TLS support
===========

Some things to take into account when configuring TLS/SSL support:

 * The irc user must be able to read the key file.
 * ngircd will run without a DH parameters file, but that's a bad idea.

Certificate location
--------------------

 * If your certificate and key are for ngircd only:
   Simply place them in /etc/ngircd and set SSLKeyFile and SSLCertFile
   accordingly. To secure the key file (server.key):

     chown irc:irc server.key
     chmod 600 server.key

 * If, however, you offer several TLS-based services that use the same
   certificate and key:
   Consider installing the ssl-cert package, which provides the ssl-cert
   group. Place the certificate file (server.crt) in /etc/ssl/certs/ and
   the key file (server.key) in /etc/ssl/private/, and make sure ngircd
   can read it:

     chown root:ssl-cert /etc/ssl/private/server.key
     chmod 640 /etc/ssl/private/server.key
     adduser irc ssl-cert

   Repeat the last step for all users that run a daemon providing TLS.

DH parameters file
------------------

Creating a DH params file is recommended. If it is missing, ngircd will
create one on the fly, but this will prolong each startup, and users of
certain clients (e.g. weechat) will be unable to connect using TLS.

To create that file:

 * using gnutls (from gnutls-cli package):

     certtool --generate-dh-params --bits 2048 >/etc/ngircd/dhparams.pem

 * using openssl:

     openssl dhparam -2 -out /etc/ngircd/dhparams.pem 2048

This has to be done only once.

Don't forget to enable the SSLDHFile setting in ngircd.conf.
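
The following script is an added example, not part of the ngircd package: it checks that the key file named by SSLKeyFile has one of the modes used above and that SSLDHFile is enabled and points at a PEM DH parameters file. The function names and the default path /etc/ngircd/ngircd.conf are assumptions; the setting names are the ones used in this README.

```shell
#!/bin/sh
# Added example: sanity checks for the TLS setup described in this README.
# Function names are illustrative; they are not part of ngircd.

# Succeeds if FILE grants nothing to "other" and at most read to its group
# (600 for the ngircd-only layout, 640 for the shared ssl-cert layout).
key_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2   # GNU stat, as on Debian
    case "$mode" in
        400|600|440|640) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints the value of an enabled KEY in the config file CONF.
# Lines commented out with ';' or '#' do not match and are ignored.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Succeeds if SSLDHFile is enabled in CONF and names a readable PEM file
# with a DH PARAMETERS header.
dh_file_ok() {
    dh=$(conf_value "$1" SSLDHFile)
    [ -n "$dh" ] && [ -r "$dh" ] && grep -q 'BEGIN DH PARAMETERS' "$dh"
}

# Runs all checks; prints one line per problem and returns non-zero if any.
# Usage: check_ngircd_tls [/path/to/ngircd.conf]
check_ngircd_tls() {
    conf=${1:-/etc/ngircd/ngircd.conf}    # assumed default location
    key=$(conf_value "$conf" SSLKeyFile)
    rc=0
    if [ -z "$key" ]; then
        echo "SSLKeyFile is not set in $conf"; rc=1
    elif ! key_mode_ok "$key"; then
        echo "$key: missing, or mode is not one of 400/600/440/640"; rc=1
    fi
    if ! dh_file_ok "$conf"; then
        echo "SSLDHFile is not enabled or is not a DH parameters file"; rc=1
    fi
    return $rc
}
```

Run check_ngircd_tls as the irc user to also confirm that the daemon's account can read the DH parameters file.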