TLS

You can choose the security mode using the following parameter:

irc {
        # Connection security mode
        # none/tls/starttls/starttls-mandatory
        security = tls
}

Only 'tls' is implemented so far: an implicitly secured connection on a dedicated port (so you must choose between no security and total security). The two other modes provide explicit security, where an unsecured channel is upgraded to a secured one during the dialog between the client and the server (more on this on Wikipedia). They will be developed in minbif later (currently very few IRC clients can handle this, so it is not very urgent).

Then you must create a proper certificate for your server and declare it:

aaa {
  tls {
    cert_file = /etc/minbif/server.crt
    key_file = /etc/minbif/server.key
    priority = PERFORMANCE
  }
}

The optional priority parameter sets the cipher priorities (see expected values and the list of available ciphers).

Client Authentication using Certificates

It is possible to validate the user certificate (if the client provides one) and, once all checks have succeeded, map the commonName of the certificate to the username. You just need to provide the CA certificate (or a list of CAs aggregated in the same file) and enable connection authentication:

aaa {
  use_connection = true

  tls {
    trust_file = /etc/minbif/ca.crt
  }
}

If you want to invalidate a list of client certificates, you can provide a CRL file:

aaa {
  tls {
    crl_file = /etc/minbif/ca.crl
  }
}
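
The certificate steps above, from the server certificate to client revocation, as an added OpenSSL shell example (not part of the minbif documentation). The CA name, the function names and the files ca.key, client.crt, client.key and ca.cnf are assumptions; ca.crt, ca.crl, server.crt and server.key match the paths used in the configuration blocks.

```shell
#!/bin/sh
# Added example, not from the minbif documentation. ca.key, client.*,
# ca.cnf and all function names are assumptions made for this sketch.

issue_cert() {  # issue_cert BASENAME COMMON_NAME  (run inside the PKI dir)
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null &&
    openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key \
        -CAcreateserial -days 365 -out "$1.crt" 2>/dev/null
}

gen_crl() {     # (re)write ca.crl from the revocation database index.txt
    openssl ca -config ca.cnf -keyfile ca.key -cert ca.crt \
        -gencrl -out ca.crl 2>/dev/null
}

make_minbif_pki() (  # make_minbif_pki DIR SERVER_HOSTNAME USERNAME
    umask 077        # keep private keys unreadable for other users
    mkdir -p "$1" && cd "$1" || exit 1
    # Self-signed CA: ca.crt is what trust_file points at.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example minbif CA" -keyout ca.key -out ca.crt \
        2>/dev/null || exit 1
    issue_cert server "$2" || exit 1   # cert_file / key_file
    issue_cert client "$3" || exit 1   # CN becomes the minbif username
    # Minimal "openssl ca" settings, used only for revocation and CRLs.
    printf '%s\n' '[ca]' 'default_ca = minbif_ca' '[minbif_ca]' \
        'database = index.txt' 'crlnumber = crlnumber' \
        'default_md = sha256' 'default_crl_days = 30' > ca.cnf
    : > index.txt
    echo 01 > crlnumber
    gen_crl                            # empty CRL: crl_file
)

revoke_cert() (  # revoke_cert DIR CERT_FILE, then refresh ca.crl
    cd "$1" || exit 1
    openssl ca -config ca.cnf -keyfile ca.key -cert ca.crt \
        -revoke "$2" 2>/dev/null && gen_crl
)

cert_cn() {      # print the commonName of a single-RDN subject
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/.*CN=//'
}
```

Keep ca.key off the minbif host: the server only needs ca.crt, ca.crl, server.crt and server.key.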
