feat: client-side TLS for encrypted client connections

Accept TLS-encrypted connections from IRC clients. Auto-generates a
self-signed EC P-256 listener certificate (bouncer.pem) when no custom
cert is provided. Remove CTCP response items from roadmap (stealth by
design -- router already suppresses all CTCP except ACTION).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
user
2026-02-21 18:47:20 +01:00
parent bfcebad6dd
commit bf4a589fc5
12 changed files with 400 additions and 25 deletions

@@ -3,6 +3,11 @@ bind = "127.0.0.1"
port = 6667
password = "changeme"
# Client TLS -- encrypt client-to-bouncer connections
# client_tls = false # enable TLS for client listener
# client_tls_cert = "" # path to PEM cert (auto-generated if empty)
# client_tls_key = "" # path to PEM key (or same file as cert)
# PING watchdog -- detect stale server connections
# ping_interval = 120 # seconds of silence before sending PING
# ping_timeout = 30 # seconds to wait for PONG after PING
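Review bot: The `client_tls_cert` comment says the certificate is "auto-generated if empty" but gives neither the location of the generated file nor how a client should trust it. The commit message names the file (bouncer.pem); the config comment should as well, and it should tell users to pin that certificate's fingerprint in their IRC client, because a self-signed certificate accepted without verification does not protect the `password` above from an active interception. Since `client_tls_key` may be the "same file as cert", that file holds the private key, so a note that it must be readable only by the bouncer's user belongs here too. With `client_tls = true` the listener still sits on `port = 6667`; consider mentioning 6697, the conventional IRC-over-TLS port, so clients are not configured for plaintext by habit.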