1
0

ngircd.README.Debian 2.2 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768
  1. TLS-based server connection, wheezy/jessie interoperability
  2. ===========================================================
  3. There might be a problem when linking two ngircd servers running
  4. the wheezy and the jessie version respectively. If you see
  5. | gnutls_handshake: Could not negotiate a supported cipher suite.
  6. on the wheezy and
  7. | SSL error: The TLS connection was non-properly terminated. [gnutls_handshake].
  8. on the jessie side: As a workaround, set "Passive = yes" in jessie's
  9. [Server] section so the connection is always initiated by wheezy.
  10. This way around the negotiation will succeed.
  11. TLS support
  12. ===========
  13. Some things to take into account when configuring TLS/SSL support:
  14. * The irc user must be able to read the key file.
  15. * ngIRCd will run without a DH parameters file but that's a bad idea.
  16. * A certificate exchange requires restart.
  17. Certificate location
  18. --------------------
  19. * If your certificate and key are for ngIRCd only: Simply place them in
  20. /etc/ngircd, set KeyFile and CertFile accordingly. To secure the key
  21. file (server.key):
  22. chown irc:irc server.key
  23. chmod 600 server.key
  24. * If however you offer several TLS-based services that using the same
  25. certificate and key: Consider installing the ssl-cert package which
  26. provides the ssl-cert group. Place the certificate file (server.crt)
  27. in /etc/ssl/certs/ and the key file (server.key) in /etc/ssl/private/,
  28. and make sure ngIRCd can read it:
  29. chown root:ssl-cert /etc/ssl/private/server.key
  30. chmod 640 /etc/ssl/private/server.key
  31. adduser irc ssl-cert
  32. Repeat the last step for all users that run a daemon providing TLS.
  33. DH parameters file
  34. ------------------
  35. It is suggested to create a DH params file. If missing, ngIRCd will
  36. create one on the fly but this will prolong each startup.
  37. To create that file:
  38. * using gnutls (from gnutls-cli package):
  39. certtool --generate-dh-params --bits 2048 >/etc/ngircd/dhparams.pem
  40. * using openssl:
  41. openssl dhparam -2 -out /etc/ngircd/dhparams.pem 2048
  42. This has to be done only once. Don't forget to enable the DHFile
  43. setting in /etc/ngircd/ngircd.conf.
  44. Certificate exchange
  45. --------------------
  46. Due to limitations of GnuTLS, a re-start of ngIRCd is required if the
  47. certificates were changed. A reload is not sufficient.