1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
|
#!/usr/bin/perl
#
# InspIRCd -- Internet Relay Chat Daemon
#
# Copyright (C) 2021 Matt Schatz <genius3000@g3k.solutions>
# Copyright (C) 2020-2022, 2024 Sadie Powell <sadie@witchery.services>
#
# This file is part of InspIRCd. InspIRCd is free software: you can
# redistribute it and/or modify it under the terms of the GNU General Public
# License as published by the Free Software Foundation, version 2.
#
# This program is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
# details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
use v5.26.0;
use strict;
use warnings FATAL => qw(all);
use IO::Socket();
use IO::Socket::SSL();
use constant {
CC_BOLD => -t STDOUT ? "\e[1m" : '',
CC_RESET => -t STDOUT ? "\e[0m" : '',
CC_GREEN => -t STDOUT ? "\e[1;32m" : '',
CC_RED => -t STDOUT ? "\e[1;31m" : '',
};
if (scalar @ARGV < 2) {
say STDERR "Usage: $0 <hostip> <port> [selfsigned]";
exit 1;
}
# By default STDOUT is only flushed at the end of each line. This sucks for our
# needs so we disable it.
STDOUT->autoflush(1);
# If a server closes the connection whilst an SSL session is being initiated we
# want EPIPE instead of SIGPIPE.
$SIG{PIPE} = 'IGNORE';
my $hostip = shift @ARGV;
if ($hostip =~ /[^A-Za-z0-9.:-]/) {
say STDERR "Error: invalid hostname or IP address: $hostip";
exit 1;
}
my $port = shift @ARGV;
if ($port =~ /\D/ || $port < 1 || $port > 65535) {
say STDERR "Error: invalid TCP port: $port";
exit 1;
}
my $self_signed = shift // '' eq 'selfsigned';
print "Checking whether ${\CC_BOLD}$hostip/$port${\CC_RESET} is reachable ... ";
my $sock = IO::Socket::INET->new(
PeerAddr => $hostip,
PeerPort => $port,
);
unless ($sock) {
say <<"EOM";
${\CC_RED}no${\CC_RESET}
It seems like the server endpoint you specified is not reachable! Make sure that:
* You have specified a <bind> tag in your config for this endpoint.
* You have rehashed or restarted the server since adding the <bind> tag.
* If you are using a firewall incoming connections on TCP port $port are allowed.
* The endpoint your server is listening on is not local or private.
The error provided by the socket library was:
$IO::Socket::errstr
See https://docs.inspircd.org/4/configuration/#bind for more information.
EOM
exit 1;
}
say "${\CC_GREEN}yes${\CC_RESET}";
print "Checking whether ${\CC_BOLD}$hostip/$port${\CC_RESET} is using plaintext ... ";
my $error = $sock->recv(my $data, 1);
if (!defined $error || $data eq '') {
say <<"EOM";
${\CC_RED}error${\CC_RESET}
It seems like the server dropped the connection before sending anything! Make sure that:
* The endpoint you specified is actually your IRC server.
* If you are using a firewall incoming data on TCP port $port are allowed.
* The IP address you are connecting from has not been banned from the server.
See https://docs.inspircd.org/4/configuration/#bind for more information.
EOM
exit 1;
} elsif ($data =~ /[A-Z:@]/) {
say <<"EOM";
${\CC_RED}yes${\CC_RESET}
It appears that the server endpoint is using plaintext! Make sure that:
* You have one or more of the following modules loaded:
- ssl_gnutls
- ssl_openssl
* The value of <bind:sslprofile> is the same as an <sslprofile:name> field.
* The value of <sslprofile:provider> for your used TLS profile is set to
"gnutls" if using the ssl_gnutls module or "openssl" if using the
ssl_openssl module.
* If you have your TLS configuration in a file other than inspircd.conf then
that file is included by inspircd.conf.
See the following links for more information:
https://docs.inspircd.org/4/modules/ssl_gnutls/#configuration
https://docs.inspircd.org/4/modules/ssl_openssl/#configuration
EOM
exit 1;
}
$sock->close();
say "${\CC_GREEN}no${\CC_RESET}";
print "Checking whether ${\CC_BOLD}$hostip/$port${\CC_RESET} can have an TLS session negotiated ... ";
$sock = IO::Socket::SSL->new(
PeerAddr => $hostip,
PeerPort => $port,
SSL_hostname => $hostip,
SSL_verify_mode => $self_signed ? IO::Socket::SSL::SSL_VERIFY_NONE : IO::Socket::SSL::SSL_VERIFY_PEER,
);
unless ($sock) {
say <<"EOM";
${\CC_RED}no${\CC_RESET}
It appears that something is wrong with your server. Make sure that:
* You are not using an old version of GnuTLS or OpenSSL which only supports
deprecated algorithms like SSLv3.
* If you are using a self-signed certificate (not recommended) that you passed
the `selfsigned` argument to this script.
The error provided by the TLS library was:
$IO::Socket::SSL::SSL_ERROR
EOM
exit 1;
}
say <<"EOM";
${\CC_GREEN}yes${\CC_RESET}
It seems like TLS is working fine on your server. If you are having trouble
connecting try using a different client or connecting from a different host.
You may also find running some of the following commands to be helpful:
gnutls-cli-debug --port $port $hostip
openssl s_client -connect $hostip:$port -debug -security_debug
If you need any help working out what is wrong then visit our support channel
at ircs://irc.teranova.net/inspircd.
EOM
|
