Strict transport security

KICL supports the IRCv3 STS specification which adds support for strict transport security policies to be set by IRC server administrators.

These policies tell the client to connect only via a secure TLS connection for a given duration. They also specify the port on which the client can reach the secure service. Further details on how the system works can be found in the GitHub issue and in the aforementioned specification.

Currently, STS support in KICL is opt-in but in the future this may change to give new developers protection by default whilst ensuring experienced developers are able to turn off the functionality.

Why should I care?

With modern libraries, encryption of communication can be performed seamlessly to increase the privacy of IRC messaging. This is well-aligned with current best practices with other technologies, such as HTTP, and the internet as a whole.

Servers and clients that support this new capability will connect in a secure manner, even if the user misconfigures the client to connect over a plaintext port. It will also allow server operators/admins to seamlessly upgrade users to a secure connection if they haven't yet rolled out TLS.

Getting started with KICL and STS

To use STS, the client needs some way to persist information about the policies it encounters during the connection process. Within the codebase, an interface org.kitteh.irc.client.library.feature.sts.StsStorageManager is available which you can implement yourself for complete control over policy storage.

Alternatively, a default class (currently StsPropertiesStorageManager) which stores the STS policies in a properties file is available to use and built-in to KICL. A utility method makes using this default implementation very straightforward:

Client client = Client.builder().server().host("").then().management().stsStorageManager(StsUtil.getDefaultStorageManager()).then().buildAndConnect();

The STS policies will be persisted in a file in the home directory with name If you'd prefer to store them elsewhere, you can specify a java.nio.Path instance when calling StsUtil.getDefaultStorageManager.

Now, when the client connects it will automatically obey any relevant policies it has found.

Adding your own policies

StsPolicy policy = StsUtil.getStsPolicyFromString(",", "port=6697");
client.getStsMachine().get().getStorageManager().addEntry("", 5000, policy);

Testing STS

This section is aimed at KICL developers/contributors

The InspIRCd test network has support for STS, currently using a CAP key of "draft/sts". Due to a recent spec change, KICL's implementation supports this key.

There is a simple Charybdis module that was created as part of the work on this functionality for testing purposes only. This has also been updated to use the draft key.