Hello ngIRCd Community!
More than three years have passed since the last release of ngIRCd (<http://ngircd.barton.de>) – a free, portable and lightweight Internet Relay Chat server for small or private networks – and more than 130 individual patches have accumulated in the Git “master branch” in the meantime. Some are cosmetic, some bring new functionality, others improve the documentation or fix bugs. All in all, it’s more than time for the next “big” release of ngIRCd!
And here it is, the 1st release candidate for the upcoming ngIRCd release 27!
The most prominent and possibly breaking(!) change is that ngIRCd now validates SSL/TLS certificates on server-server links. Until now, ngIRCd optionally used encrypted server-server links (when `SSLConnect = yes` is set in a `[Server]` block, which is not the default) but never checked and validated any certificates. Oh my! Most probably we never should have released it this way in ngIRCd 13 back in 2008 … I hope you all were aware of this, right? Because you never configured a CA to trust, for example …?
But finally we made it, and _ngIRCd now validates SSL/TLS certificates on outgoing server-server links by default_ and **drops**(!) connections when the remote certificate is invalid (for example self-signed, expired, not matching the host name, …). Therefore you have to make sure that all relevant _certificates are valid_ (or disable certificate validation on this connection using the new `SSLVerify = false` setting in the affected `[Server]` block, where the remote certificate is not valid and you cannot fix this issue).
The original patch for OpenSSL certificate validation on server-links dates back to 2009 and was written by Florian Westphal and extended for GnuTLS in 2014 by Christoph Biedl. But it took us another 10 years to bring it to life … oh my! Many thanks to both Florian and Christoph! (This closes issue #120)
But that’s not all. In addition to the above, the following noteworthy changes are listed in the `NEWS` file (<https://github.com/ngircd/ngircd/blob/master/NEWS>):
- Add support for the “sd_notify” protocol of `systemd(8)`:
Periodically “ping” the service manager (every 3 seconds) and set a
status message showing current connection statistics which then is
included in `systemctl status ngircd.service` output. In addition,
this enables using the `systemd(8)` watchdog functionality
(`WatchdogSec`) for the `ngircd.service` unit and allows it to use
the `notify` service type, which results in better status tracking
by the service manager.
- Try to set file descriptor limit to its maximum and show info on
startup: The number of possible parallel connections is limited by
the file descriptor limit of the process (among other things).
Therefore try to upgrade the current “soft” limit to its “hard”
maximum (but limited to 100000 instead of “infinite”), and show an
information or even warning when the limit is still less than the
configured `MaxConnections` setting. Please note that ngIRCd and its
linked libraries (like PAM) need file descriptors not only for
incoming and outgoing IRC connections, but for reading files and
inter-process communication, too! Therefore the actual connection
limit is less(!) than the file descriptor limit!
- Add a _Docker file_ (contrib/Dockerfile) and corresponding
documentation (doc/Container.md) to the project. The resulting
container is based on the latest Debian “stable-slim” container and
built using a “build container”.
- No longer use a default built-in value for the `IncludeDir`
directive when a configuration file was explicitly specified on the
command line using `--config`/`-f`: This way no default include
directory is scanned when a possibly non-default configuration file
is used which (intentionally) did not specify an `IncludeDir`
directive. So now you can use `-f /dev/null` for checking all
built-in defaults, regardless of any local configuration files in
the default drop-in directory (which would have been read in until
this change).
- The server `Name` in the `[Global]` section of the configuration
file no longer needs to be set: When not set (or empty), ngIRCd now
tries to deduce a valid IRC server name from the local host name
(“node name”), possibly adding a `.host` extension when the host
name does not contain a dot (`.`) which is required in an IRC server
name (“ID”). This new behavior, with all configuration parameters
now being optional, allows running ngIRCd without any configuration
file at all.
- Autodetect support for IPv6 by default: Until now, IPv6 support was
disabled by default, which seems a bit outdated in 2024. Note: You
still can pass `--enable-ipv6`/`--disable-ipv6` to the `./configure`
script to forcefully activate or deactivate IPv6 support.
- Do IDENT requests even when DNS lookups are disabled: Up to now
disabling DNS in the configuration disabled IDENT lookups as well
(for no good reason). Now you can activate/deactivate DNS lookups
and IDENT requests completely separately. Thanks for reporting this,
Miniontoby! Closes #291.
- Allow SSL client-only configurations without keys/certificates: You
don’t need to configure certificates/keys as long as you don’t
configure SSL-enabled listening ports. This can make sense when you
want to only link your local daemon to an uplink server using SSL
and only have clients on your local host or in your fully trusted
network, where SSL is not required.
- Respect `SSLConnect` option for incoming connections and do not
accept incoming plain-text (“non SSL”) server connections for
servers configured with `SSLConnect` enabled. This change prevents
an authenticated client-server being able to force the server-server
to send its password on a plain-text connection when SSL/TLS was
intended.
- Add a new option `Autojoin` to `[Channel]` blocks: When it is set,
ngIRCd automatically joins all local users to this channel on
connect. Note: The users must have permissions to access the
channel, otherwise joining them will fail. Thanks Ivan Agarkov for
the initial patch!
- Hide invisible (+i) users on `WHOIS <pattern>`: Let’s behave like
most(?) other IRC daemons (at least ircd2.11) and hide all +i users
when `WHOIS` is used with a pattern. Otherwise privacy of these users
is not guaranteed and the +i mode is a bit useless … Reported by Cahata
on #ngircd, thanks!
- Make the debug log level (`--debug`/`-d` command line option) always
available, not only when `./configure`’d with `--enable-debug`: the
latter now only enables additional checks (like the tests done using
`assert`(2)) and is signalled by adding `+DEBUG` to the version
“feature string”. This change enables everyone to get even more
detailed logging when required.
- Allow IRC operators to use the `WHO` command on any channel.
- Send the `NAMES` list and channel topic to users “forcefully” joined
to a channel using `NJOIN`, like they joined on their own using
`JOIN`, and streamline the order of `NAMES` list and channel topic
messages. Closes #288.
- Added a new command line option `-y`/`--syslog`, with which logging
to syslog can be activated/deactivated separately from running on
the console (using `--nodaemon`) or in the background. Thanks
Katherine Peeters for the patch and pull request! Closes #294.
- Update, enhance and extend our documentation in `README.md`,
`INSTALL.md`, `doc/HowToRelease.txt` and the manual pages
`ngircd`(8) and `ngircd.conf`(5), add a new `doc/QuickStart.md`
document, and convert some more documentation files to Markdown
(`AUTHORS.md`, `contrib/README.md`, `doc/FAQ.md`, `doc/SSL.md`).

And the `ChangeLog` (<https://github.com/ngircd/ngircd/blob/master/ChangeLog>) has even more details and lists all the fixes, minor enhancements and tweaks.
You can download ngIRCd 27~rc1 from the download section on our homepage at <https://ngircd.barton.de> (mirror: <https://ngircd.sourceforge.io>) and GitHub: <https://github.com/ngircd/ngircd/releases/tag/rel-27-rc1>. The primary download locations are:
- <https://github.com/ngircd/ngircd/releases>
- <https://ngircd.barton.de/pub/ngircd/>
- <https://ngircd.sourceforge.io/pub/ngircd/>

It would be great if as many people as possible try to build this release candidate code on as many platforms as possible!
Please report any issues and glitches you find to the GitHub issue tracker (<https://github.com/ngircd/ngircd/issues>), the mailing list (ngircd(a)lists.barton.de), or to the #ngircd channel on IRC: <irc://irc.barton.de/ngircd>. Enhancements and additions to the documentation, manual pages and the homepage are welcome as well!
The easiest way to test ngIRCd is to run the `./contrib/platformtest.sh` script which is included in the distribution archives, for example like this:
```
$ curl -#LO "https://ngircd.barton.de/pub/ngircd/ngircd-27~rc1.tar.gz"
$ tar xzf "ngircd-27~rc1.tar.gz"
$ cd ngircd-27~rc1
$ ./contrib/platformtest.sh
```
This will take a few minutes (4-5) as our test suite takes some time because of the “penalties” that the test clients have to cope with (the compile run itself is quite fast), and should result in a nice summary like this:
```
                               the executable works ("runs") as expected --+
                                  tests run successfully ("make check") --+ |
                                             ngIRCd compiles ("make") --+ | |
                                                  ./configure works --+ | | |
                                                                      | | | |
Platform                    Compiler     ngIRCd     Date     Tester   C M T R *
--------------------------- ------------ ---------- -------- -------- - - - - -
x86_64/pc/linux-gnu         gcc 12.2.0   27~rc1     24-04-13 alex     Y Y Y Y 1
```
If you like, and especially if you are on a bit more “special” system (non-amd64, non-arm64, non-Linux?), you can say “Hello!” in the <irc://irc.barton.de/ngircd> IRC channel and post this result line there: then we can include it in the `doc/Platforms.txt` (<https://github.com/ngircd/ngircd/blob/master/doc/Platforms.txt>) file.
Thanks a lot to all contributors & testers!
Happy testing and have fun!
Alex
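
Because release 27 drops outgoing server links whose certificate does not validate, and no longer accepts plain-text incoming links for servers with `SSLConnect` enabled, it helps to review every `[Server]` block before upgrading. The shell function below is an added example, not part of ngIRCd or of the original announcement: it classifies each link using the `SSLConnect` and `SSLVerify` settings named above, together with the `Name`, `Host` and `Port` keys of `[Server]` blocks. The sample configuration is constructed, and the boolean and comment handling are simplifying assumptions.

```shell
# Added example (not ngIRCd code): classify every [Server] link in ngircd.conf.
# Assumption: yes/true/on/1 in any case count as "true"; "#" and ";" start comments.
audit_links() {   # usage: audit_links FILE...  (or config on stdin)
    awk '
    function truthy(v) { v = tolower(v); return v == "yes" || v == "true" || v == "on" || v == "1" }
    function emit(   status) {
        if (!in_server) return
        if (!truthy(f["sslconnect"])) status = "PLAINTEXT"
        else if (f["sslverify"] != "" && !truthy(f["sslverify"])) status = "TLS-UNVERIFIED"
        else status = "TLS-VERIFIED"       # SSLVerify unset: validation is the default
        printf "%s %s:%s %s\n", f["name"], f["host"], f["port"], status
    }
    /^[ \t]*[#;]/ { next }
    /^[ \t]*\[/ {                          # section header closes the previous block
        emit()
        sec = tolower($0); gsub(/[^a-z]/, "", sec); in_server = (sec == "server")
        split("", f); f["name"] = "?"; f["host"] = "-"; f["port"] = "-"
        next
    }
    in_server && /=/ {
        key = tolower($0); sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
        val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t\r]+$/, "", val)
        f[key] = val
    }
    END { emit() }
    ' "$@"
}
weak_links() { audit_links "$@" | awk '$3 != "TLS-VERIFIED"'; }
sample_conf() {   # constructed sample, not a real network
cat <<'EOF'
[Global]
    Name = irc.example.net
[Server]
    Name = hub.example.net
    Host = hub.example.net
    Port = 6697
    SSLConnect = yes
[Server]
    Name = legacy.example.net
    Host = 192.0.2.10
    Port = 6697
    SSLConnect = yes
    SSLVerify = false
[Server]
    Name = leaf.example.net
    ; SSLConnect not set: this link is plain text
EOF
}
sample_conf | audit_links
```

Run `weak_links /path/to/ngircd.conf` against a real configuration to list only the links that are plain text or have certificate validation switched off.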