1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
|
#!/usr/bin/env perl
#
# InspIRCd -- Internet Relay Chat Daemon
#
# Copyright (C) 2020-2021 Sadie Powell <sadie@witchery.services>
#
# This file is part of InspIRCd. InspIRCd is free software: you can
# redistribute it and/or modify it under the terms of the GNU General Public
# License as published by the Free Software Foundation, version 2.
#
# This program is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
# details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
use v5.10.0;
use strict;
use warnings FATAL => qw(all);
use IO::Socket();
use IO::Socket::SSL();
use constant {
CC_BOLD => -t STDOUT ? "\e[1m" : '',
CC_RESET => -t STDOUT ? "\e[0m" : '',
CC_GREEN => -t STDOUT ? "\e[1;32m" : '',
CC_RED => -t STDOUT ? "\e[1;31m" : '',
};
if (scalar @ARGV < 2) {
say STDERR "Usage: $0 <hostip> <port> [selfsigned]";
exit 1;
}
# By default STDOUT is only flushed at the end of each line. This sucks for our
# needs so we disable it.
STDOUT->autoflush(1);
my $hostip = shift @ARGV;
if ($hostip =~ /[^A-Za-z0-9.:]/) {
say STDERR "Error: invalid hostname or IP address: $hostip";
exit 1;
}
my $port = shift @ARGV;
if ($port =~ /\D/ || $port < 1 || $port > 65535) {
say STDERR "Error: invalid TCP port: $port";
exit 1;
}
my $self_signed = shift // '' eq 'selfsigned';
print "Checking whether ${\CC_BOLD}$hostip/$port${\CC_RESET} is reachable ... ";
my $sock = IO::Socket::INET->new(
PeerAddr => $hostip,
PeerPort => $port,
);
unless ($sock) {
say <<"EOM";
${\CC_RED}no${\CC_RESET}
It seems like the server endpoint you specified is not reachable! Make sure that:
* You have specified a <bind> tag in your config for this endpoint.
* You have rehashed or restarted the server since adding the <bind> tag.
* If you are using a firewall incoming connections on TCP port $port are allowed.
* The endpoint your server is listening on is not local or private.
See https://docs.inspircd.org/3/configuration/#ltbindgt for more information.
EOM
exit 1;
}
say "${\CC_GREEN}yes${\CC_RESET}";
print "Checking whether ${\CC_BOLD}$hostip/$port${\CC_RESET} is using plaintext ... ";
my $error = $sock->recv(my $data, 1);
if ($error) {
say <<"EOM";
${\CC_RED}error${\CC_RESET}
It seems like the server dropped the connection before sending anything! Make sure that:
* The endpoint you specified is actually your IRC server.
* If you are using a firewall incoming data on TCP port $port are allowed.
See https://docs.inspircd.org/3/configuration/#ltbindgt for more information.
EOM
exit 1;
} elsif ($data =~ /[A-Z:@]/) {
say <<"EOM";
${\CC_RED}yes${\CC_RESET}
It appears that the server endpoint is using plaintext! Make sure that:
* You have one or more of the following modules loaded:
- ssl_gnutls
- ssl_openssl
- ssl_mbedtls
* If you have specified one or more <sslprofile> tags then the value of
<bind:sslprofile> is the same as an <sslprofile:name> field. Otherwise, it
should be set to "gnutls" for the ssl_gnutls module, "openssl" for the
ssl_openssl module, or "mbedtls" for the ssl_mbedtls module.
* If you have specified the name of an <sslprofile> in <bind:sslprofile> then
the value of <sslprofile:provider> is set to "gnutls" if using the
ssl_gnutls module, "openssl" if using the ssl_openssl module, or "mbedtls"
if using the ssl_mbedtls module.
* If you have your SSL configuration in a file other than inspircd.conf then
that file is included by inspircd.conf.
See the following links for more information:
https://docs.inspircd.org/3/modules/ssl_gnutls/#configuration
https://docs.inspircd.org/3/modules/ssl_mbedtls/#configuration
https://docs.inspircd.org/3/modules/ssl_openssl/#configuration
EOM
exit 1;
}
$sock->close();
say "${\CC_GREEN}no${\CC_RESET}";
print "Checking whether ${\CC_BOLD}$hostip/$port${\CC_RESET} can have an SSL session negotiated ... ";
$sock = IO::Socket::SSL->new(
PeerAddr => $hostip,
PeerPort => $port,
SSL_hostname => $hostip,
SSL_verify_mode => $self_signed ? IO::Socket::SSL::SSL_VERIFY_NONE : IO::Socket::SSL::SSL_VERIFY_PEER,
);
unless ($sock) {
say <<"EOM";
${\CC_RED}no${\CC_RESET}
It appears that something is wrong with your server. Make sure that:
- You are not using an old version of GnuTLS, mbedTLS, or OpenSSL which only
supports deprecated algorithms like SSLv3.
The error provided by the SSL library was:
$IO::Socket::SSL::SSL_ERROR
EOM
exit 1;
}
say <<"EOM";
${\CC_GREEN}yes${\CC_RESET}
It seems like SSL is working fine on your server. If you are having trouble
connecting try using a different client or connecting from a different host.
You may also find running some of the following commands to be helpful:
gnutls-cli-debug --port $port $hostip
openssl s_client -connect $hostip:$port -debug -security_debug
If you need any help working out what is wrong then visit our support channel
at irc.inspircd.org #inspircd.
EOM
|
