feat: client-side TLS for encrypted client connections
Accept TLS-encrypted connections from IRC clients. Auto-generates a self-signed EC P-256 listener certificate (bouncer.pem) when no custom cert is provided. Remove CTCP response items from roadmap (stealth by design -- router already suppresses all CTCP except ACTION). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
user
@@ -111,6 +111,59 @@ automatically attaches to **all** configured networks.
|
||||
|
||||
Set server password to `mypassword` in the network settings.
|
||||
|
||||
## Client TLS
|
||||
|
||||
The bouncer can accept TLS-encrypted connections from IRC clients. This
|
||||
encrypts the password and all traffic between your client and the bouncer.
|
||||
|
||||
### Setup
|
||||
|
||||
```toml
|
||||
[bouncer]
|
||||
client_tls = true
|
||||
```
|
||||
|
||||
On first start with `client_tls = true`, the bouncer auto-generates a
|
||||
self-signed EC P-256 certificate at `{data_dir}/bouncer.pem` (10-year validity).
|
||||
The certificate fingerprint is logged at startup.
|
||||
|
||||
### Custom Certificate
|
||||
|
||||
To use your own certificate (e.g. from Let's Encrypt):
|
||||
|
||||
```toml
|
||||
[bouncer]
|
||||
client_tls = true
|
||||
client_tls_cert = "/path/to/fullchain.pem"
|
||||
client_tls_key = "/path/to/privkey.pem"
|
||||
```
|
||||
|
||||
If the cert and key are in the same PEM file, set only `client_tls_cert`.
|
||||
|
||||
### Client Examples
|
||||
|
||||
**irssi:**
|
||||
```
|
||||
/connect -tls -tls_verify no -password mypassword 127.0.0.1 6667
|
||||
```
|
||||
|
||||
**weechat:**
|
||||
```
|
||||
/server add bouncer 127.0.0.1/6667 -password=mypassword -ssl -ssl_verify=0
|
||||
/connect bouncer
|
||||
```
|
||||
|
||||
**hexchat:**
|
||||
|
||||
Enable "Use SSL for all the servers on this network" and accept the
|
||||
self-signed certificate.
|
||||
|
||||
### Verify with openssl
|
||||
|
||||
```bash
|
||||
openssl s_client -connect 127.0.0.1:6667
|
||||
```
|
||||
|
||||
## Multi-Network Namespacing
|
||||
|
||||
All configured networks are multiplexed onto a single client connection. Channels
|
||||
@@ -256,6 +309,11 @@ bind = "127.0.0.1" # listen address
|
||||
port = 6667 # listen port
|
||||
password = "changeme" # client authentication password
|
||||
|
||||
# Client TLS
|
||||
client_tls = false # enable TLS for client listener
|
||||
client_tls_cert = "" # path to PEM cert (auto-generated if empty)
|
||||
client_tls_key = "" # path to PEM key (or same file as cert)
|
||||
|
||||
# Captcha solving (NoCaptchaAI)
|
||||
captcha_api_key = "" # API key (optional, for auto-verification)
|
||||
captcha_poll_interval = 3 # seconds between solve polls
|
||||
|
||||
Reference in New Issue
Block a user