Version 10 (Sputnick, 04/08/2014 10:56 PM) → Version 11/15 (Sputnick, 04/08/2014 10:56 PM)

h1. Client-Core SSL support

If you wish to set up an SSL connection between the core and client, both must have been compiled with the "-DWITH_OPENSSL=ON" cmake option.
If you use a binary version, verify that it was built with SSL support.
* The *Windows* binary distribution supports SSL out of the box. See Windows notes at the bottom.

Not sure whether SSL support is available in your core?

>Start your core once and look for warnings in /var/log/quassel/quasselcore such as:
<pre>Warning: SslServer: Certificate file /home/quassel/.config/quassel-irc.org/quasselCert.pem does not exist
Warning: SslServer: Unable to set certificate file
Quassel Core will still work, but cannot provide SSL for client connections.</pre>

Then you need to generate a certificate file to be used for the connections.
As the user that starts quassel-core, issue something like the following command on the server running the core:

*>=Version 0.4*
<pre>openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout ~/.config/quassel-irc.org/quasselCert.pem -out ~/.config/quassel-irc.org/quasselCert.pem</pre>
>You might use a different configuration directory. Check if your core gets started with the --configdir command-line option.
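
A check to run on the resulting file, as an added example that is not part of the Quassel wiki or code base: it confirms that the combined PEM holds a certificate and a matching private key, that the certificate has not expired and that the key meets a minimum size, then restricts the file to its owner. The helper names, the -subj value and the 2048-bit default minimum are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not Quassel project code. new_quassel_pem and check_quassel_pem
# are hypothetical helper names; the 2048-bit default minimum is an assumption.

# Generate a combined key+certificate PEM the way the command above does.
# -subj (constructed value) skips the interactive prompts.
new_quassel_pem() {  # usage: new_quassel_pem <file> [bits]
    openssl req -x509 -nodes -days 365 -newkey "rsa:${2:-4096}" \
        -subj "/CN=quasselcore.example" -keyout "$1" -out "$1" 2>/dev/null
}

# Returns 0 when every check passes, otherwise a distinct code per failure.
check_quassel_pem() {  # usage: check_quassel_pem <file> [min_bits]
    pem=$1
    min_bits=${2:-2048}
    [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 1; }
    # Key and certificate share one file, so both PEM blocks must be present.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$pem" || { echo "no certificate" >&2; return 2; }
    grep -q -e 'PRIVATE KEY-----' "$pem" || { echo "no private key" >&2; return 3; }
    # The private key must belong to the certificate: compare their public keys.
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey) || return 4
    key_pub=$(openssl pkey -in "$pem" -pubout) || return 4
    [ "$cert_pub" = "$key_pub" ] || { echo "key does not match certificate" >&2; return 4; }
    # -checkend 0 fails once the certificate has expired (-days 365 runs out).
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null || { echo "certificate expired" >&2; return 5; }
    # Read the key size from the certificate's text dump.
    bits=$(openssl x509 -in "$pem" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge "$min_bits" ] || { echo "key is only ${bits:-?} bits" >&2; return 6; }
    # -nodes leaves the private key unencrypted, so restrict the file to its owner.
    chmod 600 "$pem"
}

# When called with arguments, check the given file (optionally with a minimum size).
if [ "$#" -gt 0 ]; then check_quassel_pem "$@"; fi
```

Run it as the user that starts the core, passing the path to quasselCert.pem in your configuration directory as the first argument.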

Note that Kubuntu packages for Jaunty (9.04) and later do this step for you.

Start the core and select SSL in your Client as shown below:

!ssl_dialog_client.png!

h2. Creating a certificate on Windows:

# Download "Open SSL for Windows":http://slproweb.com/products/Win32OpenSSL.html . I used the *Win32 OpenSSL v1.0.1c Light* version, but other/later versions will work too as long as your system supports them. Don't forget to also download the relevant Visual C++ redist from that page and install it first. When installing OpenSSL, I chose to *install the OpenSSL DLLs to the OpenSSL directory* (not to the Windows directory), but it SHOULD work either way.
# Open a command prompt, navigate to the openssl bin directory (typically @cd c:\openssl-win32\bin@), then issue the following command:
<pre>
openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout %APPDATA%/quassel-irc.org/quasselCert.pem -out %APPDATA%/quassel-irc.org/quasselCert.pem -config openssl.cfg
</pre>The only differences from the *nix command are the target directory for the certificate (typically @C:\Users\<USERNAME>\AppData\Roaming\quassel-irc.org@) and the config file for OpenSSL, which here is the sample config in the OpenSSL bin directory (openssl.cfg). If you installed the OpenSSL DLLs to the Windows directory, your sample config file might be there.
If you still get errors, try removing <code>%APPDATA%/quassel-irc.org/</code> from the paths. After the file has been generated (in @c:\openssl-win32\bin@), manually move it to the proper location in @%APPDATA%/quassel-irc.org/@.
# Fill in the details for the certificate generation (pressing enter for all will also work). The core should then have its certificate ready for encrypted communication with the clients.