TLS: Difference between revisions

From Xertion Wiki
Jump to navigation Jump to search
Updated TLS page - alternate SANs will be removed from TLS cert Nov 21 2024
Line 1: Line 1:
=Notice of upcoming changes to SSL/TLS connectivity policy - 3-Feb-2021=
=Notice of upcoming changes to Xertion's IRCd TLS certificate - effective 21-Nov-2024<br />=
Effective '''Thursday, April 1st, 2021''', in keeping with the official industry standard, we will officially deprecate use of + stop supporting TLS 1.0 and TLS 1.1 on all Xertion IRC servers. Users whose IRC clients continue to use this protocol after this date '''''WILL''''' encounter connection errors. We '''''STRONGLY''''' recommend you upgrade your IRC client to the latest available versions in order to support '''''AT LEAST TLS 1.2''''' or better. You need at least '''mIRC version 7.61 or better''', or '''HexChat version 2.14.2, 2.14.3 or better'''. If using Linux please be sure your IRC client uses an OpenSSL library of at LEAST the 1.1.x series, as we are unable to guarantee that older versions of this library will work with our servers after the deprecation date.<br />
Effective '''Thursday, November 21, 2024''', we will ''<u>'''NO LONGER SUPPORT'''</u>'' any SANs (Subject Alternative Names) other than Xertion's main hostnames as a valid TLS hostname for connecting to the Xertion IRC Network. A "SAN", or "Subject Alternative Name" is a way for TLS certificate admins to protect multiple hostnames under the same TLS certificate thus that any hostname listed in this field would be considered "valid" for the certificate. From that day forward, the only accepted and valid names for connecting to the Xertion IRC network over TLS will be one of irc.xertion.org, irc6.xertion.org, irc.us.xertion.org, irc.eu.xertion.org, or irc.ap.xertion.org. All other SANs will be <u>'''REMOVED'''</u> from Xertion's TLS certificate, making them invalid for use. This unfortunately also includes the former Immortal-Anime irc.* hostnames.<br />
==Why is Xertion making this change?==
==Why is Xertion making this change?==
Xertion aims to achieve as much compatibility as possible while still providing a reasonable level of security. However, with the full rollout of TLS 1.3 support on Xertion, and the significant number of vulnerabilities and bugs that are known to exist in TLS 1.0, we feel now is the time to bring our security standards in line with the rest of the industry. Support for TLS 1.0 has long since been deprecated by other vendors in their products (including operating systems), and the PCI Council has already strongly suggested migration to higher protocols.<br />In keeping with the industry standard, Xertion will officially stop supporting TLS 1.0 and TLS 1.1 as of '''Thursday, April 1st, 2021'''. If you use old versions of IRC clients and you wish to connect securely, you will be required to update your client to its latest available version to continue doing so. Otherwise, TLS connections to Xertion will begin failing after that date. The recommended versions are listed above. '''If you connect to Xertion on one of its TLS ports (6697, 9998, or 9999), you are 'HIGHLY ENCOURAGED' to upgrade your IRC client to its latest available version as soon as possible in order to avoid disruption.'''<br /><br /><span style="color: rgb(255, 0, 0);" data-mce-style="color: #ff0000;">'''If you connect to Xertion on port 6697, 9998, or 9999 (our TLS ports), PLEASE be sure your IRC client is upgraded and supports TLS 1.2 or TLS 1.3 prior to April 1st, 2021! Any IRC client that uses any version of OpenSSL 1.1.1 for TLS support is sufficient, we recommend mIRC 7.61 or better, or HexChat 2.14.2 or better. If you need help ensuring you have the latest possible version of your chosen IRC client please reach out to Xertion support - you can either reach out to us on the network in #help, or if no staff is around, email [mailto:admin@xertion.org admin@xertion.org] and we'll return a response to you as soon as we can.'''</span>
This decision was not one made lightly, as we have historically supported the use of hostnames outside of Xertion's own, on our IRCd's TLS certificate. This would include the Immortal-Anime irc.* hostnames, which we merged into our own certificate over 2 years ago to better support their transition into our network. To be able to support the use of all these external hostnames, we had to significantly alter our infrastructure to be able to include them, since they all existed outside of Xertion's control. Since we use Let's Encrypt, we're bound by the same 90-day certificate policy as everyone else that uses the CA. This turnaround time, combined with our supporting additional external hostnames on the TLS certificate, complicated the TLS certificate renewal process by making it far more tedious and time-consuming than it really needed to be. If we had the capability to support 1-year TLS certificates this would be far easier to deal with but unfortunately, the options there are extremely limited these days especially with how much Let's Encrypt was adopted by the internet as a whole.
==Where can I get more information?==
 
You may find more details on the general nature of TLS 1.0 and security recommendations at the following links:
 
* [https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.0 Wikipedia article on TLS 1.0]
We looked at what options we had to help ease this process and the burden it creates on us to maintain, but unfortunately the best (and really, ONLY) way we could address this maintenance complexity was to simply restrict the IRCd's TLS certificate to only be valid for Xertion hostnames. As stated before, this was not an easy decision to make given the network's historical flexibility with TLS and we really wish we could keep doing it, but the complexity involved makes it hard to manage for simple volunteers like us.
* [https://blog.pcisecuritystandards.org/migrating-from-ssl-and-early-tls PCI Council recommendation to stop using TLS 1.0]
==What you need to do<br />==
* [https://arstechnica.com/gadgets/2018/10/browser-vendors-unite-to-end-support-for-20-year-old-tls-1-0/ Vendors come together to end TLS 1.0]
<span style="color: rgb(51, 153, 102);" data-mce-style="color: #339966;">'''If you currently connect to the Xertion IRC network OVER TLS using one of THESE hostnames, then ''<u>no action is required</u>'':'''</span>
* <span style="color: rgb(51, 153, 102);" data-mce-style="color: #339966;">'''irc.xertion.org'''</span>
* <span style="color: rgb(51, 153, 102);" data-mce-style="color: #339966;">'''irc6.xertion.org'''</span>
* <span style="color: rgb(51, 153, 102);" data-mce-style="color: #339966;">'''irc.us.xertion.org'''</span>
* <span style="color: rgb(51, 153, 102);" data-mce-style="color: #339966;">'''irc.eu.xertion.org'''</span>
* <span style="color: rgb(51, 153, 102);" data-mce-style="color: #339966;">'''irc.ap.xertion.org'''</span>
<span style="color: rgb(51, 153, 102);" data-mce-style="color: #339966;">'''If you still connect to the Xertion IRC network over a PLAINTEXT port (port 6660 thru 6669, port 7000), that is you DO NOT USE TLS, then <u>''this announcement DOES NOT affect you.''</u>'''</span>
 
'''<span style="color: rgb(255, 0, 0);" data-mce-style="color: #ff0000;">However, if NEITHER above condition applies and you currently connect to the Xertion IRC network OVER TLS using a hostname that IS NOT in the above list, then you <u>WILL</u> need to change your IRC client's configuration for Xertion, to connect to irc.xertion.org (or equivalent regional hostname as listed above, or irc6.xertion.org for IPv6 support) BEFORE NOVEMBER 21, 2024! Failure to do this will result in TLS certificate validation errors after that date!!!</span>'''
 
 
We thank you for using TLS instead of our plaintext ports, and strongly encourage you to keep doing so. We also strongly encourage any users still connecting over our plaintext ports to begin using TLS as well on port 6697, 9998 or 9999 - simply change your IRC client's configuration for Xertion to use one of those 3 ports, turn on SSL/TLS in your client, and you should be set.
 
 
We sincerely and profusely apologize for any inconvenience this causes our users that connect to Xertion over TLS.'''<br />'''

Revision as of 19:26, 11 November 2024

Notice of upcoming changes to Xertion's IRCd TLS certificate - effective 21-Nov-2024

Effective Thursday, November 21, 2024, we will NO LONGER SUPPORT any SANs (Subject Alternative Names) other than Xertion's main hostnames as a valid TLS hostname for connecting to the Xertion IRC Network. A "SAN", or "Subject Alternative Name" is a way for TLS certificate admins to protect multiple hostnames under the same TLS certificate thus that any hostname listed in this field would be considered "valid" for the certificate. From that day forward, the only accepted and valid names for connecting to the Xertion IRC network over TLS will be one of irc.xertion.org, irc6.xertion.org, irc.us.xertion.org, irc.eu.xertion.org, or irc.ap.xertion.org. All other SANs will be REMOVED from Xertion's TLS certificate, making them invalid for use. This unfortunately also includes the former Immortal-Anime irc.* hostnames.

Why is Xertion making this change?

This decision was not one made lightly, as we have historically supported the use of hostnames outside of Xertion's own, on our IRCd's TLS certificate. This would include the Immortal-Anime irc.* hostnames, which we merged into our own certificate over 2 years ago to better support their transition into our network. To be able to support the use of all these external hostnames, we had to significantly alter our infrastructure to be able to include them, since they all existed outside of Xertion's control. Since we use Let's Encrypt, we're bound by the same 90-day certificate policy as everyone else that uses the CA. This turnaround time, combined with our supporting additional external hostnames on the TLS certificate, complicated the TLS certificate renewal process by making it far more tedious and time-consuming than it really needed to be. If we had the capability to support 1-year TLS certificates this would be far easier to deal with but unfortunately, the options there are extremely limited these days especially with how much Let's Encrypt was adopted by the internet as a whole.


We looked at what options we had to help ease this process and the burden it creates on us to maintain, but unfortunately the best (and really, ONLY) way we could address this maintenance complexity was to simply restrict the IRCd's TLS certificate to only be valid for Xertion hostnames. As stated before, this was not an easy decision to make given the network's historical flexibility with TLS and we really wish we could keep doing it, but the complexity involved makes it hard to manage for simple volunteers like us.

What you need to do

If you currently connect to the Xertion IRC network OVER TLS using one of THESE hostnames, then no action is required:

  • irc.xertion.org
  • irc6.xertion.org
  • irc.us.xertion.org
  • irc.eu.xertion.org
  • irc.ap.xertion.org

If you still connect to the Xertion IRC network over a PLAINTEXT port (port 6660 thru 6669, port 7000), that is you DO NOT USE TLS, then this announcement DOES NOT affect you.

However, if NEITHER above condition applies and you currently connect to the Xertion IRC network OVER TLS using a hostname that IS NOT in the above list, then you WILL need to change your IRC client's configuration for Xertion, to connect to irc.xertion.org (or equivalent regional hostname as listed above, or irc6.xertion.org for IPv6 support) BEFORE NOVEMBER 21, 2024! Failure to do this will result in TLS certificate validation errors after that date!!!


We thank you for using TLS instead of our plaintext ports, and strongly encourage you to keep doing so. We also strongly encourage any users still connecting over our plaintext ports to begin using TLS as well on port 6697, 9998 or 9999 - simply change your IRC client's configuration for Xertion to use one of those 3 ports, turn on SSL/TLS in your client, and you should be set.


We sincerely and profusely apologize for any inconvenience this causes our users that connect to Xertion over TLS.