12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364 |
- What's new in ngIRCd 18
- =======================
- Generic
- -------
- For generic information, including the new names of configuration
- variables, see /usr/share/doc/ngircd/INSTALL.gz
- TLS support
- ===========
- Some things to take into account when configuring TLS/SSL support:
- * The irc user must be able to read the key file.
- * ngIRCd will run without a DH parameters file but that's a bad idea.
- * A certificate exchange requires restart.
- Certificate location
- --------------------
- * If your certificate and key are for ngIRCd only: Simply place them in
- /etc/ngircd, set KeyFile and CertFile accordingly. To secure the key
- file (server.key):
- chown irc:irc server.key
- chmod 600 server.key
- * If however you offer several TLS-based services that using the same
- certificate and key: Consider installing the ssl-cert package which
- provides the ssl-cert group. Place the certificate file (server.crt)
- in /etc/ssl/certs/ and the key file (server.key) in /etc/ssl/private/,
- and make sure ngIRCd can read it:
- chown root:ssl-cert /etc/ssl/private/server.key
- chmod 640 /etc/ssl/private/server.key
- adduser irc ssl-cert
- Repeat the last step for all users that run a daemon providing TLS.
- DH parameters file
- ------------------
- It is suggested to create a DH params file. If missing, ngIRCd will
- create one on the fly but this will prolong each startup.
- To create that file:
- * using gnutls (from gnutls-cli package):
- certtool --generate-dh-params --bits 2048 >/etc/ngircd/dhparams.pem
- * using openssl:
- openssl dhparam -2 -out /etc/ngircd/dhparams.pem 2048
- This has to be done only once. Don't forget to enable the DHFile
- setting in /etc/ngircd/ngircd.conf.
- Certificate exchange
- --------------------
- Due to limitations of GnuTLS, a re-start of ngIRCd is required if the
- certificates were changed. A reload is not sufficient.
|