Feature #1866: Implicit TLS (with SNI) connection mode - Quassel IRC - Quassel IRC Issue Tracker

Feature #1866

Implicit TLS (with SNI) connection mode

Added by Avamander about 2 years ago. Updated 18 days ago.

Status:

New

Priority:

Normal

Assignee:

Category:

Target version:

Start date:

07/30/2023

Due date:

% Done:

Estimated time:

OS:

Any

Description

It would be very useful if Quassel had a client-core connection mode that use pure implicit TLS (with SNI).

This would provide multiple benefits:

Adds the ability to use any TLS load balancer or terminator (traefik/nginx/etc. with more nuanced configuration)
Implicit TLS like implemented by other software is likely less failure-prone thus more secure than any ad-hoc TLS support
Resists protocol fingerprinting
Adds the potential to leverage things like mTLS (using a YubiKey/smartcard for auth), ECH or QUIC in the future

In theory it shouldn't also be that difficult to implement using already available libraries.

History

#1 Updated by Jamie309Perez 18 days ago

Adding pure implicit TLS with SNI to Quassel's client-core connection would significantly improve security and flexibility. This standard method of encryption is more robust and less prone to failure than ad-hoc solutions, and it would allow Quassel to work seamlessly with modern TLS load balancers and https://www.peryourhealth.io terminators like Traefik or Nginx.Beyond these immediate benefits, it would also future-proof the application by enabling advanced security features like mTLS with hardware tokens (e.g., YubiKeys) and support for new protocols like ECH or QUIC.

Also available in: Atom PDF

Project

General

Profile

Quassel IRC

Issues

Feature #1866

Implicit TLS (with SNI) connection mode

History

#1 Updated by Jamie309Perez 18 days ago