1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768 |
- TLS-based server connection, wheezy/jessie interoperability
- ===========================================================
- There might be a problem when linking two ngircd servers running
- the wheezy and the jessie version respectively. If you see
- | gnutls_handshake: Could not negotiate a supported cipher suite.
- on the wheezy and
- | SSL error: The TLS connection was non-properly terminated. [gnutls_handshake].
- on the jessie side: As a workaround, set "Passive = yes" in jessie's
- [Server] section so the connection is always initiated by wheezy.
- This way around the negotiation will succeed.
- TLS support
- ===========
- Some things to take into account when configuring TLS/SSL support:
- * The irc user must be able to read the key file.
- * ngIRCd will run without a DH parameters file but that's a bad idea.
- * A certificate exchange requires restart.
- Certificate location
- --------------------
- * If your certificate and key are for ngIRCd only: Simply place them in
- /etc/ngircd, set KeyFile and CertFile accordingly. To secure the key
- file (server.key):
- chown irc:irc server.key
- chmod 600 server.key
- * If however you offer several TLS-based services that using the same
- certificate and key: Consider installing the ssl-cert package which
- provides the ssl-cert group. Place the certificate file (server.crt)
- in /etc/ssl/certs/ and the key file (server.key) in /etc/ssl/private/,
- and make sure ngIRCd can read it:
- chown root:ssl-cert /etc/ssl/private/server.key
- chmod 640 /etc/ssl/private/server.key
- adduser irc ssl-cert
- Repeat the last step for all users that run a daemon providing TLS.
- DH parameters file
- ------------------
- It is suggested to create a DH params file. If missing, ngIRCd will
- create one on the fly but this will prolong each startup.
- To create that file:
- * using gnutls (from gnutls-cli package):
- certtool --generate-dh-params --bits 2048 >/etc/ngircd/dhparams.pem
- * using openssl:
- openssl dhparam -2 -out /etc/ngircd/dhparams.pem 2048
- This has to be done only once. Don't forget to enable the DHFile
- setting in /etc/ngircd/ngircd.conf.
- Certificate exchange
- --------------------
- Due to limitations of GnuTLS, a re-start of ngIRCd is required if the
- certificates were changed. A reload is not sufficient.
|