#1125469 inspircd: TLS links fail with self-signed certificates after bookworm→trixie upgrade, misleading “malformed link definition” error

Package: inspircd
Source: inspircd
Description: Modular IRCd written in C++
Submitter: Juha Kallio
Date: 2026-03-07 12:11:02 UTC
Severity: normal

#1125469#5
Date: 2026-01-14 11:13:22 UTC
Dear Maintainer,

After upgrading from Debian bookworm to trixie, existing InspIRCd server-to-server links using self-signed TLS certificates fail. The error reported claims the link definition is malformed, but the configuration is unchanged and valid. This is a regression that occurs only after upgrading from bookworm to trixie; the same configuration worked correctly on bookworm and still works after downgrading.

To reproduce

1. Configure two InspIRCd servers on Debian bookworm with a working TLS server link using self-signed certificates.
2. Upgrade the system(s) to Debian trixie.
3. Restart inspircd.

Server link fails.
Error message reports that the link definition is malformed.
No useful certificate or TLS verification error is logged.

Server link should continue to work, or a clear error should indicate certificate verification failure.

Self-signed certificates are the standard configuration for IRC server linking. This regression breaks normal multi-server IRC deployments and can lead to persistent netsplits after upgrade.
The misleading error message nearly led me to leave the servers permanently unlinked.

Upstream InspIRCd 4.9.0 changelog documents fixes for incorrect rejection of self-signed certificates and improved diagnostics when server linking fails due to certificate issues, suggesting Debian’s 4.7.0 package lacks a known upstream fix.

Downgrading back to bookworm version of inspircd restores correct operation. No configuration changes were required.

Regards,
Juha Kallio

#1125469#10
Date: 2026-01-14 11:37:26 UTC
Jan 14 13:19:05 psychedelic.fi systemd[1]: Started inspircd.service - InspIRCd - Internet Relay Chat Daemon.
Jan 14 13:19:05 psychedelic.fi inspircd[3019177]: InspIRCd - Internet Relay Chat Daemon
Jan 14 13:19:05 psychedelic.fi inspircd[3019177]: See /INFO for contributors & authors
Jan 14 13:19:05 psychedelic.fi inspircd[3019177]: InspIRCd Process ID: 3019177
Jan 14 13:19:05 psychedelic.fi inspircd[3019177]: Loading core modules .....................
Jan 14 13:19:05 psychedelic.fi inspircd[3019177]: [*] Loading module: m_spanningtree.so
Jan 14 13:19:05 psychedelic.fi inspircd[3019177]: [*] Loading module: m_sslinfo.so
Jan 14 13:19:05 psychedelic.fi inspircd[3019177]: [*] Loading module: m_ssl_gnutls.so
Jan 14 13:19:05 psychedelic.fi inspircd[3019177]: [*] Unable to read the configuration for m_ssl_gnutls.so: You have not specified any <sslprofile> tags that are usable by this module!
Jan 14 13:19:05 psychedelic.fi systemd[1]: inspircd.service: Main process exited, code=exited, status=1/FAILURE
Jan 14 13:19:05 psychedelic.fi systemd[1]: inspircd.service: Failed with result 'exit-code'.

#1125469#17
Date: 2026-03-07 12:01:03 UTC
Hello Juha, there is not an issue with Debian's inspircd package. I use
self-signed certificates to link servers on trixie just fine. There were
VAST configuration changes from v3 to v4 of inspircd and you MUST adapt
your configuration file.

Looking at your log you posted, and your small configuration snippet,
it's incorrect. Your log clearly states,

Jan 14 13:19:05 psychedelic.fi inspircd[3019177]: [*] Unable to read the configuration for m_ssl_gnutls.so: You have not specified any <sslprofile> tags that are usable by this module!

Your IP and port binding for the SSL port, commonly 6697, has to have an
sslprofile defined to it. Like this,
<bind
     address="7.8.9.9"
     port="6697"
     protocols="tcp"
     type="clients"
     sslprofile="client_ssl">

You then have a <connect block with the name of clients and port 6697.

You then define an <sslprofile block that includes location to the cert
and key, if not defined it defaults to /etc/inspircd/cert.pem and
key.pem and they need chown irc:irc. I have a separate sslprofile for
server linking specifically with its own cert and keypair named
linked-cert.pem and link-key.pem. That is where the self signed linking
cert is at.

Example:

<sslprofile
     name="client_ssl"
     provider="gnutls"
     cafile="" # Keep this blank unless you are doing client cert auth against your own CA.
     crlfile="" # Same thing but this is the revocation list file for your CA. Keep blank unless you are doing cert auth.
     hash="sha256"> # Algo used to generate cert fingerprints.
<sslprofile
     name="server_ssl"
     provider="gnutls"
     cafile=""
     crlfile=""
     certfile="link-cert.pem"
     keyfile="link-key.pem"
     hash="sha256">

If you need additional help, please reach out to InspIRCd support on IRC
and also see the documentation before opening a "serious" bug against
the Debian package.

See:
https://docs.inspircd.org/4/breaking-changes/
https://docs.inspircd.org/4/modules/ssl_gnutls/

Maintainer, please close this bug. There is no issue here.

Regards,
Victor Coss
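
Added example (not part of the thread and not InspIRCd's own code): a pre-restart sanity check for the condition discussed above, flagging any tag whose sslprofile= value names no defined <sslprofile>. The regex-based tag reader is a simplification of the real config syntax, and the function names and the sample config are constructed for illustration.

```python
import re

TAG_RE = re.compile(r'<(\w+)((?:\s+[\w:-]+="[^"]*")*)\s*>')
ATTR_RE = re.compile(r'([\w:-]+)="([^"]*)"')

def strip_comments(text):
    """Drop '#' comments (to end of line) that sit outside quoted values."""
    out, in_quote, skipping = [], False, False
    for ch in text:
        if skipping:
            if ch == "\n":
                skipping = False
                out.append(ch)
            continue
        if ch == '"':
            in_quote = not in_quote
        elif ch == "#" and not in_quote:
            skipping = True
            continue
        out.append(ch)
    return "".join(out)

def parse_tags(text):
    """Return [(tag_name, {attr: value})] for every <tag key="value" ...>."""
    return [(m.group(1), dict(ATTR_RE.findall(m.group(2))))
            for m in TAG_RE.finditer(strip_comments(text))]

def check_sslprofiles(text):
    """List tags whose sslprofile= value names no defined <sslprofile>."""
    tags = parse_tags(text)
    defined = {a.get("name") for t, a in tags if t == "sslprofile"}
    problems = []
    if not defined:
        problems.append("no <sslprofile> tags defined")
    for tag, attrs in tags:
        ref = attrs.get("sslprofile")
        if tag != "sslprofile" and ref and ref not in defined:
            problems.append(f'<{tag}> references undefined sslprofile "{ref}"')
    return problems

# Constructed sample: the client bind from the reply, with only the
# server-link profile defined, so the bind's reference dangles.
SAMPLE = '''
<bind address="7.8.9.9" port="6697" type="clients" sslprofile="client_ssl">
<sslprofile name="server_ssl" provider="gnutls"
     cafile=""  # blank unless doing client cert auth against your own CA
     certfile="link-cert.pem" keyfile="link-key.pem" hash="sha256">
'''

print(check_sslprofiles(SAMPLE))
```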