ngircd.README.Debian 1.5 KB

TLS support
===========

Some things to take into account when configuring TLS/SSL support:

* The irc user must be able to read the key file.
* ngircd will run without a DH parameters file but that's a bad idea.

Certificate location
--------------------

* If your certificate and key are for ngircd only: Simply place them in
  /etc/ngircd, set SSLKeyFile and SSLCertFile accordingly. To secure the
  key file (server.key):

    chown irc:irc server.key
    chmod 600 server.key

* If however you offer several TLS-based services that use the same
  certificate and key: Consider installing the ssl-cert package which
  provides the ssl-cert group. Place the certificate file (server.crt)
  in /etc/ssl/certs/ and the key file (server.key) in /etc/ssl/private/,
  and make sure ngircd can read it:

    chown root:ssl-cert /etc/ssl/private/server.key
    chmod 640 /etc/ssl/private/server.key
    adduser irc ssl-cert

  Repeat the last step for all users that run a daemon providing TLS.

DH parameters file
------------------

It is suggested to create a DH params file. If missing, ngircd will
create one on the fly but this will prolong each startup, and users of
certain clients (e.g. weechat) will be unable to connect using TLS.

To create that file:

* using gnutls (from gnutls-cli package):

    certtool --generate-dh-params --bits 2048 >/etc/ngircd/dhparams.pem

* using openssl:

    openssl dhparam -2 -out /etc/ngircd/dhparams.pem 2048

This has to be done only once. Don't forget to enable the SSLDHFile
setting in ngircd.conf.
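
A check for the setup described above, as an added example that is not part
of the original README or of ngircd: it verifies that the key file has one of
the modes used here (600 or 640, or a stricter read-only variant) and that the
DH file actually holds a PEM DH PARAMETERS block. The function names and the
"run" argument are made up for this example, and GNU stat (coreutils) is assumed.

```shell
#!/bin/sh
# Added example: audit the key file and DH params file from this README.
# Assumption: GNU stat (coreutils), as shipped on Debian.

# check_key_mode FILE
# Succeeds only if "other" has no access and "group" has at most read,
# i.e. the modes the README sets (600, 640) or stricter (400, 440).
check_key_mode() {
    [ -f "$1" ] || { echo "missing: $1"; return 2; }
    mode=$(stat -c '%a' "$1")
    owner=$(stat -c '%U:%G' "$1")
    case "$mode" in
        400|600|440|640)
            echo "ok: $1 mode $mode owner $owner"; return 0 ;;
        *)
            echo "unexpected mode: $1 mode $mode owner $owner"; return 1 ;;
    esac
}

# check_dh_file FILE
# Succeeds if FILE is non-empty and contains a PEM DH PARAMETERS block.
check_dh_file() {
    [ -s "$1" ] || { echo "missing or empty: $1"; return 2; }
    grep -q -- '-----BEGIN DH PARAMETERS-----' "$1" || {
        echo "no DH PARAMETERS block in $1"; return 1; }
    echo "ok: $1"
}

# audit_ngircd_tls KEYFILE DHFILE: run both checks, fail if either fails.
audit_ngircd_tls() {
    rc=0
    check_key_mode "$1" || rc=1
    check_dh_file "$2" || rc=1
    return $rc
}

# When called as "script run [KEYFILE] [DHFILE]", audit the README's paths.
if [ "${1:-}" = "run" ]; then
    audit_ngircd_tls "${2:-/etc/ngircd/server.key}" \
                     "${3:-/etc/ngircd/dhparams.pem}"
fi
```

The owner and group are printed rather than enforced, because the expected
values differ between the two layouts (irc:irc versus root:ssl-cert).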