TLS support
===========

Some things to take into account when configuring TLS/SSL support:

 * The irc user must be able to read the key file.
 * ngircd will run without a DH parameters file but that's a bad idea.

Certificate location
--------------------

 * If your certificate and key are for ngircd only: Simply place them in
   /etc/ngircd and set SSLKeyFile and SSLCertFile accordingly. To secure the
   key file (server.key):

       chown irc:irc server.key
       chmod 600 server.key

 * If, however, you offer several TLS-based services that use the same
   certificate and key: Consider installing the ssl-cert package, which
   provides the ssl-cert group. Place the certificate file (server.crt)
   in /etc/ssl/certs/ and the key file (server.key) in /etc/ssl/private/,
   and make sure ngircd can read it:

       chown root:ssl-cert /etc/ssl/private/server.key
       chmod 640 /etc/ssl/private/server.key
       adduser irc ssl-cert

   Repeat the last step for all users that run a daemon providing TLS.

DH parameters file
------------------

It is suggested to create a DH params file. If it is missing, ngircd will
create one on the fly, but this will prolong each startup, and users of
certain clients (e.g. weechat) will be unable to connect using TLS.

To create that file:

 * using gnutls (from gnutls-cli package):

       certtool --generate-dh-params --bits 2048 >/etc/ngircd/dhparams.pem

 * using openssl:

       openssl dhparam -2 -out /etc/ngircd/dhparams.pem 2048

This has to be done only once. Don't forget to enable the SSLDHFile
setting in ngircd.conf.
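
The following check of the setup described above is an added example, not part of ngircd or of this README. It verifies that the key file has one of the modes given above and that ngircd.conf has an active SSLDHFile setting pointing at a file with DH parameters. It assumes GNU stat (as on Debian) and the SSLDHFile spelling used here; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: audit the key-file mode and DH parameters setup.

# key_mode_ok FILE: succeed only for the modes recommended above
# (600 for the ngircd-only layout, 640 for the ssl-cert layout) or
# their read-only variants; anything group-writable or world-readable fails.
key_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    case "$mode" in
        400|600|440|640) return 0 ;;
        *) return 1 ;;
    esac
}

# dhfile_setting CONF: print the value of the last active SSLDHFile line.
# Lines commented out with ';' or '#' do not match and are ignored.
dhfile_setting() {
    sed -n 's/^[[:space:]]*SSLDHFile[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$1" |
        tail -n 1
}

# audit_tls KEYFILE CONF: report each problem, return 1 if any was found.
audit_tls() {
    rc=0
    if ! key_mode_ok "$1"; then
        echo "FAIL: $1 should be mode 600 (or 640 with group ssl-cert)"
        rc=1
    fi
    dh=$(dhfile_setting "$2")
    if [ -z "$dh" ]; then
        echo "FAIL: SSLDHFile is not enabled in $2"
        rc=1
    elif ! grep -q 'BEGIN DH PARAMETERS' "$dh" 2>/dev/null; then
        echo "FAIL: $dh is missing or contains no DH parameters"
        rc=1
    fi
    return $rc
}

# Run the audit when called with two arguments, e.g.
#   sh audit.sh /etc/ngircd/server.key /etc/ngircd/ngircd.conf
if [ "$#" -eq 2 ]; then
    audit_tls "$1" "$2"
fi
```

The mode check does not prove that the irc user can read the key; ownership (irc:irc or root:ssl-cert with irc in that group) still has to match one of the two layouts above.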