Using Let's Encrypt with UnrealIRCd 
<https://www.unrealircd.org/docs/Using_Let%27s_Encrypt_with_UnrealIRCd>, 
which should help people get a "proper" SSL certificate.

You may also be interested in my blog post Improving IRC Security Step 
By Step <https://www.vulnscan.org/improving-irc-security-step-by-step/> 
which tells the journey that IRC has taken so far with regards to 
SSL/TLS deployment. It includes UnrealIRCd's perspective and recent 
improvements like draft/sts (4.0.13) and plaintext-policy (4.0.14).

*Changes between version 4.0.13 and 4.0.14
*Improvements

  * New *set::plaintext-policy* configuration settings. This defines
    what happens to users/ircops/servers that are not using SSL/TLS.
    The default settings are:
    set {
       plaintext-policy {
         user allow; /* allow any user to connect */
         oper warn; /* warn on /OPER if not using SSL/TLS */
         server deny; /* deny servers without SSL/TLS, except localhost */
       };
    };
    You can change each of the three classes to /allow/, /warn/ or /deny/.
    More information:
    https://www.unrealircd.org/docs/Set_block#set::plaintext-policy
    If your services do not run on localhost /and/ link without SSL/TLS
    then you may get an error during linking. In such a case check out
    this FAQ item
    <https://www.unrealircd.org/docs/FAQ#ERROR:_Servers_need_to_use_SSL.2FTLS>.
  * You can now ask UnrealIRCd to *verify certificates**of server links*
    by:
    link irc1.test.net {
         [..]
         verify-certificate yes;
    };
    This will verify the certificate of the link, making sure the
    certificate is valid, issued for the specified name
    (/irc1.test.net/) and given out by a trusted Certificate Authority
    (like Let's Encrypt).
    Obviously, if you use self-signed certificates then you can't use this.
  * Introduce a concept called *link security level*. This will rate the
    security of your network from 0 to 2.
    Whenever security is degraded due to a new server link UnrealIRCd
    will print a warning about it.
    See https://www.unrealircd.org/docs/Link_security for more information.
    This also adds a new command /LINKSECURITY (IRCop-only).
  * The plaintext-policy and link-security is shown in "CAP LS".

Major issues fixed

  * None

Minor issues fixed

  * If you had a link block named /irc1.example.net/ and did an outgoing
    connect to that server, then the server could introduce himself
    under a different name, such as /irc1.other.net/. Not a security
    issue, since all authentication has to be passed, but this could
    cause confusing autoconnect attempts.
  * password::sslclientcert did not accept relative paths
  * Compile problem with LibreSSL (regarding SSL_CTX_get0_param)
  * set::modes-on-connect: was refusing certain (old) modes like +N

*Other changes
*

  * The ssl options 'verify-certificate' and 'no-self-signed' have been
    removed. Use link::verify-certificate instead. It makes no sense to
    verify certificates or prevent self signed certificates elsewhere
    such as in vhost or oper, since there is no hostname to match against.
  * Weak cipher suites such as 3DES and RC4 are disabled by default but
    previously you could still enable them through set::ssl::ciphers.
    Now you can no longer, since there is no legitimate reason to do so.
  * Update cipher suite to work with TLS 1.3. This ensures you can use
    TLS 1.3 in UnrealIRCd 4.0.14+ when OpenSSL supports it (in the future).
  * Bump MODDATA_MAX_CLIENT from 8 to 12: needed if you have a lot of
    3rd party modules loaded. Also moved MODDATA_MAX_* to include/config.h

*For module coders*

  * You can now attach ModData to server objects as well (including &me).
  * Please do not use UmodeDel, CmdoverrideDel and any other *Del()
    functions from MOD_UNLOAD. These undocumented functions are
    unnecessary since 2008 or so. UnrealIRCd takes care of unloading all
    module objects. It can cause a crash if someone unloads the module
    in UnrealIRCd 4 (more specifically: double free if unloading modules
    which use ModData). Attempts to use these functions in future
    UnrealIRCd versions may result in a compile error.

*Download*
As always, you can download UnrealIRCd from https://www.unrealircd.org/
All releases are signed with our PGP key (key id 0xA7A21B0A108FF4A9)

*Bug reports and feature enhancements
*Please report all bugs and feature suggestions at 
https://bugs.unrealircd.org/
Our GitHub repository is available on 
https://github.com/unrealircd/unrealircd/

-- 
Bram Matthys
Security res...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6