TLS

From Xertion Wiki
Jump to navigation Jump to search

=Notice of upcoming changes to Xertion's IRCd TLS certificate - effective 25-Nov-2024
=Effective Monday, November 25, 2024, we will NO LONGER SUPPORT any SANs (Subject Alternative Names) other than Xertion's main hostnames as a valid TLS hostname for connecting to the Xertion IRC Network. A "SAN", or "Subject Alternative Name" is a way for TLS certificate admins to protect multiple hostnames under the same TLS certificate thus that any hostname listed in this field would be considered "valid" for the certificate. From that day forward, the only accepted and valid names for connecting to the Xertion IRC network over TLS will be one of irc.xertion.org, irc6.xertion.org, irc.us.xertion.org, irc.eu.xertion.org, or irc.ap.xertion.org, OR one of the direct server names (though you should be using the main rotation hostname). All other SANs will be REMOVED from Xertion's TLS certificate, making them invalid for use. This unfortunately also includes the former Immortal-Anime irc.* hostnames.

Why is Xertion making this change?

This decision was not one made lightly, as we have historically supported the use of hostnames outside of Xertion's own, on our IRCd's TLS certificate. This would include the Immortal-Anime irc.* hostnames, which we merged into our own certificate over 2 years ago to better support their transition into our network. To be able to support the use of all these external hostnames, we had to significantly alter our infrastructure to be able to include them, since they all existed outside of Xertion's control. Since we use Let's Encrypt, we're bound by the same 90-day certificate policy as everyone else that uses the CA. This turnaround time, combined with our supporting additional external hostnames on the TLS certificate, complicated the TLS certificate renewal process by making it far more tedious and time-consuming than it really needed to be. If we had the capability to support 1-year TLS certificates this would be far easier to deal with but unfortunately, the options there are extremely limited these days especially with how much Let's Encrypt was adopted by the internet as a whole.


We looked at what options we had to help ease this process and the burden it creates on us to maintain, but unfortunately the best (and really, ONLY) way we could address this maintenance complexity was to simply restrict the IRCd's TLS certificate to only be valid for Xertion hostnames. As stated before, this was not an easy decision to make given the network's historical flexibility with TLS and we really wish we could keep doing it, but the complexity involved makes it hard to manage for simple volunteers like us.

What you need to do

If you currently connect to the Xertion IRC network OVER TLS using one of THESE hostnames, then no action is required:

  • irc.xertion.org
  • irc6.xertion.org
  • irc.us.xertion.org
  • irc.eu.xertion.org
  • irc.ap.xertion.org

If you still connect to the Xertion IRC network over a PLAINTEXT port (port 6660 thru 6669, port 7000), that is you DO NOT USE TLS, then this announcement DOES NOT affect you.

However, if NEITHER above condition applies and you currently connect to the Xertion IRC network OVER TLS using a hostname that IS NOT in the above list, then you WILL need to change your IRC client's configuration for Xertion, to connect to irc.xertion.org (or equivalent regional hostname as listed above, or irc6.xertion.org for IPv6 support) BEFORE NOVEMBER 21, 2024! Failure to do this will result in TLS certificate validation errors after that date!!!


We thank you for using TLS instead of our plaintext ports, and strongly encourage you to keep doing so. We also strongly encourage any users still connecting over our plaintext ports to begin using TLS as well on port 6697, 9998 or 9999 - simply change your IRC client's configuration for Xertion to use one of those 3 ports, turn on SSL/TLS in your client, and you should be set.


We sincerely and profusely apologize for any inconvenience this causes our users that connect to Xertion over TLS.