Client-Core SSL support » History » Version 14
Avamander, 05/23/2020 10:22 PM
Fixed formatting
1 | 1 | seezer | h1. Client-Core SSL support |
---|---|---|---|
2 | 1 | seezer | |
3 | 2 | seezer | If you wish to setup an SSL connection between the core and client, you must have compiled both with the "-DWITH_OPENSSL=ON" cmake option. |
4 | 2 | seezer | In case you use a binary version, verify that it was built with SSL support. |
5 | 6 | avih | * The *Windows* binary distribution supports SSL out of the box. See Windows notes at the bottom. |
6 | 1 | seezer | |
7 | 2 | seezer | You don't know where to look for whether SSL support is available in your core? |
8 | 2 | seezer | |
9 | 5 | javier | >Start your core once and look out for warnings in /var/log/quassel/quasselcore like: |
10 | 2 | seezer | <pre>Warning: SslServer: Certificate file /home/quassel/.config/quassel-irc.org/quasselCert.pem does not exist |
11 | 2 | seezer | Warning: SslServer: Unable to set certificate file |
12 | 2 | seezer | Quassel Core will still work, but cannot provide SSL for client connections.</pre> |
13 | 2 | seezer | |
14 | 2 | seezer | Then you need to generate a certificate file to be used for the connections. |
15 | 13 | Avamander | |
16 | 14 | Avamander | h2. LetsEncrypt |
17 | 13 | Avamander | |
18 | 13 | Avamander | You can either update the existing certificate file Quassel uses by default: |
19 | 13 | Avamander | |
20 | 13 | Avamander | <pre>cat /etc/letsencrypt/live/example.com/{privkey.pem,fullchain.pem} > /var/lib/quassel/quasselCert.pem</pre> |
21 | 13 | Avamander | |
22 | 13 | Avamander | Or use command line arguments like <pre>--ssl-cert</pre> and <pre>--ssl-key</pre> and point them at the LetsEncrypt folder, you might have to give Quassel core's user access to the files. Running as root shouldn't be the solution. |
23 | 13 | Avamander | |
24 | 14 | Avamander | h2. Self-signed certificate |
25 | 13 | Avamander | |
26 | 2 | seezer | As the user that starts quassel-core, issue something like the following command on the server running the core: |
27 | 2 | seezer | |
28 | 4 | johu | *>=Version 0.4* |
29 | 11 | Sputnick | <pre>openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout ~/.config/quassel-irc.org/quasselCert.pem -out ~/.config/quassel-irc.org/quasselCert.pem</pre> |
30 | 1 | seezer | >You might use a different configuration directory. Check if your core gets started with the --configdir command-line option. |
31 | 1 | seezer | |
32 | 1 | seezer | Note that Kubuntu packages for Jaunty (9.04) and later do this step for you. |
33 | 1 | seezer | |
34 | 1 | seezer | Start the core and select SSL in your Client as shown below: |
35 | 3 | seezer | |
36 | 3 | seezer | !ssl_dialog_client.png! |
37 | 6 | avih | |
38 | 6 | avih | h2. Creating a certificate on Windows: |
39 | 6 | avih | |
40 | 7 | avih | # Download "Open SSL for Windows":http://slproweb.com/products/Win32OpenSSL.html . I used the *Win32 OpenSSL v1.0.1c Light* version, but other/later versions will work too as long as your system supports them. Don't forget to also download the relevant Visual C++ redist from that page and install it first. When installing OpenSSL, I chose to *install the OpenSSL DLLs to the OpenSSL directory* (not to windows directory), but it SHOULD work either way. |
41 | 6 | avih | # Open a command prompt, navigate to the openssl bin directory (typically @cd c:\openssl-win32\bin@), then issue the following command: |
42 | 6 | avih | <pre> |
43 | 10 | Sputnick | openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout %APPDATA%/quassel-irc.org/quasselCert.pem -out %APPDATA%/quassel-irc.org/quasselCert.pem -config openssl.cfg |
44 | 8 | avih | </pre>(Note that the only difference from the *nix command is the target directory for the cert (typically results in @C:\Users\<USERNAME>\AppData\Roaming\quassel-irc.org@) and the config file for OpenSSL which uses the sample config at the OpenSSL bin directory (openssl.cfg). If you installed the OpenSSL DLLs to the windows directory, your sample config file might be there.) |
45 | 9 | ChrisH | If you still get errors. Try removing <code>%APPDATA%/quassel-irc.org/</code> from the paths. After the file has generated (into @c:\openssl-win32\bin@), manually move it to the proper location in @%APPDATA%/quassel-irc.org/@. |
46 | 8 | avih | # Fill in the details for the certificate generation (pressing enter for all will also work), and now core should have its certificate ready for encrypted communication with the clients. |
47 | 12 | javex | |
48 | 12 | javex | h2. Certificate chains |
49 | 12 | javex | |
50 | 12 | javex | If you happen to have a certificate chain with intermediate certificate authorities (CAs) then you need a specific structure for _quasselCert.pem_. If you do not know what an intermediate CA is, check with your certificate issuer. If you followed the instructions above, you do _not_ have an intermediate CA and do not need these instructions. |
51 | 12 | javex | |
52 | 12 | javex | Your CA should provide you with all intermediate CAs required to complete the chain from your certificate to the root CA. To make this chain work with quassel, make sure the file has the PEM encoded objects in the following order: |
53 | 12 | javex | |
54 | 12 | javex | * Your certificate as issued by the CA |
55 | 12 | javex | * The intermediate CA that signed your certificate |
56 | 12 | javex | * The intermediate CA that signed the previous CA |
57 | 12 | javex | * ... and so on and until you have the intermediate CA that is signed by the root CA |
58 | 12 | javex | * Your private key |
59 | 12 | javex | |
60 | 12 | javex | Note that often you only have one intermediate CA so your file looks like this: |
61 | 12 | javex | |
62 | 12 | javex | * Your certificate |
63 | 12 | javex | * Intermediate CA |
64 | 12 | javex | * Your private key |