Hello ngIRCd Community!
More than three years have passed since the last release of ngIRCd (http://ngircd.barton.de) – a free, portable and lightweight Internet Relay Chat server for small or private networks – and more than 130 individual patches have accumulated in the Git “master branch” in the meantime. Some are cosmetic, some bring new functionality, others improve the documentation or fix bugs. All in all, it’s more than time for the next “big” release of ngIRCd!
And here it is, the 1st release candidate for the upcoming ngIRCd release 27!
The most prominent and possibly breaking(!) change is that ngIRCd now validates SSL/TLS certificates on server-server links. Until now, ngIRCd optionally used encrypted server-server links (when `SSLConnect = yes` is set in a `[Server]` block, which is not the default) but never checked and validated any certificates. Oh my! Most probably we never should have released it this way in ngIRCd 13 back in 2008 … I hope you all were aware of this, right? Because you never configured a CA to trust, for example …?
But finally we made it, and _ngIRCd now validates SSL/TLS certificates on outgoing server-server links by default_ and **drops**(!) connections when the remote certificate is invalid (for example self-signed, expired, not matching the host name, …). Therefore you have to make sure that all relevant _certificates are valid_ (or to disable certificate validation on this connection using the new `SSLVerify = false` setting in the affected `[Server]` block, where the remote certificate is not valid and you can not fix this issue).
The original patch for OpenSSL certificate validation on server-links dates back to 2009 and was written by Florian Westphal and extended for GnuTLS in 2014 by Christoph Biedl. But it took us another 10 years to bring it to life … oh my! Many thanks to both Florian and Christoph! (This closes issue #120)
But that’s not all. In addition to the above, the following noteworthy changes are listed in the `NEWS` file (https://github.com/ngircd/ngircd/blob/master/NEWS):
- Add support for the “sd_notify” protocol of `systemd(8)`: Periodically “ping” the service manager (every 3 seconds) and set a status message showing current connection statistics which then is included in `systemctl status ngircd.service` output. In addition, this enables using the `systemd(8)` watchdog functionality (`WatchdogSec`) for the `ngircd.service` unit and allows it to use the `notify` service type, which results in better status tracking by the service manager.
- Try to set file descriptor limit to its maximum and show info on startup: The number of possible parallel connections is limited by the file descriptor limit of the process (among other things). Therefore try to upgrade the current “soft” limit to its “hard” maximum (but limited to 100000 instead of “infinite”), and show an information or even warning when the limit is still less than the configured `MaxConnections` setting. Please note that ngIRCd and its linked libraries (like PAM) need file descriptors not only for incoming and outgoing IRC connections, but for reading files and inter-process communication, too! Therefore the actual connection limit is less(!) than the file descriptor limit!
- Add a _Docker file_ (contrib/Dockerfile) and corresponding documentation (doc/Container.md) to the project. The resulting container is based on the latest Debian “stable-slim” container and built using a “build container”.
- No longer use a default built-in value for the `IncludeDir` directive when a configuration file was explicitly specified on the command line using `--config`/`-f`: This way no default include directory is scanned when a possibly non-default configuration file is used which (intentionally) did not specify an `IncludeDir` directive. So now you can use `-f /dev/null` for checking all built-in defaults, regardless of any local configuration files in the default drop-in directory (which would have been read in until this change).
- The server `Name` in the `[Global]` section of the configuration file no longer needs to be set: When not set (or empty), ngIRCd now tries to deduce a valid IRC server name from the local host name (“node name”), possibly adding a `.host` extension when the host name does not contain a dot (`.`) which is required in an IRC server name (“ID”). This new behavior, with all configuration parameters now being optional, allows running ngIRCd without any configuration file at all.
- Autodetect support for IPv6 by default: Until now, IPv6 support was disabled by default, which seems a bit outdated in 2024. Note: You still can pass `--enable-ipv6`/`--disable-ipv6` to the `./configure` script to forcefully activate or deactivate IPv6 support.
- Do IDENT requests even when DNS lookups are disabled: Up to now disabling DNS in the configuration disabled IDENT lookups as well (for no good reason). Now you can activate/deactivate DNS lookups and IDENT requests completely separately. Thanks for reporting this, Miniontoby! Closes #291.
- Allow SSL client-only configurations without keys/certificates: You don’t need to configure certificates/keys as long as you don’t configure SSL-enabled listening ports. This can make sense when you want to only link your local daemon to an uplink server using SSL and only have clients on your local host or in your fully trusted network, where SSL is not required.
- Respect `SSLConnect` option for incoming connections and do not accept incoming plain-text (“non SSL”) server connections for servers configured with `SSLConnect` enabled. This change prevents an authenticated client-server being able to force the server-server to send its password on a plain-text connection when SSL/TLS was intended.
- Add a new option `Autojoin` to `[Channel]` blocks: When it is set, ngIRCd automatically joins all local users to this channel on connect. Note: The users must have permissions to access the channel, otherwise joining them will fail. Thanks Ivan Agarkov for the initial patch!
- Hide invisible (+i) users on `WHOIS <pattern>`: Let’s behave like most(?) other IRC daemons (at least ircd2.11) and hide all +i users when `WHOIS` is used with a pattern. Otherwise privacy of these users is not guaranteed and the +i mode a bit useless … Reported by Cahata on #ngircd, thanks!
- Make the debug log level (`--debug`/`-d` command line option) always available, not only when `./configure`’d with `--enable-debug`: the latter now only enables additional checks (like the tests done using `assert`(2)) and is signalled by adding `+DEBUG` to the version “feature string”. This change enables everyone to get even more detailed logging when required.
- Allow IRC operators to use the `WHO` command on any channel.
- Send the `NAMES` list and channel topic to users “forcefully” joined to a channel using `NJOIN`, like they joined on their own using `JOIN`, and streamline the order of `NAMES` list and channel topic messages. Closes #288.
- Added a new command line option `-y`/`--syslog`, with which logging to syslog can be activated/deactivated separately from running on the console (using `--nodaemon`) or in the background. Thanks Katherine Peeters for the patch and pull request! Closes #294.
- Update, enhance and extend our documentation in `README.md`, `INSTALL.md`, `doc/HowToRelease.txt` and the manual pages `ngircd`(8) and `ngircd.conf`(5), add a new `doc/QuickStart.md` document, and convert some more documentation files to Markdown (`AUTHORS.md`, `contrib/README.md`, `doc/FAQ.md`, `doc/SSL.md`).
And the `ChangeLog` (https://github.com/ngircd/ngircd/blob/master/ChangeLog) has even more details and lists all the fixes, minor enhancements and tweaks.
You can download ngIRCd 27~rc1 from the download section on our homepage at https://ngircd.barton.de (mirror: https://ngircd.sourceforge.io) and GitHub: https://github.com/ngircd/ngircd/releases/tag/rel-27-rc1. The primary download locations are:
- https://github.com/ngircd/ngircd/releases
- https://ngircd.barton.de/pub/ngircd/
- https://ngircd.sourceforge.io/pub/ngircd/
It would be great if as many people as possible try to build this release candidate code on as many platforms as possible!
Please report any issues and glitches you find to the GitHub issue tracker (https://github.com/ngircd/ngircd/issues), the mailing list (ngircd@lists.barton.de), or to the #ngircd channel on IRC: irc://irc.barton.de/ngircd. Enhancements and additions to the documentation, manual pages and the homepage are welcome as well!
The easiest way to test ngIRCd is to run the `./contrib/platformtest.sh` script which is included in the distribution archives, for example like this:
```
$ curl -#LO "https://ngircd.barton.de/pub/ngircd/ngircd-27~rc1.tar.gz"
$ tar xzf "ngircd-27~rc1.tar.gz"
$ cd ngircd-27~rc1
$ ./contrib/platformtest.sh
```
This will take a few minutes (4-5) as our test suite takes some time because of the “penalties” that the test clients have to cope with (the compile run itself is quite fast), and should result in a nice summary like this:
```
                                the executable works ("runs") as expected --+
                                  tests run successfully ("make check") --+ |
                                             ngIRCd compiles ("make") --+ | |
                                                  ./configure works --+ | | |
                                                                      | | | |
Platform                    Compiler     ngIRCd     Date     Tester   C M T R *
--------------------------- ------------ ---------- -------- -------- - - - - -
x86_64/pc/linux-gnu         gcc 12.2.0   27~rc1     24-04-13 alex     Y Y Y Y 1
```
If you like, and especially if you are on a bit more “special” system (non-amd64, non-arm64, non-Linux?), you can say “Hello!” in the irc://irc.barton.de/ngircd IRC channel and post this result line there: then we can include it in the `doc/Platforms.txt` (https://github.com/ngircd/ngircd/blob/master/doc/Platforms.txt) file.
Thanks a lot to all contributors & testers!
Happy testing and have fun! Alex
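A pre-upgrade check for the change announced above, added here as an example (not part of the announcement or of ngIRCd's code): it lists each `[Server]` block and whether ngIRCd 27 would validate that link's certificate, skip validation because of `SSLVerify = false`, or not use TLS at all. The sample configuration, the function names and the accepted boolean spellings (`yes`, `true`, non-zero number) are assumptions.

```python
import re

# Constructed sample ngircd.conf (not from the announcement); hosts are placeholders.
SAMPLE_CONF = """\
[Global]
    Name = irc.example.net

[Server]
    Name = hub.example.net
    Host = hub.example.net
    SSLConnect = yes

[Server]
    Name = legacy.example.net
    Host = 192.0.2.10
    SSLConnect = yes
    SSLVerify = false

[Server]
    Name = lan.example.net
    Host = 192.0.2.20
"""

def is_true(value):
    """Assumed boolean syntax: 'yes', 'true' or a non-zero number mean enabled."""
    v = value.strip().lower()
    return v in ("yes", "true") or (v.isdigit() and int(v) != 0)

def parse_server_blocks(text):
    """Return one dict of lower-cased keys per [Server] block, in file order."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # skip blank lines and comments
            continue
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = None                   # leave any previous block
            if section.group(1).strip().lower() == "server":
                current = {}
                blocks.append(current)
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return blocks

def audit_links(text):
    """Classify each server link by how ngIRCd 27 treats it, per the announcement."""
    findings = []
    for block in parse_server_blocks(text):
        name = block.get("name", "<unnamed>")
        if not is_true(block.get("sslconnect", "no")):
            status = "plaintext"     # SSLConnect is not the default: no TLS on this link
        elif not is_true(block.get("sslverify", "yes")):
            status = "unverified"    # encrypted, but the remote certificate is not checked
        else:
            status = "verified"      # invalid remote certificate means a dropped link
        findings.append((name, status))
    return findings

if __name__ == "__main__":
    for name, status in audit_links(SAMPLE_CONF):
        print(f"{name}: {status}")
```

Links reported as `verified` are the ones that get dropped after the upgrade if the remote certificate is self-signed, expired or does not match the host name.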
Hi All!
Looks like the one release candidate for ngIRCd 27 was sufficient, we found and fixed a few glitches, and here it is: ngIRCd Release 27!
Let me emphasize the most prominent and possibly breaking(!) change again: ngIRCd now validates SSL/TLS certificates on server-server links. Until now, ngIRCd optionally used encrypted server-server links (when `SSLConnect = yes` is set in a `[Server]` block, which is not the default) but never checked and validated any certificates. Oh my! Most probably we never should have released it this way in ngIRCd 13 back in 2008 … I hope you all were aware of this, right? Because you never configured a CA to trust, for example …?
Since RC1, the test suite can cope better with non-interactive environments, startup is no longer aborted when setgid()/setuid() fails with EINVAL and the RPL_NAMEREPLY numeric was fixed for secret channels. Everything else is mentioned below, in the announcement of ngIRCd 27~rc1, and the whole story can be found online here:
- NEWS: https://github.com/ngircd/ngircd/blob/master/NEWS
- ChangeLog: https://github.com/ngircd/ngircd/blob/master/ChangeLog
You can download ngIRCd 27 from the download section on our homepage at https://ngircd.barton.de (mirror: https://ngircd.sourceforge.io) and GitHub: https://github.com/ngircd/ngircd/releases/tag/rel-27. The primary download locations are:
- https://github.com/ngircd/ngircd/releases
- https://ngircd.barton.de/pub/ngircd/
- https://ngircd.sourceforge.io/pub/ngircd/
Please report any issues and glitches you find to the GitHub issue tracker (https://github.com/ngircd/ngircd/issues) and use the mailing list (ngircd@lists.barton.de) and the #ngircd channel on IRC (irc://irc.barton.de/ngircd) for questions and discussions. Enhancements and additions to the documentation, manual pages and the homepage are welcome as well!
And as always: Thanks a lot to all supporters, contributors & testers!
Happy IRC'ing! Alex
On 13.04.2024 at 21:44, Alexander Barton alex@barton.de wrote:
Hello ngIRCd Community!
More than three years have passed since the last release of ngIRCd (http://ngircd.barton.de) – a free, portable and lightweight Internet Relay Chat server for small or private networks – and more than 130 individual patches have accumulated in the Git “master branch” in the meantime. Some are cosmetic, some bring new functionality, others improve the documentation or fix bugs. All in all, it’s more than time for the next “big” release of ngIRCd!
And here it is, the 1st release candidate for the upcoming ngIRCd release 27!
The most prominent and possibly breaking(!) change is that ngIRCd now validates SSL/TLS certificates on server-server links. Until now, ngIRCd optionally used encrypted server-server links (when `SSLConnect = yes` is set in a `[Server]` block, which is not the default) but never checked and validated any certificates. Oh my! Most probably we never should have released it this way in ngIRCd 13 back in 2008 … I hope you all were aware of this, right? Because you never configured a CA to trust, for example …?
But finally we made it, and _ngIRCd now validates SSL/TLS certificates on outgoing server-server links by default_ and **drops**(!) connections when the remote certificate is invalid (for example self-signed, expired, not matching the host name, …). Therefore you have to make sure that all relevant _certificates are valid_ (or to disable certificate validation on this connection using the new `SSLVerify = false` setting in the affected `[Server]` block, where the remote certificate is not valid and you can not fix this issue).
The original patch for OpenSSL certificate validation on server-links dates back to 2009 and was written by Florian Westphal and extended for GnuTLS in 2014 by Christoph Biedl. But it took us another 10 years to bring it to life … oh my! Many thanks to both Florian and Christoph! (This closes issue #120)
But that’s not all. In addition to the above, the following noteworthy changes are listed in the `NEWS` file (https://github.com/ngircd/ngircd/blob/master/NEWS):
- Add support for the “sd_notify” protocol of `systemd(8)`: Periodically “ping” the service manager (every 3 seconds) and set a status message showing current connection statistics which then is included in `systemctl status ngircd.service` output. In addition, this enables using the `systemd(8)` watchdog functionality (`WatchdogSec`) for the `ngircd.service` unit and allows it to use the `notify` service type, which results in better status tracking by the service manager.
- Try to set file descriptor limit to its maximum and show info on startup: The number of possible parallel connections is limited by the file descriptor limit of the process (among other things). Therefore try to upgrade the current “soft” limit to its “hard” maximum (but limited to 100000 instead of “infinite”), and show an information or even warning when the limit is still less than the configured `MaxConnections` setting. Please note that ngIRCd and its linked libraries (like PAM) need file descriptors not only for incoming and outgoing IRC connections, but for reading files and inter-process communication, too! Therefore the actual connection limit is less(!) than the file descriptor limit!
- Add a _Docker file_ (contrib/Dockerfile) and corresponding documentation (doc/Container.md) to the project. The resulting container is based on the latest Debian “stable-slim” container and built using a “build container”.
- No longer use a default built-in value for the `IncludeDir` directive when a configuration file was explicitly specified on the command line using `--config`/`-f`: This way no default include directory is scanned when a possibly non-default configuration file is used which (intentionally) did not specify an `IncludeDir` directive. So now you can use `-f /dev/null` for checking all built-in defaults, regardless of any local configuration files in the default drop-in directory (which would have been read in until this change).
- The server `Name` in the `[Global]` section of the configuration file no longer needs to be set: When not set (or empty), ngIRCd now tries to deduce a valid IRC server name from the local host name (“node name”), possibly adding a `.host` extension when the host name does not contain a dot (`.`) which is required in an IRC server name (“ID”). This new behavior, with all configuration parameters now being optional, allows running ngIRCd without any configuration file at all.
- Autodetect support for IPv6 by default: Until now, IPv6 support was disabled by default, which seems a bit outdated in 2024. Note: You still can pass `--enable-ipv6`/`--disable-ipv6` to the `./configure` script to forcefully activate or deactivate IPv6 support.
- Do IDENT requests even when DNS lookups are disabled: Up to now disabling DNS in the configuration disabled IDENT lookups as well (for no good reason). Now you can activate/deactivate DNS lookups and IDENT requests completely separately. Thanks for reporting this, Miniontoby! Closes #291.
- Allow SSL client-only configurations without keys/certificates: You don’t need to configure certificates/keys as long as you don’t configure SSL-enabled listening ports. This can make sense when you want to only link your local daemon to an uplink server using SSL and only have clients on your local host or in your fully trusted network, where SSL is not required.
- Respect `SSLConnect` option for incoming connections and do not accept incoming plain-text (“non SSL”) server connections for servers configured with `SSLConnect` enabled. This change prevents an authenticated client-server being able to force the server-server to send its password on a plain-text connection when SSL/TLS was intended.
- Add a new option `Autojoin` to `[Channel]` blocks: When it is set, ngIRCd automatically joins all local users to this channel on connect. Note: The users must have permissions to access the channel, otherwise joining them will fail. Thanks Ivan Agarkov for the initial patch!
- Hide invisible (+i) users on `WHOIS <pattern>`: Let’s behave like most(?) other IRC daemons (at least ircd2.11) and hide all +i users when `WHOIS` is used with a pattern. Otherwise privacy of these users is not guaranteed and the +i mode a bit useless … Reported by Cahata on #ngircd, thanks!
- Make the debug log level (`--debug`/`-d` command line option) always available, not only when `./configure`’d with `--enable-debug`: the latter now only enables additional checks (like the tests done using `assert`(2)) and is signalled by adding `+DEBUG` to the version “feature string”. This change enables everyone to get even more detailed logging when required.
- Allow IRC operators to use the `WHO` command on any channel.
- Send the `NAMES` list and channel topic to users “forcefully” joined to a channel using `NJOIN`, like they joined on their own using `JOIN`, and streamline the order of `NAMES` list and channel topic messages. Closes #288.
- Added a new command line option `-y`/`--syslog`, with which logging to syslog can be activated/deactivated separately from running on the console (using `--nodaemon`) or in the background. Thanks Katherine Peeters for the patch and pull request! Closes #294.
- Update, enhance and extend our documentation in `README.md`, `INSTALL.md`, `doc/HowToRelease.txt` and the manual pages `ngircd`(8) and `ngircd.conf`(5), add a new `doc/QuickStart.md` document, and convert some more documentation files to Markdown (`AUTHORS.md`, `contrib/README.md`, `doc/FAQ.md`, `doc/SSL.md`).
And the `ChangeLog` (https://github.com/ngircd/ngircd/blob/master/ChangeLog) has even more details and lists all the fixes, minor enhancements and tweaks.
You can download ngIRCd 27~rc1 from the download section on our homepage at https://ngircd.barton.de (mirror: https://ngircd.sourceforge.io) and GitHub: https://github.com/ngircd/ngircd/releases/tag/rel-27-rc1. The primary download locations are:
- https://github.com/ngircd/ngircd/releases
- https://ngircd.barton.de/pub/ngircd/
- https://ngircd.sourceforge.io/pub/ngircd/
It would be great if as many people as possible try to build this release candidate code on as many platforms as possible!
Please report any issues and glitches you find to the GitHub issue tracker (https://github.com/ngircd/ngircd/issues), the mailing list (ngircd@lists.barton.de), or to the #ngircd channel on IRC: irc://irc.barton.de/ngircd. Enhancements and additions to the documentation, manual pages and the homepage are welcome as well!
The easiest way to test ngIRCd is to run the `./contrib/platformtest.sh` script which is included in the distribution archives, for example like this:
```
$ curl -#LO "https://ngircd.barton.de/pub/ngircd/ngircd-27~rc1.tar.gz"
$ tar xzf "ngircd-27~rc1.tar.gz"
$ cd ngircd-27~rc1
$ ./contrib/platformtest.sh
```
This will take a few minutes (4-5) as our test suite takes some time because of the “penalties” that the test clients have to cope with (the compile run itself is quite fast), and should result in a nice summary like this:
```
                                the executable works ("runs") as expected --+
                                  tests run successfully ("make check") --+ |
                                             ngIRCd compiles ("make") --+ | |
                                                  ./configure works --+ | | |
                                                                      | | | |
Platform                    Compiler     ngIRCd     Date     Tester   C M T R *
--------------------------- ------------ ---------- -------- -------- - - - - -
x86_64/pc/linux-gnu         gcc 12.2.0   27~rc1     24-04-13 alex     Y Y Y Y 1
```
If you like, and especially if you are on a bit more “special” system (non-amd64, non-arm64, non-Linux?), you can say “Hello!” in the irc://irc.barton.de/ngircd IRC channel and post this result line there: then we can include it in the `doc/Platforms.txt` (https://github.com/ngircd/ngircd/blob/master/doc/Platforms.txt) file.
Thanks a lot to all contributors & testers!
Happy testing and have fun! Alex