Project

General

Profile

Client-Core SSL support » History » Version 12

javex, 04/09/2016 05:14 AM
Add instructions on how to add intermediate CAs

1 1 seezer
h1. Client-Core SSL support
2 1 seezer
3 2 seezer
If you wish to setup an SSL connection between the core and client, you must have compiled both with the "-DWITH_OPENSSL=ON" cmake option.
4 2 seezer
In case you use a binary version, verify that it was built with SSL support.
5 6 avih
* The *Windows* binary distribution supports SSL out of the box. See Windows notes at the bottom.
6 1 seezer
7 2 seezer
You don't know where to look for whether SSL support is available in your core?
8 2 seezer
9 5 javier
>Start your core once and look out for warnings in /var/log/quassel/quasselcore like:
10 2 seezer
<pre>Warning: SslServer: Certificate file /home/quassel/.config/quassel-irc.org/quasselCert.pem does not exist
11 2 seezer
Warning: SslServer: Unable to set certificate file
12 2 seezer
Quassel Core will still work, but cannot provide SSL for client connections.</pre>
13 2 seezer
14 2 seezer
Then you need to generate a certificate file to be used for the connections.
15 2 seezer
As the user that starts quassel-core, issue something like the following command on the server running the core:
16 2 seezer
17 4 johu
*>=Version 0.4*
18 11 Sputnick
<pre>openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout ~/.config/quassel-irc.org/quasselCert.pem -out ~/.config/quassel-irc.org/quasselCert.pem</pre>
19 1 seezer
>You might use a different configuration directory. Check if your core gets started with the --configdir command-line option.
20 1 seezer
21 1 seezer
Note that Kubuntu packages for Jaunty (9.04) and later do this step for you.
22 1 seezer
23 1 seezer
Start the core and select SSL in your Client as shown below:
24 3 seezer
25 3 seezer
!ssl_dialog_client.png!
26 6 avih
27 6 avih
h2. Creating a certificate on Windows:
28 6 avih
29 7 avih
# Download "Open SSL for Windows":http://slproweb.com/products/Win32OpenSSL.html . I used the *Win32 OpenSSL v1.0.1c Light* version, but other/later versions will work too as long as your system supports them. Don't forget to also download the relevant Visual C++ redist from that page and install it first. When installing OpenSSL, I chose to *install the OpenSSL DLLs to the OpenSSL directory* (not to windows directory), but it SHOULD work either way.
30 6 avih
# Open a command prompt, navigate to the openssl bin directory (typically @cd c:\openssl-win32\bin@), then issue the following command:
31 6 avih
<pre>
32 10 Sputnick
openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout %APPDATA%/quassel-irc.org/quasselCert.pem -out %APPDATA%/quassel-irc.org/quasselCert.pem -config openssl.cfg 
33 8 avih
</pre>(Note that the only difference from the *nix command is the target directory for the cert (typically results in @C:\Users\<USERNAME>\AppData\Roaming\quassel-irc.org@) and the config file for OpenSSL which uses the sample config at the OpenSSL bin directory (openssl.cfg). If you installed the OpenSSL DLLs to the windows directory, your sample config file might be there.)
34 9 ChrisH
If you still get errors. Try removing <code>%APPDATA%/quassel-irc.org/</code> from the paths. After the file has generated (into @c:\openssl-win32\bin@), manually move it to the proper location in @%APPDATA%/quassel-irc.org/@.
35 8 avih
# Fill in the details for the certificate generation (pressing enter for all will also work), and now core should have its certificate ready for encrypted communication with the clients.
36 12 javex
37 12 javex
h2. Certificate chains
38 12 javex
39 12 javex
If you happen to have a certificate chain with intermediate certificate authorities (CAs) then you need a specific structure for _quasselCert.pem_. If you do not know what an intermediate CA is, check with your certificate issuer. If you followed the instructions above, you do _not_ have an intermediate CA and do not need these instructions.
40 12 javex
41 12 javex
Your CA should provide you with all intermediate CAs required to complete the chain from your certificate to the root CA. To make this chain work with quassel, make sure the file has the PEM encoded objects in the following order:
42 12 javex
43 12 javex
* Your certificate as issued by the CA
44 12 javex
* The intermediate CA that signed your certificate
45 12 javex
* The intermediate CA that signed the previous CA
46 12 javex
* ... and so on and until you have the intermediate CA that is signed by the root CA
47 12 javex
* Your private key 
48 12 javex
49 12 javex
Note that often you only have one intermediate CA so your file looks like this:
50 12 javex
51 12 javex
* Your certificate
52 12 javex
* Intermediate CA
53 12 javex
* Your private key