|
@@ -1,17 +1,27 @@
|
|
|
+What's new in ngIRCd 18
|
|
|
+=======================
|
|
|
+
|
|
|
+Generic
|
|
|
+-------
|
|
|
+For generic information, including the new names of configuration
|
|
|
+variables, see /usr/share/doc/ngircd/INSTALL.gz
|
|
|
+
|
|
|
+
|
|
|
TLS support
|
|
|
===========
|
|
|
|
|
|
Some things to take into account when configuring TLS/SSL support:
|
|
|
|
|
|
* The irc user must be able to read the key file.
|
|
|
-* ngircd will run without a DH parameters file but that's a bad idea.
|
|
|
+* ngIRCd will run without a DH parameters file but that's a bad idea.
|
|
|
+* A certificate exchange requires restart.
|
|
|
|
|
|
|
|
|
Certificate location
|
|
|
--------------------
|
|
|
-* If your certificate and key are for ngircd only: Simply place them in
|
|
|
- /etc/ngircd, set SSLKeyFile and SSLCertFile accordingly. To secure the
|
|
|
- key file (server.key):
|
|
|
+* If your certificate and key are for ngIRCd only: Simply place them in
|
|
|
+ /etc/ngircd, set KeyFile and CertFile accordingly. To secure the key
|
|
|
+ file (server.key):
|
|
|
|
|
|
chown irc:irc server.key
|
|
|
chmod 600 server.key
|
|
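Review bot: In the new TLS support bullet "A certificate exchange requires restart.", the phrase "certificate exchange" can be read as the exchange of certificates during a TLS handshake rather than replacing the server certificate on disk. Suggest wording such as "Replacing the certificate requires a restart of ngIRCd." so that an operator renewing a certificate knows the daemon has to be restarted before the new one is served. In the Certificate location bullet, KeyFile and CertFile are named without saying where in ngircd.conf they are set; the Generic section already points to INSTALL.gz for the renamed variables, so a short reference back to it here would help people upgrading from SSLKeyFile and SSLCertFile.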
@@ -20,7 +30,7 @@ Certificate location
|
|
|
certificate and key: Consider installing the ssl-cert package which
|
|
|
provides the ssl-cert group. Place the certificate file (server.crt)
|
|
|
in /etc/ssl/certs/ and the key file (server.key) in /etc/ssl/private/,
|
|
|
- and make sure ngircd can read it:
|
|
|
+ and make sure ngIRCd can read it:
|
|
|
|
|
|
chown root:ssl-cert /etc/ssl/private/server.key
|
|
|
chmod 640 /etc/ssl/private/server.key
|
|
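Review bot: "make sure ngIRCd can read it:" above the chown root:ssl-cert and chmod 640 lines is looser than the earlier bullet "The irc user must be able to read the key file." With owner root, group ssl-cert and mode 640, the key is readable only by root and by members of ssl-cert, so this sentence should name the irc user and say that it has to be a member of the ssl-cert group, unless the lines following this hunk already do.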
@@ -31,9 +41,8 @@ Certificate location
|
|
|
|
|
|
DH parameters file
|
|
|
------------------
|
|
|
-It is suggested to create a DH params file. If missing, ngircd will
|
|
|
-create one on the fly but this will prolong each startup, and users of
|
|
|
-certain clients (e.g. weechat) will be unable to connect using TLS.
|
|
|
+It is suggested to create a DH params file. If missing, ngIRCd will
|
|
|
+create one on the fly but this will prolong each startup.
|
|
|
|
|
|
To create that file:
|
|
|
|
|
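Review bot: Dropping the clause about clients such as weechat being unable to connect leaves the longer startup as the only stated cost of a missing DH params file, while the TLS support bullet still calls running without one "a bad idea". If the client problem no longer applies to ngIRCd 18, say so in the commit message or in the "What's new in ngIRCd 18" section; otherwise keep the sentence, or state here why generating the parameters on the fly is still discouraged.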
@@ -45,5 +54,11 @@ To create that file:
|
|
|
|
|
|
openssl dhparam -2 -out /etc/ngircd/dhparams.pem 2048
|
|
|
|
|
|
-This has to be done only once. Don't forget to enable the SSLDHFile
|
|
|
-setting in ngircd.conf.
|
|
|
+This has to be done only once. Don't forget to enable the DHFile
|
|
|
+setting in /etc/ngircd/ngircd.conf.
|
|
|
+
|
|
|
+
|
|
|
+Certificate exchange
|
|
|
+--------------------
|
|
|
+Due to limitations of GnuTLS, a re-start of ngIRCd is required if the
|
|
|
+certificates were changed. A reload is not sufficient.
|
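Review bot: "Don't forget to enable the DHFile setting in /etc/ngircd/ngircd.conf." does not say what the setting has to point to; the openssl command above writes /etc/ngircd/dhparams.pem, so name that path as the value to keep the two in step. In the new Certificate exchange section, "re-start" should match the spelling "restart" used in the TLS support bullet, and "Due to limitations of GnuTLS" would be clearer if it said whether the restriction applies only when ngIRCd is built against GnuTLS.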