git Service of IN-Ulm e.V. Explore Help
Sign In
cbiedl
/
ngircd
1
0
Fork 0
Files
Tree: 8813aafd87
Branches Tags
ngircd
/
debian
/
ngircd.README.Debian

ngircd.README.Debian 2.3 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172 
  1. 

  2. TLS support
    3. 

  3. ===========
    4. 

  4. 

  5. Some things to take into account when configuring TLS/SSL support:
    6. 

  6. 

  7. * The irc user must be able to read the key file.
    8. 

  8. * ngIRCd will run without a DH parameters file but that's a bad idea.
    9. 

  9. * A certificate exchange requires restart.
    10. 

  10. 

  11. 

  12. Certificate location
    13. 

  13. --------------------
    14. 

  14. * If your certificate and key are for ngIRCd only: Simply place them in
    15. 

  15.   /etc/ngircd, set KeyFile and CertFile accordingly. To secure the key
    16. 

  16.   file (server.key):
    17. 

  17. 

  18.     chown irc:irc server.key
    19. 

  19.     chmod 600 server.key
    20. 

  20. 

  21. * If however you offer several TLS-based services that using the same
    22. 

  22.   certificate and key: Consider installing the ssl-cert package which
    23. 

  23.   provides the ssl-cert group. Place the certificate file (server.crt)
    24. 

  24.   in /etc/ssl/certs/ and the key file (server.key) in /etc/ssl/private/,
    25. 

  25.   and make sure ngIRCd can read it:
    26. 

  26. 

  27. 	chown root:ssl-cert /etc/ssl/private/server.key
    28. 

  28. 	chmod 640 /etc/ssl/private/server.key
    29. 

  29. 	adduser irc ssl-cert
    30. 

  30. 

  31.   Repeat the last step for all users that run a daemon providing TLS.
    32. 

  32. 

  33. * DO NOT store these files in /home/ - due to 'ProtectHome=true' in
    34. 

  34.   ngircd.service the daemon will not be able to load the files.
    35. 

  35. 

  36. 

  37. TLS-based server-server links
    38. 

  38. -----------------------------
    39. 

  39. When linking two ngircd servers, the connection should be TLS-based for
    40. 

  40. obvious reasons. To do so, edit ngircd.conf:
    41. 

  41. 

  42. * Enable SSLConnect in each [Server] stanza.
    43. 

  43. * Define CAFile in the [SSL] stanza. Note that by default *no*
    44. 

  44.   certificate is trusted.
    45. 

  45.   If the peers's certificate was signed by one of the well-known
    46. 

  46.   certificate authorities: Use the suggested value
    47. 

  47.   "/etc/ssl/certs/ca-certificates.crt" and install the ca-certificate
    48. 

  48.   package.
    49. 

  49.   Else set the value to the respective CA's certificate file.
    50. 

  50. 

  51. Verfication can be disabled entirely on a per-link base by setting
    52. 

  52. SSLVerify to false. This is strongly discouraged as you will lose all
    53. 

  53. security by that.
    54. 

  54. 

  55. 

  56. DH parameters file
    57. 

  57. ------------------
    58. 

  58. It is suggested to create a DH params file. If missing, ngIRCd will
    59. 

  59. create one on the fly but this will prolong each startup.
    60. 

  60. 

  61. To create that file:
    62. 

  62. 

  63. * using gnutls (from gnutls-cli package):
    64. 

  64. 

  65.     certtool --generate-dh-params --bits 2048 >/etc/ngircd/dhparams.pem
    66. 

  66. 

  67. * using openssl:
    68. 

  68. 

  69.     openssl dhparam -2 -out /etc/ngircd/dhparams.pem 2048
    70. 

  70. 

  71. This has to be done only once. Don't forget to enable the DHFile
    72. 

  72. setting in /etc/ngircd/ngircd.conf.
    73.