Project

General

Profile

Client-Core SSL support » History » Version 15

Anonymous, 08/25/2020 10:41 PM

1 1 seezer
h1. Client-Core SSL support
2 1 seezer
3 2 seezer
If you wish to setup an SSL connection between the core and client, you must have compiled both with the "-DWITH_OPENSSL=ON" cmake option.
4 2 seezer
In case you use a binary version, verify that it was built with SSL support.
5 6 avih
* The *Windows* binary distribution supports SSL out of the box. See Windows notes at the bottom.
6 1 seezer
7 2 seezer
You don't know where to look for whether SSL support is available in your core?
8 2 seezer
9 5 javier
>Start your core once and look out for warnings in /var/log/quassel/quasselcore like:
10 2 seezer
<pre>Warning: SslServer: Certificate file /home/quassel/.config/quassel-irc.org/quasselCert.pem does not exist
11 2 seezer
Warning: SslServer: Unable to set certificate file
12 2 seezer
Quassel Core will still work, but cannot provide SSL for client connections.</pre>
13 2 seezer
14 2 seezer
Then you need to generate a certificate file to be used for the connections.
15 13 Avamander
16 14 Avamander
h2. LetsEncrypt
17 13 Avamander
18 13 Avamander
You can either update the existing certificate file Quassel uses by default:
19 13 Avamander
20 13 Avamander
<pre>cat /etc/letsencrypt/live/example.com/{privkey.pem,fullchain.pem} > /var/lib/quassel/quasselCert.pem</pre>
21 13 Avamander
22 13 Avamander
Or use command line arguments like <pre>--ssl-cert</pre> and <pre>--ssl-key</pre> and point them at the LetsEncrypt folder, you might have to give Quassel core's user access to the files. Running as root shouldn't be the solution.
23 13 Avamander
24 14 Avamander
h2. Self-signed certificate
25 13 Avamander
26 2 seezer
As the user that starts quassel-core, issue something like the following command on the server running the core:
27 2 seezer
28 4 johu
*>=Version 0.4*
29 11 Sputnick
<pre>openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout ~/.config/quassel-irc.org/quasselCert.pem -out ~/.config/quassel-irc.org/quasselCert.pem</pre>
30 1 seezer
>You might use a different configuration directory. Check if your core gets started with the --configdir command-line option.
31 1 seezer
32 1 seezer
Note that Kubuntu packages for Jaunty (9.04) and later do this step for you.
33 1 seezer
34 1 seezer
Start the core and select SSL in your Client as shown below:
35 3 seezer
36 3 seezer
!ssl_dialog_client.png!
37 6 avih
38 6 avih
h2. Creating a certificate on Windows:
39 6 avih
40 7 avih
# Download "Open SSL for Windows":http://slproweb.com/products/Win32OpenSSL.html . I used the *Win32 OpenSSL v1.0.1c Light* version, but other/later versions will work too as long as your system supports them. Don't forget to also download the relevant Visual C++ redist from that page and install it first. When installing OpenSSL, I chose to *install the OpenSSL DLLs to the OpenSSL directory* (not to windows directory), but it SHOULD work either way.
41 6 avih
# Open a command prompt, navigate to the openssl bin directory (typically @cd c:\openssl-win32\bin@), then issue the following command:
42 6 avih
<pre>
43 10 Sputnick
openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout %APPDATA%/quassel-irc.org/quasselCert.pem -out %APPDATA%/quassel-irc.org/quasselCert.pem -config openssl.cfg 
44 8 avih
</pre>(Note that the only difference from the *nix command is the target directory for the cert (typically results in @C:\Users\<USERNAME>\AppData\Roaming\quassel-irc.org@) and the config file for OpenSSL which uses the sample config at the OpenSSL bin directory (openssl.cfg). If you installed the OpenSSL DLLs to the windows directory, your sample config file might be there.)
45 15 Anonymous
If the above command does not work, try removing <code>-config openssl.cfg</code> from the end of the command. This was required to generate a certificate on v1.1.1g Light of OpenSSL.
46 9 ChrisH
If you still get errors. Try removing <code>%APPDATA%/quassel-irc.org/</code> from the paths. After the file has generated (into @c:\openssl-win32\bin@), manually move it to the proper location in @%APPDATA%/quassel-irc.org/@.
47 8 avih
# Fill in the details for the certificate generation (pressing enter for all will also work), and now core should have its certificate ready for encrypted communication with the clients.
48 12 javex
49 12 javex
h2. Certificate chains
50 12 javex
51 12 javex
If you happen to have a certificate chain with intermediate certificate authorities (CAs) then you need a specific structure for _quasselCert.pem_. If you do not know what an intermediate CA is, check with your certificate issuer. If you followed the instructions above, you do _not_ have an intermediate CA and do not need these instructions.
52 12 javex
53 12 javex
Your CA should provide you with all intermediate CAs required to complete the chain from your certificate to the root CA. To make this chain work with quassel, make sure the file has the PEM encoded objects in the following order:
54 12 javex
55 12 javex
* Your certificate as issued by the CA
56 12 javex
* The intermediate CA that signed your certificate
57 12 javex
* The intermediate CA that signed the previous CA
58 12 javex
* ... and so on and until you have the intermediate CA that is signed by the root CA
59 12 javex
* Your private key 
60 12 javex
61 12 javex
Note that often you only have one intermediate CA so your file looks like this:
62 12 javex
63 12 javex
* Your certificate
64 12 javex
* Intermediate CA
65 12 javex
* Your private key