From 1e3e2229908c7eed63beacf830baa959c415c993 Mon Sep 17 00:00:00 2001
From: Felix Fontein
Date: Sat, 18 Nov 2023 23:13:29 +0100
Subject: [PATCH 1/5] Rename use_ssl to use_tls, keep use_ssl as an alias.
---
 plugins/modules/irc.py | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/plugins/modules/irc.py b/plugins/modules/irc.py
index df9d026ac90..f8a8ecedaca 100644
--- a/plugins/modules/irc.py
+++ b/plugins/modules/irc.py
@@ -79,11 +79,15 @@
 - Timeout to use while waiting for successful registration and join
 messages, this is to prevent an endless loop
 default: 30
- use_ssl:
+ use_tls:
 description:
 - Designates whether TLS/SSL should be used when connecting to the IRC server
+ - O(use_tls) is available since community.general 8.1.0, before the option
+ was exlusively called O(use_ssl). The latter is now an alias of O(use_tls).
 type: bool
 default: false
+ aliases:
+ - use_ssl
 part:
 description:
 - Designates whether user should part from channel after sending message or not.
@@ -150,7 +154,7 @@
 def send_msg(msg, server='localhost', port='6667', channel=None, nick_to=None, key=None, topic=None,
- nick="ansible", color='none', passwd=False, timeout=30, use_ssl=False, part=True, style=None):
+ nick="ansible", color='none', passwd=False, timeout=30, use_tls=False, part=True, style=None):
 '''send message to IRC'''
 nick_to = [] if nick_to is None else nick_to
@@ -194,7 +198,7 @@ def send_msg(msg, server='localhost', port='6667', channel=None, nick_to=None, k
 message = styletext + colortext + msg
 irc = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
- if use_ssl:
+ if use_tls:
 if getattr(ssl, 'PROTOCOL_TLS', None) is not None:
 # Supported since Python 2.7.13
 context = ssl.SSLContext(ssl.PROTOCOL_TLS)
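Review bot: The new description line for use_tls misspells "exclusively" (`was exlusively called O(use_ssl)`), and the same wording is carried forward as context into the hunks of patches 3 and 4, so fixing it in this first hunk avoids re-touching those. The line should read `was exclusively called O(use_ssl). The latter is now an alias of O(use_tls).`. This is user-facing option documentation rendered on the docsite, so the typo is visible to every reader of the module page.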
@@ -282,7 +286,7 @@ def main():
 passwd=dict(no_log=True),
 timeout=dict(type='int', default=30),
 part=dict(type='bool', default=True),
- use_ssl=dict(type='bool', default=False)
+ use_tls=dict(type='bool', default=False, aliases=['use_ssl']),
 ),
 supports_check_mode=True,
 required_one_of=[['channel', 'nick_to']]
@@ -301,12 +305,12 @@ def main():
 key = module.params["key"]
 passwd = module.params["passwd"]
 timeout = module.params["timeout"]
- use_ssl = module.params["use_ssl"]
+ use_tls = module.params["use_tls"]
 part = module.params["part"]
 style = module.params["style"]
 try:
- send_msg(msg, server, port, channel, nick_to, key, topic, nick, color, passwd, timeout, use_ssl, part, style)
+ send_msg(msg, server, port, channel, nick_to, key, topic, nick, color, passwd, timeout, use_tls, part, style)
 except Exception as e:
 module.fail_json(msg="unable to send to IRC: %s" % to_native(e), exception=traceback.format_exc())
From aea5fb67f68cda0f5e9b8a0a054bfeb7b77e6ed3 Mon Sep 17 00:00:00 2001
From: Felix Fontein
Date: Sat, 18 Nov 2023 23:19:53 +0100
Subject: [PATCH 2/5] Add validate_certs option.
---
 plugins/modules/irc.py | 32 ++++++++++++++++++++++++--------
 1 file changed, 24 insertions(+), 8 deletions(-)
diff --git a/plugins/modules/irc.py b/plugins/modules/irc.py
index f8a8ecedaca..4b00be69c37 100644
--- a/plugins/modules/irc.py
+++ b/plugins/modules/irc.py
@@ -100,6 +100,14 @@
 - Text style for the message. Note italic does not work on some clients
 choices: [ "bold", "underline", "reverse", "italic", "none" ]
 default: none
+ validate_certs:
+ description:
+ - If set to V(false), the SSL certificates will not be validated.
+ - This should always be set to V(true). Using V(false) is unsafe and should only be done
+ if the network between between Ansible and the IRC server is known to be safe.
+ default: false
+ type: bool
+ version_added: 8.1.0
 # informational: requirements for nodes
 requirements: [ socket ]
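Review bot: The new validate_certs description doubles a word on its second continuation line: `if the network between between Ansible and the IRC server is known to be safe.` should read `if the network between Ansible and the IRC server is known to be safe.`. Since this same series renames the option to use_tls, `the SSL certificates` on the preceding line would be more consistent as `the TLS certificates`. The text tells users the value should always be V(true) while the option keeps `default: false`; a sentence such as `The default is V(false) only for backwards compatibility.` would make clear to readers that the mismatch is deliberate rather than an oversight.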
@@ -154,7 +162,8 @@
 def send_msg(msg, server='localhost', port='6667', channel=None, nick_to=None, key=None, topic=None,
- nick="ansible", color='none', passwd=False, timeout=30, use_tls=False, part=True, style=None):
+ nick="ansible", color='none', passwd=False, timeout=30, use_tls=False, validate_certs=True,
+ part=True, style=None):
 '''send message to IRC'''
 nick_to = [] if nick_to is None else nick_to
@@ -199,13 +208,18 @@ def send_msg(msg, server='localhost', port='6667', channel=None, nick_to=None, k
 irc = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 if use_tls:
- if getattr(ssl, 'PROTOCOL_TLS', None) is not None:
- # Supported since Python 2.7.13
- context = ssl.SSLContext(ssl.PROTOCOL_TLS)
+ if validate_certs:
+ try:
+ context = ssl.create_default_context()
+ except AttributeError:
+ raise Exception('Need at least Python 2.7.9 for SSL certificate validation')
 else:
- context = ssl.SSLContext()
- context.verify_mode = ssl.CERT_NONE
- # TODO: create a secure context with `context = ssl.create_default_context()` instead!
+ if getattr(ssl, 'PROTOCOL_TLS', None) is not None:
+ # Supported since Python 2.7.13
+ context = ssl.SSLContext(ssl.PROTOCOL_TLS)
+ else:
+ context = ssl.SSLContext()
+ context.verify_mode = ssl.CERT_NONE
 irc = context.wrap_socket(irc)
 irc.connect((server, int(port)))
@@ -287,6 +301,7 @@ def main():
 timeout=dict(type='int', default=30),
 part=dict(type='bool', default=True),
 use_tls=dict(type='bool', default=False, aliases=['use_ssl']),
+ validate_certs=dict(type='bool', default=False),
 ),
 supports_check_mode=True,
 required_one_of=[['channel', 'nick_to']]
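Review bot: The validating branch builds its context with `context = ssl.create_default_context()`, which enables check_hostname, but the unchanged `irc = context.wrap_socket(irc)` at the end of this hunk passes no server_hostname, so on Python 3 the wrap raises ValueError ("check_hostname requires server_hostname") and the validate_certs=True path cannot connect at all; it also means no SNI is sent, which many shared IRC front ends need to present the right certificate. The call should become `irc = context.wrap_socket(irc, server_hostname=server)`; the non-validating branch is unaffected because a context created with ssl.SSLContext(ssl.PROTOCOL_TLS) leaves check_hostname off. The `raise Exception(...)` on the AttributeError path is caught by main()'s `except Exception`, so it is reported correctly, though a more specific type such as RuntimeError would read better. send_msg continues past the end of the hunk.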
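Review bot: `validate_certs=dict(type='bool', default=False)` gives the module option the opposite default from the function parameter added in the first hunk of this commit (`validate_certs=True` in the send_msg signature), so the secure default applies only to direct callers of send_msg while every playbook that omits the option gets an unverified TLS connection. If the insecure module default is intentional for backwards compatibility, a comment on this line, such as `# default False only for backwards compatibility; users should set validate_certs=true`, would stop a later reader from "fixing" either side to match the other. The argument_spec and the rest of main() continue outside the hunk.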
@@ -308,9 +323,10 @@ def main():
 use_tls = module.params["use_tls"]
 part = module.params["part"]
 style = module.params["style"]
+ validate_certs = module.params["validate_certs"]
 try:
- send_msg(msg, server, port, channel, nick_to, key, topic, nick, color, passwd, timeout, use_tls, part, style)
+ send_msg(msg, server, port, channel, nick_to, key, topic, nick, color, passwd, timeout, use_tls, validate_certs, part, style)
 except Exception as e:
 module.fail_json(msg="unable to send to IRC: %s" % to_native(e), exception=traceback.format_exc())
From c11470858a5699673073b30c642a187c7000fe27 Mon Sep 17 00:00:00 2001
From: Felix Fontein
Date: Sat, 18 Nov 2023 23:24:53 +0100
Subject: [PATCH 3/5] Add changelog fragment and recommend setting TLS related settings to true.
---
 changelogs/fragments/7550-irc-use_tls-validate_certs.yml | 5 +++++
 plugins/modules/irc.py | 4 ++++
 2 files changed, 9 insertions(+)
 create mode 100644 changelogs/fragments/7550-irc-use_tls-validate_certs.yml
diff --git a/changelogs/fragments/7550-irc-use_tls-validate_certs.yml b/changelogs/fragments/7550-irc-use_tls-validate_certs.yml
new file mode 100644
index 00000000000..0c99d8fd6ff
--- /dev/null
+++ b/changelogs/fragments/7550-irc-use_tls-validate_certs.yml
@@ -0,0 +1,5 @@
+minor_changes:
+ - "irc - add ``validate_certs`` option, and rename ``use_ssl`` to ``use_tls``, while keeping ``use_ssl`` as an alias.
+ The default value for ``validate_certs`` is ``false`` for backwards compatibility. We recommend to every user of
+ this module to explicitly set ``use_tls=true`` and `validate_certs=true`` whenever possible, especially when
+ communicating to IRC servers over the internet (https://github.com/ansible-collections/community.general/pull/7550)."
diff --git a/plugins/modules/irc.py b/plugins/modules/irc.py
index 4b00be69c37..8d6014b65b5 100644
--- a/plugins/modules/irc.py
+++ b/plugins/modules/irc.py
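Review bot: The new value is spliced into a fifteen-argument positional call, `send_msg(msg, server, port, channel, nick_to, key, topic, nick, color, passwd, timeout, use_tls, validate_certs, part, style)`, where a slip in position (validate_certs and part are both booleans) would silently disable certificate validation instead of failing. Passing the trailing options by keyword, `send_msg(msg, server, port, channel, nick_to, key, topic, nick, color, passwd, timeout, use_tls=use_tls, validate_certs=validate_certs, part=part, style=style)`, ties each value to its parameter and survives future reordering of the signature such as the one this commit makes. main() continues outside the hunk.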
@@ -84,6 +84,8 @@
 - Designates whether TLS/SSL should be used when connecting to the IRC server
 - O(use_tls) is available since community.general 8.1.0, before the option
 was exlusively called O(use_ssl). The latter is now an alias of O(use_tls).
+ - B(Note): for security reasons, you should always set O(use_tls=true) and
+ O(validate_certs=true) whenever possible.
 type: bool
 default: false
 aliases:
@@ -105,6 +107,8 @@
 - If set to V(false), the SSL certificates will not be validated.
 - This should always be set to V(true). Using V(false) is unsafe and should only be done
 if the network between between Ansible and the IRC server is known to be safe.
+ - B(Note): for security reasons, you should always set O(use_tls=true) and
+ O(validate_certs=true) whenever possible.
 default: false
 type: bool
 version_added: 8.1.0
From ff46ba27d91047a5409f72c9148f5252ab90a54f Mon Sep 17 00:00:00 2001
From: Felix Fontein
Date: Sat, 18 Nov 2023 23:36:04 +0100
Subject: [PATCH 4/5] Fix formatting.
---
 plugins/modules/irc.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/plugins/modules/irc.py b/plugins/modules/irc.py
index 8d6014b65b5..ec004f79973 100644
--- a/plugins/modules/irc.py
+++ b/plugins/modules/irc.py
@@ -84,7 +84,7 @@
 - Designates whether TLS/SSL should be used when connecting to the IRC server
 - O(use_tls) is available since community.general 8.1.0, before the option
 was exlusively called O(use_ssl). The latter is now an alias of O(use_tls).
- - B(Note): for security reasons, you should always set O(use_tls=true) and
+ - B(Note:) for security reasons, you should always set O(use_tls=true) and
 O(validate_certs=true) whenever possible.
 type: bool
 default: false
@@ -107,7 +107,7 @@
 - If set to V(false), the SSL certificates will not be validated.
 - This should always be set to V(true). Using V(false) is unsafe and should only be done
 if the network between between Ansible and the IRC server is known to be safe.
- - B(Note): for security reasons, you should always set O(use_tls=true) and
+ - B(Note:) for security reasons, you should always set O(use_tls=true) and
 O(validate_certs=true) whenever possible.
 default: false
 type: bool
From 76dc3a365d810702a6961486147c2932da9a22d0 Mon Sep 17 00:00:00 2001
From: Felix Fontein
Date: Wed, 22 Nov 2023 19:02:05 +0100
Subject: [PATCH 5/5] Update documentation to use use_tls=true and validate_certs=true.
---
 plugins/modules/irc.py | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/plugins/modules/irc.py b/plugins/modules/irc.py
index ec004f79973..7cdf80633ca 100644
--- a/plugins/modules/irc.py
+++ b/plugins/modules/irc.py
@@ -124,6 +124,8 @@
 - name: Send a message to an IRC channel from nick ansible
 community.general.irc:
 server: irc.example.net
+ use_tls: true
+ validate_certs: true
 channel: #t1
 msg: Hello world
@@ -132,6 +134,8 @@
 module: irc
 port: 6669
 server: irc.example.net
+ use_tls: true
+ validate_certs: true
 channel: #t1
 msg: 'All finished at {{ ansible_date_time.iso8601 }}'
 color: red
@@ -142,6 +146,8 @@
 module: irc
 port: 6669
 server: irc.example.net
+ use_tls: true
+ validate_certs: true
 channel: #t1
 nick_to:
 - nick1
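Review bot: The first example now sets `use_tls: true` but gives no port, so the module's default of 6667 (the send_msg signature shows `port='6667'`), the conventional plaintext IRC port, is used for a TLS connection, and the two later examples (hunks @@ -132 and @@ -142) keep `port: 6669` alongside the new TLS lines. IRC over TLS is conventionally served on 6697 (RFC 7194), so an example that works against a typical server would add `port: 6697` in the first hunk and use that value in the other two as well. Whether irc.example.net is meant to serve TLS on 6669 is not something the page shows; if the port is intentional, a one-line comment saying so would keep copy-and-paste users from connecting to a plaintext port with TLS enabled.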