The One and the Many

Valid TLS certificates for my IRC network

I've run an IRC network for years now. While my servers have supported TLS connections for a long time (and for almost as long have been TLS only) until recently I used self signed TLS certificates on them.

Using a self signed certificate is terrible but until Let's Encrypt came along it was reasonably normal for hobby projects.

As well, IRC is an odd beast where it is normal for servers to use self signed certificates. EFnet, the oldest and one of the larger networks, has several servers that support TLS but they are all using self signed certificates (or at least many of them are). In writing this I checked one and as well as being self signed the certificate expired almost 2 years ago!

It's also almost universal that IRC networks support plaintext connections. Many servers don't offer TLS ports. One of my regular networks has zero servers that support TLS.

All this goes to show that my use of self signed certificates is not abnormal for IRC. Most clients won't check certificates by default because of this.

However I was making some changes to my IRC server and decided to try switching to valid certificates. With Let's Encrypt now supporting wildcard certificates I figured that would be an easy way to do it.

I used lego to get a certificate for *.summercat.com. I copied it to all my servers and began using it. Easy! I updated my server software to require valid certificates when connecting outbound to other servers.

I kept thinking about the wildcard certificate though. I wasn't happy about it. I wondered how other networks handled the problem. It wasn't clear to me the best way to create certificates for an IRC network.

Clients typically connect to an IRC network via a round-robin hostname. For example, a network might direct clients to irc.example.com. Upon connecting, clients end up on a particular server with its own hostname, such as server1.example.com. That means server1.example.com needs a certificate valid both for irc.example.com and server1.example.com. Clients validate the certificate is valid for irc.example.com when connecting to that hostname, but it's also nice to be able to connect to a particular server directly (and necessary when servers connect to it to link).

I looked at what freenode does using this command:

openssl s_client -connect irc.freenode.net:7000 | openssl x509 -noout -text

Their servers have certificates with Subject Alternative Names including irc.freenode.net as well as the particular server's name. And they use Let's Encrypt too! This method seemed much better than using a wildcard, so I created separate certificates for each of my servers and switched them over.

In the end it was simple to setup and I'm kicking myself for not doing it earlier. It does add some maintenance burden as now I have to rotate certificates but I've mostly automated that part. A little hassle for the added security is worth it. Now I just have to convince everyone to configure their clients to check certificates!

Comments