What's new in ngIRCd 18
=======================

Generic
-------
For generic information, including the new names of configuration
variables, see /usr/share/doc/ngircd/INSTALL.gz

Debian specific
---------------
The configuration of the user and group ID ngIRCd runs as has
changed in ngircd 18-1. If you see messages like

    Can't change group ID to 65534: Operation not permitted

change the lines

    ;ServerUID = 65534
    ;ServerGID = 65534

into

    ServerGID = irc
    ServerUID = irc


TLS support
===========

Some things to take into account when configuring TLS/SSL support:

* The irc user must be able to read the key file.
* ngIRCd will run without a DH parameters file but that's a bad idea.
* Replacing the certificate requires a restart of ngIRCd.


Certificate location
--------------------
* If your certificate and key are for ngIRCd only: Simply place them in
  /etc/ngircd and set KeyFile and CertFile accordingly. To secure the key
  file (server.key):

    chown irc:irc server.key
    chmod 600 server.key

* If, however, you offer several TLS-based services that use the same
  certificate and key: Consider installing the ssl-cert package which
  provides the ssl-cert group. Place the certificate file (server.crt)
  in /etc/ssl/certs/ and the key file (server.key) in /etc/ssl/private/,
  and make sure ngIRCd can read it:

	chown root:ssl-cert /etc/ssl/private/server.key
	chmod 640 /etc/ssl/private/server.key
	adduser irc ssl-cert

  Repeat the last step for all users that run a daemon providing TLS.


DH parameters file
------------------
It is suggested to create a DH params file. If missing, ngIRCd will
create one on the fly but this will prolong each startup.

To create that file:

* using gnutls (from gnutls-cli package):

    certtool --generate-dh-params --bits 2048 >/etc/ngircd/dhparams.pem

* using openssl:

    openssl dhparam -2 -out /etc/ngircd/dhparams.pem 2048

This has to be done only once. Don't forget to enable the DHFile
setting in /etc/ngircd/ngircd.conf.
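
The following check is an added example, not part of the ngIRCd package or this README's original text. It reads the active KeyFile and DHFile settings from a config file and reports a key file that is group-writable or accessible to others, and a DHFile that is not enabled or missing. The script name and the make_sample helper are hypothetical, and GNU stat (as shipped on Debian) is assumed.

```shell
#!/bin/sh
# Added example: audit the KeyFile/DHFile settings described in this README.
# Usage (script name is hypothetical): sh audit-ngircd-tls.sh /etc/ngircd/ngircd.conf

# Print the value of the first active (uncommented) "KEY = value" line in CONF.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$1" | head -n 1
}

# Succeed only if FILE is neither group-writable nor accessible to "others".
# Both layouts from this README pass: 600 (irc:irc) and 640 (root:ssl-cert).
key_mode_ok() {
    mode=$(stat -c '%a' "$1") || return 1
    [ $(( 0$mode & 027 )) -eq 0 ]
}

# Print findings for CONF; the exit status is the number of findings.
audit_tls() {
    conf=$1
    findings=0
    key=$(conf_value "$conf" KeyFile)
    dh=$(conf_value "$conf" DHFile)
    if [ -z "$key" ]; then
        echo "KeyFile is not set"; findings=$((findings + 1))
    elif [ ! -f "$key" ]; then
        echo "KeyFile $key does not exist"; findings=$((findings + 1))
    elif ! key_mode_ok "$key"; then
        echo "KeyFile $key has mode $(stat -c '%a' "$key"), too permissive"; findings=$((findings + 1))
    fi
    if [ -z "$dh" ]; then
        echo "DHFile is not enabled"; findings=$((findings + 1))
    elif [ ! -s "$dh" ]; then
        echo "DHFile $dh is missing or empty"; findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample for a dry run: config, empty key and dummy DH file in DIR.
make_sample() {
    dir=$1 keymode=$2
    : > "$dir/server.key"; chmod "$keymode" "$dir/server.key"
    echo "constructed placeholder" > "$dir/dhparams.pem"
    printf 'KeyFile = %s\n;DHFile = %s\n' "$dir/server.key" "$dir/dhparams.pem" > "$dir/ngircd.conf"
}

if [ "$#" -gt 0 ]; then audit_tls "$1"; fi
```

The mode check does not confirm that the irc user can actually read the key; verify ownership or ssl-cert group membership separately.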


Certificate exchange
--------------------
Due to limitations of GnuTLS, a restart of ngIRCd is required if the
certificates were changed. A reload is not sufficient.