[ircd-ratbox] Request For Feature: IRCS (IRC-over-SSL)

Ralf S. Engelschall rse at engelschall.com
Tue May 17 08:06:43 EDT 2005


On Tue, May 17, 2005, Rachel Llorenna wrote:

> I've spoken to Aaron (AndroSyn) personally a while ago, and he's
> looking into implementing IRC over SSL. One of the major things that
> needs to be considered is the amount of processing power that SSL
> requires. AndroSyn (and I would think anfl, too) want to make sure
> that anything they release is efficient; SSL is no different.
>
> If client-to-server SSL is implemented, they want to make sure that it
> doesn't eat up too much CPU time (particularly as ratbox is used
> widely on EFnet.) I'm sure SSL is somewhere on their To-Do list, but I
> don't know what priority it has at the moment.
>
> ircd-ratbox isn't really intended for smaller networks (although it
> works for them just fine) as much as it is designed for EFnet.
> However, I don't see a problem in implementing this using an
> --enable-ssl or similar flag, until it is fast enough to be used all
> over EFnet.

SSL support should be both a compile-time option (for adding the code)
and a run-time option (for activating the code). It is clear that SSL
support always requires more processing power. This is a price one has
to pay, of course. But as long as this is optional, I see no problem.

> Either way, IRC over SSL really only provides limited security; if
> your server is compromised (or any server on your network) then any
> data passing through it can be read in plaintext. If you're really
> looking for a secure solution, look into something like SILC. SILC,
> however, is nowhere as new as IRC as a protocol, and the client
> support is nearly nonexistent. There are plugins for irssi and Gaim
> that I'm aware of, though.

Yes, for a whole IRC network IRCS support is certainly of limited use.
We're using IRCS mainly to prevent the UserServ passwords going in
plaintext over the network, etc. For this, minimum IRCS support (just
encryption through server cert/key) is sufficient. But one could go a
lot further and use client-side cert/key for authenticating a user at
UserServ via the X.509 CN automatically on connect, etc. Btw, using SSL
without encryption (= null cipher) and just for authentication reasons
here can already provide great benefits without any major processing
power overhead.
                                       Ralf S. Engelschall
                                       rse at engelschall.com
                                       www.engelschall.com
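
Added example, not part of the original message and not ircd-ratbox code: a sketch in Python's standard `ssl` module of the client-certificate idea mentioned above, where a verified X.509 CN selects the services account on connect and users without a certificate fall back to password login. The `ACCOUNTS` table, the function names and the sample names are assumptions made for illustration.

```python
import ssl

# Constructed account table: certificate CN -> services account (hypothetical names).
ACCOUNTS = {"alice": "alice", "bob.example": "bob"}

def make_server_context(certfile=None, keyfile=None, client_ca=None):
    """TLS context for an IRCS listener that accepts, but does not demand, client certs."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # CERT_OPTIONAL: clients without a certificate still connect (password login),
    # while a certificate that is presented but fails verification aborts the handshake.
    ctx.verify_mode = ssl.CERT_OPTIONAL
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)        # server cert/key: encryption only
    if client_ca:
        ctx.load_verify_locations(cafile=client_ca)   # only this CA may issue user certs
    return ctx

def common_names(peercert):
    """Return every CN in the subject of a dict as returned by SSLSocket.getpeercert()."""
    return [value
            for rdn in (peercert or {}).get("subject", ())
            for key, value in rdn
            if key == "commonName"]

def account_for(peercert):
    """Map a verified client certificate to an account; None means use password login."""
    cns = common_names(peercert)
    if len(cns) != 1:       # no certificate, no CN, or an ambiguous subject: do not guess
        return None
    return ACCOUNTS.get(cns[0])   # unknown CN: no automatic login

def verify_mode_name(ctx):
    """Name of the context's client-verification mode, for logging or checks."""
    return ctx.verify_mode.name
```

The CN is only trustworthy because the handshake has already verified the certificate chain against `client_ca`; `account_for` must never be fed an unverified certificate.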


