Skip to content

ngIRCd 27~rc1

Pre-release
Pre-release
Compare
Choose a tag to compare
@alexbarton alexbarton released this 13 Apr 12:44
· 10 commits to master since this release
rel-27-rc1
This tag was signed with the committer’s verified signature.
alexbarton Alexander Barton
GPG key ID: 8A459AD2EAA15A24
Learn about vigilant mode.
b362b5a

More than three years have passed since the last release of ngIRCd – a free, portable and lightweight Internet Relay Chat server for small or private networks – and more than 130 individual patches have accumulated in the Git “master branch” in the meantime. Some are cosmetic, some bring new functionality, others improve the documentation or fix bugs. All in all, it’s more than time for the next “big” release of ngIRCd!

And here it is, the 1st release candidate for the upcoming ngIRCd release 27!

The most prominent and possibly breaking(!) change is that ngIRCd now validates SSL/TLS certificates on server-server links. Until now, ngIRCd optionally used encrypted server-server links (when SSLConnect = yes is set in a [Server] block, which is not the default) but never checked and validated any certificates. Oh my! Most probably we never should have released it this way in ngIRCd 13 back in 2008 … I hope you all were aware of this, right? Because you never configured a CA to trust, for example …?

But finally we made it, and ngIRCd now validates SSL/TLS certificates on outgoing server-server links by default and drops(!) connections when the remote certificate is invalid (for example self-signed, expired, not matching the host name, …). Therefore you have to make sure that all relevant certificates are valid (or to disable certificate validation on this connection using the new SSLVerify = false setting in the affected [Server] block, where the remote certificate is not valid and you can not fix this issue).

The original patch for OpenSSL certificate validation on server-links dates back to 2009 and was written by Florian Westphal and extended for GnuTLS in 2014 by Christoph Biedl. But it took us another 10 years to bring it to life … oh my! Many thanks to both Florian and Christoph! (This closes issue #120)

But that’s not all. In addition to the above, the following noteworthy changes are listed in the NEWS file:

  • Add support for the “sd_notify” protocol of systemd(8): Periodically “ping” the service manager (every 3 seconds) and set a status message showing current connection statistics which then is included in systemctl status ngircd.service output. In addition, this enables using the systemd(8) watchdog functionality (WatchdogSec) for the ngircd.service unit and allows it to use the notify service type, which results in better status tracking by the service manager.

  • Try to set file descriptor limit to its maximum and show info on startup: The number of possible parallel connections is limited by the file descriptor limit of the process (among other things). Therefore try to upgrade the current “soft” limit to its “hard” maximum (but limited to 100000 instead of “infinite”), and show an information or even warning when the limit is still less than the configured MaxConnections setting. Please note that ngIRCd and its linked libraries (like PAM) need file descriptors not only for incoming and outgoing IRC connections, but for reading files and inter-process communication, too! Therefore the actual connection limit is less(!) than the file descriptor limit!

  • Add a Docker file (contrib/Dockerfile) and corresponding documentation (doc/Container.md) to the project. The resulting container is based on the latest Debian “stable-slim” container and built using a “build container”.

  • No longer use a default built-in value for the IncludeDir directive when a configuration file was explicitly specified on the command line using --config/-f: This way no default include directory is scanned when a possibly non-default configuration file is used which (intentionally) did not specify an IncludeDir directive. So now you can use -f /dev/null for checking all built-in defaults, regardless of any local configuration files in the default drop-in directory (which would have been read in until this change).

  • The server Name in the [Global] section of the configuration file no longer needs to be set: When not set (or empty), ngIRCd now tries to deduce a valid IRC server name from the local host name (“node name”), possibly adding a .host extension when the host name does not contain a dot (.) which is required in an IRC server name (“ID”). This new behavior, with all configuration parameters now being optional, allows running ngIRCd without any configuration file at all.

  • Autodetect support for IPv6 by default: Until now, IPv6 support was disabled by default, which seems a bit outdated in 2024. Note: You still can pass --enable-ipv6/--disable-ipv6 to the ./configure script to forcefully activate or deactivate IPv6 support.

  • Do IDENT requests even when DNS lookups are disabled: Up to now disabling DNS in the configuration disabled IDENT lookups as well (for no good reason). Now you can activate/deactivate DNS lookups and IDENT requests completely separately. Thanks for reporting this, Miniontoby! Closes #291.

  • Allow SSL client-only configurations without keys/certificates: You don’t need to configure certificates/keys as long as you don’t configure SSL-enabled listening ports. This can make sense when you want to only link your local daemon to an uplink server using SSL and only have clients on your local host or in your fully trusted network, where SSL is not required.

  • Respect SSLConnect option for incoming connections and do not accept incoming plain-text (“non SSL”) server connections for servers configured with SSLConnect enabled. This change prevents an authenticated client-server being able to force the server-server to send its password on a plain-text connection when SSL/TLS was intended.

  • Add a new option Autojoin to [Channel] blocks: When it is set, ngIRCd automatically joins all local users to this channel on connect. Note: The users must have permissions to access the channel, otherwise joining them will fail. Thanks Ivan Agarkov for the initial patch!

  • Hide invisible (+i) users on WHOIS <pattern>: Let’s behave like most(?) other IRC daemons (at least ircd2.11) and hide all +i users when WHOIS is used with a pattern. Otherwise privacy of this users is not guaranteed and the +i mode a bit useless … Reported by Cahata on #ngircd, thanks!

  • Make the debug log level (--debug/-d command line option) always available, not only when ./configure’d with --enable-debug: the latter now only enables additional checks (like the tests done using assert(2)) and is signalled by adding +DEBUG to the version “feature string”. This change enables everyone to get even more detailed logging when required.

  • Allow IRC operators to use the WHO command on any channel.

  • Send the NAMES list and channel topic to users “forcefully” joined to a channel using NJOIN, like they joined on their own using JOIN, and streamline the order of NAMES list and channel topic messages. Closes #288.

  • Added a new command line option -y/--syslog, with which logging to syslog can be activated/deactivated separately from running on the console (using --nodaemon) or in the background. Thanks Katherine Peeters for the patch and pull request! Closes #294.

  • Update, enhance and extend our documentation in README.md, INSTALL.md, doc/HowToRelease.txt and the manual pages ngircd(8) and ngircd.conf(5), add a new doc/QuickStart.md document, and convert some more documentation files to Markdown (AUTHORS.md, contrib/README.md, doc/FAQ.md, doc/SSL.md).

And the ChangeLog has even more details and lists all the fixes, minor enhancements and tweaks.

You can download ngIRCd 27~rc1 from the download section on our homepage at https://ngircd.barton.de (mirror: https://ngircd.sourceforge.io). The primary download locations are:

It would be great if as many people as possible try to build this release candidate code on as many platforms as possible!

Please report any issues and glitches you find to the GitHub issue tracker (https://github.com/ngircd/ngircd/issues), the mailing list (ngircd@lists.barton.de), or to the #ngircd channel on IRC: irc://irc.barton.de/ngircd. Enhancements and additions to the documentation, manual pages and the homepage are welcome as well!

The easiest way to test ngIRCd is to run the ./contrib/platformtest.sh script which is included in the distribution archives, for example like this:

$ curl -#LO "https://ngircd.barton.de/pub/ngircd/ngircd-27~rc1.tar.gz"
$ tar xzf "ngircd-27~rc1.tar.gz"
$ cd ngircd-27~rc1
$ ./contrib/platformtest.sh

This will take a few minutes (4-5) as our test suite takes some time because of the “penalties” that the test clients have to cope with (the compile run itself is quite fast), and should result in a nice summary like this:

                                the executable works ("runs") as expected --+
                                  tests run successfully ("make check") --+ |
                                             ngIRCd compiles ("make") --+ | |
                                                  ./configure works --+ | | |
                                                                      | | | |
Platform                    Compiler     ngIRCd     Date     Tester   C M T R *
--------------------------- ------------ ---------- -------- -------- - - - - -
x86_64/pc/linux-gnu         gcc 12.2.0   26.1~122-g 24-03-27 alex     Y Y Y Y 1

If you like, and especially if you are on a bit more “special” system (non-amd64, non-arm64, non-Linux?), you can say “Hello!” in the irc://irc.barton.de/ngircd IRC channel and post this result line there: then we can include it in the doc/Platforms.txt file.

Thanks a lot to all contributors & testers!

Happy testing and have fun!

Assets 10