A couple of months ago, I started searching for a well-maintained IRC
server that I could use as a basis for internal use at my organization. We
are fairly security-conscious and we needed a solid server that supported
SSL and PAM authentication. So, first - thanks for the great work you all
We had a couple of other requirements, especially if we were going to
expose the port on an externally-accessible address. The first was to
allow only authorized connections from clients who presented a valid SSL
certificate. This is the first half of the patch. If linked with GNUTLS,
the patch will allow the admin to limit connections to clients that present
a valid cert, signed by a valid CA in the server cert's chain of trust. It
also supports revocation lists.
Second is the addition of a new caching process called authcache. We wire
up authentication through PAM and on to an one-time password
infrastructure. We chose to do this since IRC clients don't bother trying
to keep that password protected... at all.. It is even written to the
client's history files in many cases. To shorten the window of opportunity
for exposed credentials, the user enters an OTP when authenticating.
Naturally, with the manner and frequency in which IRC clients disconnect
and reconnect, entering credentials repeatedly would be infuriating (and
impossible with most clients.) Authcache will create a token from the
hash of the original IRC name, source connection hostname/address, and if
SSL is enabled, the client certificate's hash, and store it in a table for
a user-configurable amount of time. This table is consulted when a new
connection is made and bypasses the internal authentication step if a
record is found. A user or admin directed logoff will clear the
1. Requires GNUTLS 3.x. I chose to use newer methods for CRL and
verification checks. I would like to figure out what version of GNUTLS is
installed and call the appropriate methods, but this leads me into the next
2. Lack of good Autoconf checks. As noted above, it requires GNUTLS 3.x.
I am sadly not familiar enough with autoconf to put together a robust means
of testing for that.
3. I have not yet written an equivalent CRL and Client cert check for
4. No changes to your unit tests. I hang my head in shame...
I know there are a few items in that list that are solvable after some
research and fiddling (autoconf, libssl). I haven't had a chance to fix
those items yet - I hope to at some point, but who knows when. As you can
tell by the dates in the patchfile, I've been sitting on the changes for a
bit, hoping for time to get autoconf sorted out. Its been months, so I
figured I'd put the patches out there in case they are useful in this
Again, thanks for an awesome server - I hope you find these patches as
useful as I have.