Update documentation

Christoph Biedl 2 years ago
parent
commit
357ed2a94e
2 changed files with 27 additions and 0 deletions
  1. 8 0
      debian/ngircd.NEWS
  2. 19 0
      debian/ngircd.README.Debian

+ 8 - 0
debian/ngircd.NEWS

@@ -0,0 +1,8 @@
+ngircd (25-2+deb10u1) buster; urgency=high
+
+  * This version introduces x509 certificate validation on TLS-based
+    server-server links. Existing configurations will likely break, for
+    details see </usr/share/doc/ngircd/README.Debian>, starting at
+    "TLS-based server-server links".
+
+ -- Christoph Biedl <debian.axhn@manchmal.in-ulm.de>  Wed, 01 May 2024 10:00:00 +0200
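Review bot: The entry warns that "Existing configurations will likely break" but does not say which ones or what the minimal fix is, so an administrator reading this during an urgency=high upgrade has to open a second file to learn anything actionable. Consider stating here that the affected setups are those with TLS-based server-server links, and that a CAFile must now be set in the [SSL] stanza because no certificate is trusted by default. The pointer to README.Debian can then stay as the reference for details.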

+ 19 - 0
debian/ngircd.README.Debian

@@ -43,6 +43,25 @@ Certificate location
   Repeat the last step for all users that run a daemon providing TLS.
   Repeat the last step for all users that run a daemon providing TLS.
 
 
 
 
+TLS-based server-server links
+-----------------------------
+When linking two ngircd servers, the connection should be TLS-based for
+obvious reasons. To do so, edit ngircd.conf:
+
+* Enable SSLConnect in each [Server] stanza.
+* Define CAFile in the [SSL] stanza. Note that by default *no*
+  certificate is trusted.
+  If the peers's certificate was signed by one of the well-known
+  certificate authorities: Use the suggested value
+  "/etc/ssl/certs/ca-certificates.crt" and install the ca-certificate
+  package.
+  Else set the value to the respective CA's certificate file.
+
+Verfication can be disabled entirely on a per-link base by setting
+SSLVerify to false. This is strongly discouraged as you will lose all
+security by that.
+
+
 DH parameters file
 DH parameters file
 ------------------
 ------------------
 It is suggested to create a DH params file. If missing, ngIRCd will
 It is suggested to create a DH params file. If missing, ngIRCd will
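Review bot: The added "TLS-based server-server links" section has several wording errors that should be fixed before it ships: "peers's" should be "peer's", "Verfication" should be "Verification", "per-link base" should be "per-link basis", and "install the ca-certificate package" should name the Debian package ca-certificates, which is what provides /etc/ssl/certs/ca-certificates.crt. The statements "for obvious reasons" and "you will lose all security" would also be more useful if they said what is at stake: with SSLVerify set to false the link is still encrypted, but the peer's identity is no longer checked, so the server cannot tell a legitimate peer from an impostor. It would also help to say whether the CAFile bullet applies to both ends of the link, as the SSLConnect bullet does with "each [Server] stanza".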