Document configuration for verification of TLS-based server-server links

debian/ngircd.NEWS

@@ -0,0 +1,8 @@
+ngircd (27~rc1-1) unstable; urgency=high
+
+  * This version introduces x509 certificate validation on TLS-based
+    server-server links. Existing configurations will likely break, for
+    details see </usr/share/doc/ngircd/README.Debian>, starting at
+    "TLS-based server-server links".
+
+ -- Christoph Biedl <debian.axhn@manchmal.in-ulm.de>  Sat, 13 Apr 2024 19:16:02 +0200

debian/ngircd.README.Debian

@@ -24,9 +24,9 @@ Certificate location
   in /etc/ssl/certs/ and the key file (server.key) in /etc/ssl/private/,
   and make sure ngIRCd can read it:
 
-	chown root:ssl-cert /etc/ssl/private/server.key
-	chmod 640 /etc/ssl/private/server.key
-	adduser irc ssl-cert
+        chown root:ssl-cert /etc/ssl/private/server.key
+        chmod 640 /etc/ssl/private/server.key
+        adduser irc ssl-cert
 
   Repeat the last step for all users that run a daemon providing TLS.
 
@@ -34,6 +34,25 @@ Certificate location
   ngircd.service the daemon will not be able to load the files.
 
 
+TLS-based server-server links
+-----------------------------
+When linking two ngircd servers, the connection should be TLS-based for
+obvious reasons. To do so, edit ngircd.conf:
+
+* Enable SSLConnect in each [Server] stanza.
+* Define CAFile in the [SSL] stanza. Note that by default *no*
+  certificate is trusted.
+  If the peers's certificate was signed by one of the well-known
+  certificate authorities: Use the suggested value
+  "/etc/ssl/certs/ca-certificates.crt" and install the ca-certificate
+  package.
+  Else set the value to the respective CA's certificate file.
+
+Verfication can be disabled entirely on a per-link base by setting
+SSLVerify to false. This is strongly discouraged as you will lose all
+security by that.
+
+
 DH parameters file
 ------------------
 It is suggested to create a DH params file. If missing, ngIRCd will