From: Bram M. <sy...@un...> - 2025-08-01 10:19:44
UnrealIRCd 6.2.0-beta3 is now available for testing. I didn't announce beta1 and beta2 here to keep list traffic minimal, but now I think I can :). This version is not a stable release and does not contain all the features that are scheduled for 6.2.0 yet. This beta exists so people can test things, report bugs and give other feedback. Please use https://bugs.unrealircd.org/ for that.

You can download UnrealIRCd from unrealircd.org <https://www.unrealircd.org/> and on *NIX you can upgrade to the beta version with:

  ./unrealircd upgrade --beta

Note that our PGP key expired in June 2025, so all our files are signed by the new PGP key. The new key was created and announced in Nov 2024 already in this post <https://forums.unrealircd.org/viewtopic.php?t=9397>. UnrealIRCd 6.1.9 and 6.1.10 have the new key in the doc/KEYS <https://github.com/unrealircd/unrealircd/commit/3aa26ef1f1bd60d8508d503076bad8887967410e> file (because they were published on/after Nov 2024). With UnrealIRCd 6.1.9 and 6.1.10 the ./unrealircd upgrade --beta command will work fine. On older versions of UnrealIRCd, however, you will get a scary warning.

Enhancements:

* Channel flood protection by default <https://www.unrealircd.org/docs/Channel_anti-flood_settings>: This is an important change that IRCOps and chanops should know about:
  o By default we now apply the anti-flood profile "normal", which should be fine for most channels.
  o If a chanop does not want this they can override it by setting |MODE +F| with another profile <https://www.unrealircd.org/docs/Channel_anti-flood_settings#Channel_mode_F_profiles>.
  o For example, for a channel with hundreds of users and lots of activity |+F relaxed| may be more appropriate. Or, chanops can turn anti-flood off entirely by setting |+F off|.
  o The reason for this change is that many admins and chanops in practice don't seem to use |+f| or |+F|. With this change they are now protected "by default" when no MODE |+f| or |+F| is set.
  o Advanced users can grab the detailed effective settings with |MODE #test F|
  o The default protection can be lowered in the config file with:

      set { anti-flood { channel { default-profile relaxed; } } }

    Note that doing so would lower protection for everyone. You can also use |off| instead of |relaxed| to disable it entirely (which is not recommended but makes it how things were before 6.2.x). We recommend using |normal| (which is the default already) and doing per-channel exceptions via |+F| where needed.
* AntiMixedUTF8 <https://www.unrealircd.org/docs/Set_block#set::antimixedutf8>: This is now aware of a lot more unicode blocks. This will cause a higher score for some regular messages, so be aware if you have the score set very low (e.g. 2 or 3). On the plus side, spam should now get an even higher score. Try a score between 5 and 10 and see if that works.
* Spamfilter <https://www.unrealircd.org/docs/Spamfilter> and text analysis:
  o spamfilter::rule now supports |unicode_count('utf8 block name')|, like: |rule "unicode_count('Emoticons')>2";|
  o spamfilter::input-conversion now supports |deconfused| which will "deconfuse" text like "Ε¦πΡπ πΕ αΊ‘ π‘ΓͺΕΘΆ" to "This is a test" so it can easily be matched with simple matching or a regex. This will never be 100% perfect but can be helpful.
  o A new |SPAMINFO <text>| command which shows Text Analysis: scores for AntiMixedUTF8, how the text shows up "deconfused", which unicode blocks are used, etc.
  o The same Text Analysis is now in JSON logs for spamfilter hits and antimixedutf8 hits.
* Best Practices <https://www.unrealircd.org/docs/Set_block#set::best-practices>: If any plaintext ports are found open, we will give advice to move users to TLS.
  o The Use TLS <https://www.unrealircd.org/docs/Use_TLS> article explains why and shows how to do a gradual rollout, with warnings and automatic upgrades from plaintext to TLS for IRC clients that support it.
  o This message can be turned off by setting set::best-practices::listen-nontls-port <https://www.unrealircd.org/docs/Set_block#set::best-practices> to |no|. But please, read the Use TLS <https://www.unrealircd.org/docs/Use_TLS> article first.
  o You won't get this warning if set::plaintext-policy::user is |deny| or when the listen::ip is |127.0.0.1| or |::1|.
* Best Practices <https://www.unrealircd.org/docs/Set_block#set::best-practices>: If no SSL/TLS cert is present that is issued by a trusted Certificate Authority, then we will give a suggestion to use Let's Encrypt. This can be turned off via set::best-practices::trusted-cert <https://www.unrealircd.org/docs/Set_block#set::best-practices>. For servers without any client listener blocks (or only on localhost) this message is not triggered (e.g. for hubs).
* Post-quantum cryptography (PQC) enhancements:
  o set::tls <https://www.unrealircd.org/docs/TLS_Ciphers_and_protocols>: Rename |ecdh-curves| to |groups| (the old name will continue to work)
  o Add (and prefer) the |X25519MLKEM768| hybrid group, which is a mix of |X25519| that is commonly used today and the quantum-safe |ML-KEM-768|. This is to protect against "harvest now, decrypt later" <https://en.wikipedia.org/wiki/Harvest_now,_decrypt_later>.
  o To benefit from this, OpenSSL 3.5.0 or later (released April 2025) is required on the server, and similarly a client that supports this. At the time of writing, almost all Linux distros don't have such an OpenSSL version yet (which is not a problem, this new feature will simply not be available). Notably Debian 13 (when released in August 2025) will have it. LibreSSL does not support it either yet, so our Windows build does not have this feature.
  o Also, change the TLS information on-connect and in WHOIS etc. from something like |TLSv1.3-TLS_CHACHA20_POLY1305_SHA256| to |TLSv1.3/X25519/TLS_CHACHA20_POLY1305_SHA256|. In other words: using slashes as separators and showing the group / key exchange in the middle. The group is only shown on newer OpenSSL versions. If someone uses the new PQC hybrid group mentioned above then their TLS info would start with |TLSv1.3/X25519MLKEM768/|.
  o TL;DR: better secrecy against future quantum attacks, even though not many clients or servers support it at the moment.
* UnrealIRCd can now be used if your OpenSSL does not provide MD5 (there will be an error if you use |cloak_md5|, but everything will work fine if you use |cloak_sha256|).

Changes:

* When a netsplit happens and set::server-linking::autoconnect-strategy <https://www.unrealircd.org/docs/Set_block#set::server-linking> is |sequential| (which is the default) or |sequential-fallback| (which is a good value for leafs) then we now consistently wait for class::connfreq <https://www.unrealircd.org/docs/Class_block> seconds before trying to connect to the (same or next) server. By default this is 15 seconds in the example configuration file server class. The reason for this is to provide consistent behavior. Previously we waited semi-randomly for 0 to class::connfreq seconds. The previous behavior caused the picking of 'next server to try' to be inconsistent, which especially caused issues for |sequential-fallback|. If you want quicker recovery times in case of a netsplit, simply lower the value of class::connfreq <https://www.unrealircd.org/docs/Class_block> in your configuration file, e.g. to 5 instead of 15 seconds.
* Currently it is still possible to link servers without certificate verification. This would be rare, since our server linking guide <https://www.unrealircd.org/docs/Tutorial:_Linking_servers> and |./unrealircd genlinkblock| use certificate verification. Since 2017 you'll get a message on-link when this happens with concrete advice to fix it. The wording has now been changed to be a clear warning about MITM <https://en.wikipedia.org/wiki/Man-in-the-middle_attack> attacks. In 2026Q2 we will turn this into a hard error.
* Make the error message more helpful if the SSL/TLS cert or key is missing.
* Update offline doc/unrealircd_wiki.zim to current wiki
* Update shipped libs: PCRE2 (10.45), c-ares (1.34.5)
* Central Spamreport <https://www.unrealircd.org/docs/Central_spamreport> now receives the last 20 lines instead of 10 and Text Analysis is included (such as which unicode blocks are used in the messages).

Fixes:

* |OS JUPE| not working (still allowing the server in)
* Reputation scores <https://www.unrealircd.org/docs/Reputation_score> now really expire after 90 days.
* For |./unrealircd genlinkblock| skip IP-detection if it is localhost.
* Crash on |REHASH -dns| (IRCOp-only)

Developers and protocol:

* Command handlers (and overrides) now have an extra argument |ClientContext *clictx|. At the moment this has |clictx->cmd| which points to the command handler and |clictx->textanalysis| which may hold TextAnalysis info. In the future this struct can easily be extended. In your modules you should normally use |CMD_FUNC(cmd_mycmd)| and |CMD_OVERRIDE_FUNC(myoverridefunc)| and |CALL_NEXT_COMMAND_OVERRIDE()|; then your module does not need updating between 6.1.x and 6.2.x.
* TextAnalysis can be enabled for the last parameter in a command by setting |CMD_TEXTANALYSIS| in |CommandAdd()|. This is done by |PRIVMSG| and |SPAMINFO| for example.
* New hook |HOOKTYPE_BANNED_CLIENT|
* New hook |HOOKTYPE_CAN_USE_NICK|
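The spamfilter and AntiMixedUTF8 items above describe three pieces of text analysis: counting characters per Unicode block (the |unicode_count('Emoticons')>2| rule), "deconfusing" lookalike text so a plain match or regex can catch it, and a mixed-script score. The Python below is an added illustration of those ideas and is not UnrealIRCd's code: the block table is a constructed subset of the Unicode block list, the homoglyph table is a hand-made fragment (Unicode's confusables.txt is far larger), the sample string is constructed, and the mixed-script score is a simplified stand-in, not UnrealIRCd's actual AntiMixedUTF8 algorithm.

```python
"""Toy text analysis in the spirit of UnrealIRCd 6.2's SPAMINFO.
Added example, not project code: block table, homoglyph table, sample
text and scoring are all constructed or simplified for illustration."""
import unicodedata
from collections import Counter

# Constructed subset of Unicode block ranges (inclusive). The real table
# has a few hundred entries; these are enough for the sample below.
UNICODE_BLOCKS = {
    "Basic Latin": (0x0000, 0x007F),
    "Latin-1 Supplement": (0x0080, 0x00FF),
    "Latin Extended-A": (0x0100, 0x017F),
    "Cyrillic": (0x0400, 0x04FF),
    "Latin Extended Additional": (0x1E00, 0x1EFF),
    "Mathematical Alphanumeric Symbols": (0x1D400, 0x1D7FF),
    "Emoticons": (0x1F600, 0x1F64F),
}

# Hand-made homoglyph table for letters that neither NFKC nor accent
# stripping folds to ASCII: Cyrillic lookalikes and stroked Latin letters.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s", "\u0458": "j",
    "\u0166": "T", "\u0167": "t", "\u0110": "D", "\u0111": "d",
    "\u0141": "L", "\u0142": "l", "\u00d8": "O", "\u00f8": "o",
}

# Constructed sample: "This is a test" written with a stroked T (U+0166),
# mathematical bold script letters, a dotted a (U+1EA1), an e with
# circumflex and a stroked t (U+0167).
SAMPLE = ("\u0166\U0001D4F1\U0001D4F2\U0001D4FC \U0001D4F2\U0001D4FC "
          "\u1EA1 \U0001D4FD\u00EA\U0001D4FC\u0167")


def block_of(ch: str) -> str:
    """Name of the block containing ch (subset table), or 'Other'."""
    cp = ord(ch)
    for name, (lo, hi) in UNICODE_BLOCKS.items():
        if lo <= cp <= hi:
            return name
    return "Other"


def unicode_count(text: str, block: str) -> int:
    """Characters of text inside the named block; the counterpart of the
    page's rule unicode_count('Emoticons')>2."""
    return sum(1 for ch in text if block_of(ch) == block)


def deconfuse(text: str) -> str:
    """Fold lookalike text toward plain ASCII letters in three steps:
    1. NFKC folds font variants (math script, fullwidth, ligatures).
    2. NFD plus dropping combining marks strips accents (ê -> e, ạ -> a).
    3. The small homoglyph table handles what decomposition cannot."""
    folded = unicodedata.normalize("NFKC", text)
    stripped = "".join(
        ch for ch in unicodedata.normalize("NFD", folded)
        if unicodedata.category(ch) != "Mn"
    )
    return "".join(CONFUSABLES.get(ch, ch) for ch in stripped)


def mixed_script_score(text: str) -> int:
    """Simplified stand-in for an AntiMixedUTF8-style score: how often
    consecutive letters switch Unicode block. Not UnrealIRCd's algorithm."""
    score, prev = 0, None
    for ch in text:
        if not ch.isalpha():
            continue
        blk = block_of(ch)
        if prev is not None and blk != prev:
            score += 1
        prev = blk
    return score


def text_analysis(text: str) -> dict:
    """SPAMINFO-style summary: blocks used, deconfused form, mixed score."""
    blocks = Counter(block_of(ch) for ch in text if not ch.isspace())
    return {
        "blocks": dict(blocks),
        "deconfused": deconfuse(text),
        "mixed_script_score": mixed_script_score(text),
    }


if __name__ == "__main__":
    print(text_analysis(SAMPLE))
    print(unicode_count("hi \U0001F600\U0001F600\U0001F600", "Emoticons"))
```

Running it on SAMPLE yields the deconfused string "This is a test", which is what a simple-match or regex spamfilter would then see; the blocks dictionary shows the mix of Latin Extended-A, Mathematical Alphanumeric Symbols and other blocks that drives the mixed-script score. As the page notes for the real feature, a fold like this is never 100% perfect: anything not covered by NFKC, accent stripping or the homoglyph table passes through unchanged.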