|
|
@@ -0,0 +1,49 @@
|
|
|
+TLS support
|
|
|
+===========
|
|
|
+
|
|
|
+Some things to take into account when configuring TLS/SSL support:
|
|
|
+
|
|
|
+* The irc user must be able to read the key file.
|
|
|
+* ngircd will run without a DH parameters file but that's a bad idea.
|
|
|
+
|
|
|
+
|
|
|
+Certificate location
|
|
|
+--------------------
|
|
|
+* If your certificate and key are for ngircd only: Simply place them in
|
|
|
+ /etc/ngircd, set SSLKeyFile and SSLCertFile accordingly. To secure the
|
|
|
+ key file (server.key):
|
|
|
+
|
|
|
+ chown irc:irc server.key
|
|
|
+ chmod 600 server.key
|
|
|
+
|
|
|
+* If however you offer several TLS-based services that using the same
|
|
|
+ certificate and key: Consider installing the ssl-cert package which
|
|
|
+ provides the ssl-cert group. Place the certificate file (server.crt)
|
|
|
+ in /etc/ssl/certs/ and the key file (server.key) in /etc/ssl/private/,
|
|
|
+ and make sure ngircd can read it:
|
|
|
+
|
|
|
+ chown root:ssl-cert /etc/ssl/private/server.key
|
|
|
+ chmod 640 /etc/ssl/private/server.key
|
|
|
+ adduser irc ssl-cert
|
|
|
+
|
|
|
+ Repeat the last step for all users that run a daemon providing TLS.
|
|
|
+
|
|
|
+
|
|
|
+DH parameters file
|
|
|
+------------------
|
|
|
+It is suggested to create a DH params file. If missing, ngircd will
|
|
|
+create one on the fly but this will prolong each startup, and users of
|
|
|
+certain clients (e.g. weechat) will be unable to connect using TLS.
|
|
|
+
|
|
|
+To create that file:
|
|
|
+
|
|
|
+* using gnutls (from gnutls-cli package):
|
|
|
+
|
|
|
+ certtool --generate-dh-params --bits 2048 >/etc/ngircd/dhparams.pem
|
|
|
+
|
|
|
+* using openssl:
|
|
|
+
|
|
|
+ openssl dhparam -2 -out /etc/ngircd/dhparams.pem 2048
|
|
|
+
|
|
|
+This has to be done only once. Don't forget to enable the SSLDHFile
|
|
|
+setting in ngircd.conf.
|
Christoph Biedl