
Q and OpenSSL.cnf SelfSigned: Difference between pages

From ZNC
Zarthus (talk | contribs)
No edit summary
 
DoctorD90 (talk | contribs)
Created page with " [default] default_md = sha512 name_opt = ca_default cert_opt = ca_default default_days = 375 policy = @policy_selfsigned [ re..."
 
{{DISPLAYTITLE:q}}

{{ambox | type = delete | text = '''Q is retired'''.<br/>
<small>The Q module has been retired from ZNC version 1.8. There is no alternative, though you can go back through the git history to re-obtain the module if you still need it.</small>}}

This module allows you to authenticate with Q when connecting to QuakeNet, either with the standard AUTH command or the CHALLENGEAUTH mechanism which prevents sending your password in cleartext.

In addition to that, it can activate QuakeNet's hidden host functionality (usermode +x) and request voice and op from Q when you join a channel (like Q's autoop flag +a and autovoice +g) or get deopped/devoiced (like Q's protect +p).

== Usage ==
{{Module arguments
| type = network
| count = two optional
| extra = The arguments are your username and password for Q.
}}

=== Commands ===
==== set ====
First, you have to set your Q username and password.
For this and for changing any other settings, there is a <code>set</code> command.
  /msg *q set <setting> <value>
The following settings are available:
{| style="border: 1px solid black"
! Setting       !! Type    !! Description
|-
| Username      || String  || Your Q username.
|-
| Password      || String  || Your Q password.
|-
| UseHiddenHost || Boolean || Whether to cloak your hostname (+x) automatically on connect.
|-
| UseChallenge  || Boolean || Whether to use the CHALLENGEAUTH mechanism to avoid sending passwords in cleartext.
|-
| RequestPerms  || Boolean || Whether to request voice/op from Q on join/devoice/deop.
|}

==== get ====
To list your current configuration, use the <code>get</code> <small>(or <code>list</code>)</small> command.
  <kroimon> get
  <*q> +---------------+---------+
  <*q> | Setting       | Value   |
  <*q> +---------------+---------+
  <*q> | Username      | kroimon |
  <*q> | Password      | *****   |
  <*q> | UseHiddenHost | true    |
  <*q> | UseChallenge  | true    |
  <*q> | RequestPerms  | true    |
  <*q> +---------------+---------+
The password is never shown here to prevent abuse.

==== auth [<username> <password>] ====
The auth command allows you to auth yourself manually (for example after setting your username and password for the first time).<br />
This command takes two optional parameters: <code><username> <password></code>. The given values will be set as your Q username and password in the settings, too.

==== cloak ====
The <code>cloak</code> command tries to set usermode +x if you're not already cloaked.

==== status ====
  <kroimon> status
  <*q> Connected: yes
  <*q> Cloaked: yes
  <*q> Authed: yes

==== update ====
This command re-requests your current auth state and your channel flags from Q.<br />
Usually you will only need this command after changing your channel flags.

[[Category:Modules]]

Revision as of 18:03, 23 August 2021

[default]
default_md        = sha512
name_opt          = ca_default
cert_opt          = ca_default
default_days      = 375
policy            = @policy_selfsigned

[ req ]
# Options from the [ req ] section are applied
# when creating certificates or certificate signing requests.
# Options for the `req` tool (`man req`).
default_bits        = 4096
distinguished_name  = req_selfsigned
string_mask         = utf8only
default_md          = sha512


[ req_selfsigned ]
# The [ req_selfsigned ] section declares the information
# normally required in a certificate signing request.
# You can optionally specify some defaults.
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName                     = Country Name (2 letter code)
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = State or Province Name (full name)
localityName                    = Locality Name (eg, city)
organizationName                = Organization Name (eg, company)
organizationalUnitName          = Organizational Unit Name (eg, section)
commonName                      = Common Name (e.g. server FQDN or YOUR name)
emailAddress                    = Email Address

# Optionally, specify some defaults.
countryName_default             = IT
stateOrProvinceName_default     = Italy
localityName_default            = Italy
organizationName_default        = ZNC.in
#organizationalUnitName_default  = ZNC Service
#commonName_default             = wiki.znc.in
emailAddress_default            = user [at] example [dot] com

[ policy_selfsigned ]
# See the POLICY FORMAT section of the `ca` man page.
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = optional
emailAddress            = optional

[ usr_cert ]
# We’ll apply the usr_cert extension when signing client certificates,
# such as those used for remote user authentication.
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyAgreement
extendedKeyUsage = critical, clientAuth, emailProtection, codeSigning

[ server_cert ]
# We’ll apply the server_cert extension when signing server certificates,
# such as those used for web servers.
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = critical, serverAuth
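
Using the configuration above to issue a self-signed server certificate and check what ended up in it, as an added example that is not part of the wiki page: the heredoc is a trimmed copy of the page's `[ req ]`, `[ req_selfsigned ]` and `[ server_cert ]` sections, and the function names, file names and `znc.example.test` are assumptions. Because `[ req ]` has no `x509_extensions` line, the extension section has to be selected with `-extensions`.

```shell
#!/bin/sh
# Added example: issue a self-signed server cert from a trimmed copy of the config.
make_selfsigned() {   # $1 = work dir, $2 = common name, $3 = RSA bits (page default: 4096)
  dir=$1; cn=$2; bits=${3:-4096}
  cat > "$dir/selfsigned.cnf" <<'EOF'
[ req ]
default_bits        = 4096
distinguished_name  = req_selfsigned
string_mask         = utf8only
default_md          = sha512

[ req_selfsigned ]
commonName          = Common Name (e.g. server FQDN or YOUR name)

[ server_cert ]
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = critical, serverAuth
EOF
  # -x509 makes `req` write a self-signed certificate instead of a CSR.
  # -extensions names the section to apply; without it no extensions are added.
  # -days mirrors the page's default_days value; -subj skips the interactive prompts.
  openssl req -x509 -new -newkey "rsa:$bits" -nodes \
    -config "$dir/selfsigned.cnf" -extensions server_cert \
    -subj "/CN=$cn" -days 375 \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
}

# Print the parsed certificate so the extensions can be inspected.
show_cert() { openssl x509 -in "$1/cert.pem" -noout -text; }

# Return 0 only if the certificate carries what the config promises:
# not a CA, serverAuth EKU, and a SHA-512 signature.
check_server_cert() {
  text=$(show_cert "$1") || return 1
  echo "$text" | grep -q "CA:FALSE" &&
  echo "$text" | grep -q "TLS Web Server Authentication" &&
  echo "$text" | grep -q "sha512WithRSAEncryption"
}
```

Call `make_selfsigned /some/dir znc.example.test` and then `check_server_cert /some/dir`; swapping `server_cert` for `usr_cert` in the full configuration selects the client-certificate extensions instead.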