pstruh
Joined: 24 Feb 2005   Posts: 29
Posted: Feb 24, 2005 2:48am   Post subject: SSL - problem with localhost

Hi,
I have a little problem.
I am connecting via SSL to the IRCd, and it's working perfectly.
But when I join the channel, my localhost IP address is the IP of the IRCd server.
I would like to see the real IP of the client who is connected to the server. Is this possible?
I use this command:
./stunnel -c -d 6668 -r irc.server.com:6697
This is the output:
nick is nick@irc.server.com * pstruh
nick is connecting from *@irc.server.com IP.IP.IP.IP
nick on @#mtf
nick using irc.server
nick is a Secure Connection
nick has been idle 10secs, signed on Wed Feb 23 20:47:12
nick End of /WHOIS list.
I can't see the real IP of nick, only the IP of irc.server.com.
I want to see:
nick is nick@real.IP.of.client * pstruh
nick is connecting from *@real.IP.of.client IP.IP.IP.IP
but I don't know how I can fix it.
Thanks.

nenolod
Joined: 23 Jan 2004   Posts: 357   Location: A box!
Posted: Feb 27, 2005 12:18pm

stunnel is an SSL proxy, not an actual tunnel. Therefore SYN requests are rewritten to come from stunnel itself, not from the client IP.
I would suggest looking for an SSL patch for whatever IRCd platform you are running.
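nenolod's point, worked through as an added example (editor's code, not from the thread, from stunnel or from UnrealIRCd): a relay opens its own TCP connection to the backend, so the backend's accept() reports the relay's source address and port, not the client's. The block also shows the only real remedy on the relay side, passing the client address in-band as a PROXY protocol v1 header (HAProxy's text format), and why a backend must honour such a header only from a relay address it trusts, since otherwise any direct client could forge its origin. Everything here is an assumption for the demo: the toy IRCd and relay run on 127.0.0.1, the trusted-relay set is loopback, and TLS is left out because it does not change the addressing.

```python
"""Added example: not code from the thread, from stunnel or from UnrealIRCd.

A relay such as stunnel in client mode opens its *own* TCP connection to the
backend, so the backend's accept() reports the relay's source address and
port, never the client's.  The backend can only learn the real client address
if the relay hands it over in-band, e.g. as a PROXY protocol v1 header
(HAProxy's text format), and it must honour such a header only from relay
addresses it trusts, otherwise any direct client could forge its origin.
The toy IRCd and relay below run on 127.0.0.1; TLS is left out because it
does not change the addressing.
"""
import socket
import threading


def build_proxy_line(src, dst):
    # PROXY protocol v1 text header: "PROXY TCP4 srcip dstip srcport dstport\r\n"
    return f"PROXY TCP4 {src[0]} {dst[0]} {src[1]} {dst[1]}\r\n".encode("ascii")


def client_address(peer, first_line, trusted_relays):
    """Decide which (ip, port) the backend attributes a connection to.

    peer           -- (ip, port) returned by accept()
    first_line     -- first line read from the connection
    trusted_relays -- set of relay IPs whose PROXY headers are believed
    Returns ((ip, port), consumed); consumed is True when first_line was a
    header that has been used up and must not be parsed as IRC protocol.
    """
    if not first_line.startswith(b"PROXY TCP4 "):
        return peer, False
    if peer[0] not in trusted_relays:
        # Header from a direct client: a forgery attempt.  Keep the TCP peer
        # and let the line fall through to the IRC parser as an unknown command.
        return peer, False
    parts = first_line.rstrip(b"\r\n").split(b" ")
    if len(parts) != 6:
        raise ValueError("malformed PROXY header")
    return (parts[2].decode("ascii"), int(parts[4])), True


def backend_accept_one(listener, trusted_relays, seen):
    """Toy IRCd: accept one connection, record the attributed address and the
    first IRC line received on it."""
    conn, peer = listener.accept()
    with conn, conn.makefile("rb") as f:
        first = f.readline()
        addr, consumed = client_address(peer, first, trusted_relays)
        seen.append((addr, f.readline() if consumed else first))


def relay_one(listener, backend_addr, send_header, relay_src):
    """Toy relay: accept one client, open a fresh connection to the backend
    (the step that hides the client address) and copy one line across."""
    conn, client = listener.accept()
    with conn, conn.makefile("rb") as f, socket.create_connection(backend_addr) as up:
        relay_src.append(up.getsockname())      # this is what the backend sees as peer
        if send_header:
            up.sendall(build_proxy_line(client, up.getpeername()))
        up.sendall(f.readline())


def run_demo():
    """Connect to the toy IRCd directly, through the relay, and through the
    relay with a PROXY header; return what each side observed."""
    trusted = {"127.0.0.1"}   # demo only: on loopback the relay really is 127.0.0.1
    back, rly = socket.socket(), socket.socket()
    for s in (back, rly):
        s.bind(("127.0.0.1", 0))
        s.listen(5)
        s.settimeout(10)
    results = {}
    for name, via_relay, header in (("direct", False, False),
                                    ("relay", True, False),
                                    ("relay_with_header", True, True)):
        seen, relay_src = [], []
        threads = [threading.Thread(target=backend_accept_one, args=(back, trusted, seen))]
        if via_relay:
            threads.append(threading.Thread(target=relay_one,
                                            args=(rly, back.getsockname(), header, relay_src)))
        for t in threads:
            t.start()
        target = rly.getsockname() if via_relay else back.getsockname()
        with socket.create_connection(target) as c:
            own = c.getsockname()
            c.sendall(b"NICK pstruh\r\n")
            for t in threads:
                t.join()
        results[name] = {"client": own, "backend_saw": seen[0][0], "irc_line": seen[0][1],
                         "relay_src": relay_src[0] if relay_src else None}
    back.close()
    rly.close()
    return results


if __name__ == "__main__":
    for name, r in run_demo().items():
        print(f"{name:18} client={r['client']}  backend_saw={r['backend_saw']}")
```

Run stand-alone, the "relay" case prints a backend_saw that is the relay's own outbound endpoint rather than the client's, and the header case matches the client again. This is the mechanism a modern reverse proxy uses; the thread's answer, SSL support in the IRCd itself, sidesteps the problem entirely.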

pstruh
Joined: 24 Feb 2005   Posts: 29
Posted: Feb 27, 2005 2:36pm

I have Unreal3.2.2b-SSL, openssl-0.9.7e, stunnel-4.07, and the OS is Linux Red Hat 7.1 with a 2.4.2-2 kernel.

theEd
Joined: 15 Mar 2004   Posts: 74   Location: New Zealand
Posted: Feb 27, 2005 5:27pm

Why use stunnel to connect to an IRC server that supports SSL?

nenolod
Joined: 23 Jan 2004   Posts: 357   Location: A box!
Posted: Feb 27, 2005 10:44pm

pstruh wrote: I have Unreal3.2.2b-SSL, openssl-0.9.7e, stunnel-4.07, and the OS is Linux Red Hat 7.1 with a 2.4.2-2 kernel.

Get rid of stunnel and create two listeners then. One to listen for non-SSL traffic and one to listen for SSL traffic. Most clients (irssi, BitchX, X-Chat) use port 9999 as default, so maybe more than two listeners.
Good luck!

pstruh
Joined: 24 Feb 2005   Posts: 29
Posted: Feb 28, 2005 3:19pm

nenolod wrote: Get rid of stunnel and create two listeners then. One to listen for non-SSL traffic and one to listen for SSL traffic. Most clients (irssi, BitchX, X-Chat) use port 9999 as default, so maybe more than two listeners.
Good luck!

My listen block is:
listen *:6697
{
    options
    {
        ssl;
        clientsonly;
    };
};
listen *:6668;
OK, I got rid of stunnel. In my listen block I have non-SSL traffic on port 6668 and SSL traffic on port 6697.
I have started UnrealIRCd:
Starting UnrealIRCd
_ _ _ ___________ _____ _
| | | | | |_ _| ___ \/ __ \ | |
| | | |_ __ _ __ ___ __ _| | | | | |_/ /| / \/ __| |
| | | | '_ \| '__/ _ \/ _` | | | | | / | | / _` |
| |_| | | | | | | __/ (_| | |_| |_| |\ \ | \__/\ (_| |
\___/|_| |_|_| \___|\__,_|_|\___/\_| \_| \____/\__,_|
v3.2.2b
using TRE 0.7.0
using OpenSSL 0.9.7e 25 Oct 2004
* Loading IRCd configuration ..
* Configuration loaded without any problems ..
* Loading tunefile..
* Initializing SSL.
* Dynamic configuration initialized .. booting IRCd.
---------------------------------------------------------------------
All OK, but how can I connect to the IRCd via SSL? If I try to connect to port 6697,
it tells me: Software caused connection abort.
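The abort pstruh reports is what a plaintext IRC client gets from an SSL-only listener, which is why the fix that closes this thread is to make the client use SSL (the +6697 port syntax). The following added example (editor's code, not from the thread or from UnrealIRCd) shows the distinction the listener's SSL library makes on the first bytes of a connection: a TLS ClientHello record, the SSLv2-compatible hello that OpenSSL 0.9.7-era clients could send, or a plaintext NICK line. The sample ClientHello is constructed inside the block rather than captured, and listener_decision() is a model of the two listener types, not UnrealIRCd's own logic.

```python
"""Added example: not code from the thread or from UnrealIRCd.

An SSL-only listener hands every new connection to the SSL library, which
expects the first bytes to be a TLS record carrying a ClientHello (or, from
clients of the OpenSSL 0.9.7 era, an SSLv2-compatible CLIENT-HELLO).  A plain
IRC client sends "NICK ...\\r\\n" instead, the handshake fails, the server
closes the socket and the client reports an error such as "Software caused
connection abort".  classify_first_bytes() performs the distinction; the
sample ClientHello is built here, not captured from a real client.
"""
import os
import struct


def build_client_hello(version=(3, 1), cipher_suites=(0x002F, 0x0035)):
    """Construct a minimal TLS ClientHello record (sample input for the demo).
    version (3, 1) is TLS 1.0; the cipher suites are AES128/AES256-SHA."""
    body = struct.pack("!BB", *version)                     # client_version
    body += os.urandom(32)                                   # random
    body += b"\x00"                                          # session_id length 0
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites         # cipher_suites
    body += b"\x01\x00"                                      # compression: null only
    handshake = b"\x01" + struct.pack("!I", len(body))[1:]   # type 1, 24-bit length
    return b"\x16" + struct.pack("!BBH", *version, len(handshake)) + handshake


def classify_first_bytes(data):
    """Classify the first bytes seen on a fresh connection.
    Returns (kind, detail) with kind in {"tls", "sslv2", "irc", "unknown"}."""
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03:
        # TLS record header: content type handshake (22), version 3.x, 16-bit
        # length; the first handshake byte 0x01 means ClientHello.
        rec_len = struct.unpack("!H", data[3:5])[0]
        if data[5] == 0x01:
            return "tls", f"ClientHello, record version 3.{data[2]}, {rec_len} bytes"
        return "unknown", "TLS record that is not a ClientHello"
    if len(data) >= 5 and data[0] & 0x80 and data[2] == 0x01 and data[3] == 0x03:
        # SSLv2-compatible CLIENT-HELLO: 2-byte length with the high bit set,
        # message type 1, then the highest version offered (3.x).
        return "sslv2", f"SSLv2-compatible ClientHello offering 3.{data[4]}"
    first_word = data.split(b" ", 1)[0].rstrip(b"\r\n")
    if first_word in (b"NICK", b"USER", b"PASS", b"CAP"):
        return "irc", f"plaintext IRC registration command {first_word.decode()}"
    return "unknown", "neither TLS nor IRC"


def listener_decision(listener_kind, data):
    """Model (not UnrealIRCd's code) of what each listener type does with the
    first bytes: an "ssl" listener only proceeds for a TLS/SSLv2 hello and
    otherwise drops the connection, which is the abort a plain client sees;
    a "plain" listener parses IRC, so a ClientHello is just a bad command."""
    kind, _ = classify_first_bytes(data)
    if listener_kind == "ssl":
        return "tls-handshake" if kind in ("tls", "sslv2") else "drop: not a TLS hello"
    return "irc-registration" if kind == "irc" else "reply: unknown command"


if __name__ == "__main__":
    samples = (build_client_hello(), b"\x80\x2e\x01\x03\x01" + bytes(43), b"NICK pstruh\r\n")
    for sample in samples:
        print(classify_first_bytes(sample), "->", listener_decision("ssl", sample))
```

The practical check is the mirror image of this: point a plain client at 6697 and the connection dies during registration; point an SSL-capable client at the same port and the handshake completes. Keeping separate plain and SSL listeners, as in the listen block above, avoids having to autodetect at all.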

nenolod
Joined: 23 Jan 2004   Posts: 357   Location: A box!
Posted: Feb 28, 2005 3:51pm

Is your certificate valid? Check ircd.log too, it may or may not contain useful information.
Are you using select() or poll()? If you are using rtsigio (which I do not remember unreal supporting yet), then try using select or poll.

pstruh
Joined: 24 Feb 2005   Posts: 29
Posted: Mar 02, 2005 1:24pm

nenolod wrote: Is your certificate valid? Check ircd.log too, it may or may not contain useful information.
Are you using select() or poll()? If you are using rtsigio (which I do not remember unreal supporting yet), then try using select or poll.

Sorry, but what do you mean? I don't understand, sorry.

theEd
Joined: 15 Mar 2004   Posts: 74   Location: New Zealand


pstruh
Joined: 24 Feb 2005   Posts: 29
Posted: Mar 02, 2005 4:17pm

Yes, I have installed OpenSSL. I see I must connect to port +6697, and then it's working perfectly. Thanks.

theEd
Joined: 15 Mar 2004   Posts: 74   Location: New Zealand
Posted: Mar 02, 2005 11:25pm

You're very welcome. Have a nice day.

pstruh
Joined: 24 Feb 2005   Posts: 29
Posted: Mar 03, 2005 1:06pm

Hi, I want to ask you one question.
Which Linux IRC clients support SSL?
Thanks.

braindigitalis
Joined: 22 Sep 2003   Posts: 443   Location: IRC
Posted: Mar 03, 2005 2:35pm

pstruh wrote: Which Linux IRC clients support SSL?

Off the top of my head, xchat and irssi.
Also any others if you use stunnel.

pstruh
Joined: 24 Feb 2005   Posts: 29
Posted: Mar 03, 2005 5:45pm

Thanks.
One more question...
Is it possible to sniff communication between two users who are connected to the server via SSL?
I have on my server the SSL port 6697 and the non-SSL port 6667 available.
Is this possible when a user is connected via the non-SSL port?
For example, on #channel there are 50 users connected via the SSL port and 30 users connected via the non-SSL port.
What can they sniff?

braindigitalis
Joined: 22 Sep 2003   Posts: 443   Location: IRC
Posted: Mar 04, 2005 8:05am

pstruh wrote: Is it possible to sniff communication between two users who are connected to the server via SSL? [...] What can they sniff?

For security to work, the following must be true:
The first user must be connected to a server via SSL.
The second user must be connected to a server via SSL.
Both users must be on the same server, OR the link between the two servers the users are on must be SSL.
If the server-to-server link is not also SSL, this link is vulnerable to sniffing.
Also remember that if either user has bad security practices (or you do as a network) there may be other forms of tracking in place such as trojans, keyloggers, modified ircd source etc. Consider SSL a small part of a much larger security puzzle.
Also, if the channel has 30 users in it that are NOT SSL, the whole channel cannot be considered secure at all, as there are 30 vectors for packet sniffing. To ensure a channel is totally secure, set the "only secure users can join" channel mode.
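braindigitalis's rule, turned into an added example (editor's code, not from the thread or from UnrealIRCd) that generalises it to a multi-server network: IRC servers form a tree, so the server path between two users is unique, and a message is readable by a sniffer on any leg that is plaintext, whether that is one of the two client connections or any server-to-server link on the path. The topology and users are constructed for the demo. The "only secure users can join" mode he refers to is UnrealIRCd channel mode +z; with_mode_z() models the join filter it applies, which shows that the mode removes the plaintext client legs but does nothing about a plaintext server link.

```python
"""Added example, not from the thread: a model of which legs of an IRC message
path a packet sniffer could read.  Generalises the rule "both clients on SSL,
and the same server or an SSL link between them" to a tree of servers: every
server-to-server link on the (unique) path must be SSL as well.  The network
below is constructed for the demo; with_mode_z() models UnrealIRCd's +z
channel mode (only SSL-connected clients may join).
"""
from collections import deque

SSL, PLAIN = "ssl", "plain"


class Network:
    def __init__(self):
        self.links = {}    # server -> {neighbour server: SSL | PLAIN}
        self.users = {}    # nick -> (server, SSL | PLAIN)

    def add_link(self, a, b, kind):
        self.links.setdefault(a, {})[b] = kind
        self.links.setdefault(b, {})[a] = kind

    def add_user(self, nick, server, kind):
        self.links.setdefault(server, {})
        self.users[nick] = (server, kind)

    def server_path(self, start, goal):
        """Servers visited from start to goal (BFS; the tree makes it unique)."""
        prev = {start: None}
        queue = deque([start])
        while queue:
            cur = queue.popleft()
            if cur == goal:
                break
            for nxt in self.links[cur]:
                if nxt not in prev:
                    prev[nxt] = cur
                    queue.append(nxt)
        if goal not in prev:
            raise ValueError(f"{start} and {goal} are not linked")
        path = []
        while goal is not None:
            path.append(goal)
            goal = prev[goal]
        return path[::-1]

    def exposed_legs(self, sender, receiver):
        """Plaintext legs a message from sender to receiver crosses, as sorted
        (endpoint, endpoint) pairs so that both directions compare equal."""
        s_srv, s_kind = self.users[sender]
        r_srv, r_kind = self.users[receiver]
        legs = []
        if s_kind == PLAIN:
            legs.append(tuple(sorted((sender, s_srv))))
        path = self.server_path(s_srv, r_srv)
        for a, b in zip(path, path[1:]):
            if self.links[a][b] == PLAIN:
                legs.append(tuple(sorted((a, b))))
        if r_kind == PLAIN:
            legs.append(tuple(sorted((r_srv, receiver))))
        return legs

    def channel_exposure(self, members):
        """Every sniffable leg some channel message would cross: the union over
        all sender/receiver pairs, since each message is copied to every member."""
        legs = set()
        for s in members:
            for r in members:
                if s != r:
                    legs.update(self.exposed_legs(s, r))
        return sorted(legs)

    def with_mode_z(self, members):
        """Members a +z channel would admit: only SSL-connected clients."""
        return [m for m in members if self.users[m][1] == SSL]


def demo_network():
    """Constructed topology: hub linked to leaf1 over SSL and to leaf2 in plain."""
    net = Network()
    net.add_link("hub", "leaf1", SSL)
    net.add_link("hub", "leaf2", PLAIN)
    net.add_user("alice", "leaf1", SSL)
    net.add_user("bob", "leaf1", SSL)
    net.add_user("carol", "leaf2", SSL)
    net.add_user("dave", "leaf1", PLAIN)
    return net


if __name__ == "__main__":
    net = demo_network()
    chan = ["alice", "bob", "carol", "dave"]
    print("alice->bob  :", net.exposed_legs("alice", "bob"))
    print("alice->carol:", net.exposed_legs("alice", "carol"))
    print("channel     :", net.channel_exposure(chan))
    print("channel +z  :", net.channel_exposure(net.with_mode_z(chan)))
```

In the constructed network alice and bob (same server, both SSL) have no exposed leg, alice to carol crosses the plaintext hub-to-leaf2 link, and any channel containing dave exposes his client leg. Applying +z removes dave but the hub-to-leaf2 link stays exposed, which is the server-link caveat in the post above.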