git Service of IN-Ulm e.V. Explore Help
Sign In
cbiedl
/
ngircd
1
0
Fork 0
Files
Tree: b0760fa6cd
Branches Tags
ngircd
/
debian
/
ngircd.README.Debian

ngircd.README.Debian 2.2 KB
History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768 
  1. TLS-based server connection, wheezy/jessie interoperability
    2. 

  2. ===========================================================
    3. 

  3. 

  4. There might be a problem when linking two ngircd servers running
    5. 

  5. the wheezy and the jessie version respectively. If you see
    6. 

  6. | gnutls_handshake: Could not negotiate a supported cipher suite.
    7. 

  7. on the wheezy and
    8. 

  8. | SSL error: The TLS connection was non-properly terminated. [gnutls_handshake].
    9. 

  9. on the jessie side: As a workaround, set "Passive = yes" in jessie's
    10. 

  10. [Server] section so the connection is always initiated by wheezy.
    11. 

  11. This way around the negotiation will succeed.
    12. 

  12. 

  13. 

  14. TLS support
    15. 

  15. ===========
    16. 

  16. 

  17. Some things to take into account when configuring TLS/SSL support:
    18. 

  18. 

  19. * The irc user must be able to read the key file.
    20. 

  20. * ngIRCd will run without a DH parameters file but that's a bad idea.
    21. 

  21. * A certificate exchange requires restart.
    22. 

  22. 

  23. 

  24. Certificate location
    25. 

  25. --------------------
    26. 

  26. * If your certificate and key are for ngIRCd only: Simply place them in
    27. 

  27.   /etc/ngircd, set KeyFile and CertFile accordingly. To secure the key
    28. 

  28.   file (server.key):
    29. 

  29. 

  30.     chown irc:irc server.key
    31. 

  31.     chmod 600 server.key
    32. 

  32. 

  33. * If however you offer several TLS-based services that using the same
    34. 

  34.   certificate and key: Consider installing the ssl-cert package which
    35. 

  35.   provides the ssl-cert group. Place the certificate file (server.crt)
    36. 

  36.   in /etc/ssl/certs/ and the key file (server.key) in /etc/ssl/private/,
    37. 

  37.   and make sure ngIRCd can read it:
    38. 

  38. 

  39. 	chown root:ssl-cert /etc/ssl/private/server.key
    40. 

  40. 	chmod 640 /etc/ssl/private/server.key
    41. 

  41. 	adduser irc ssl-cert
    42. 

  42. 

  43.   Repeat the last step for all users that run a daemon providing TLS.
    44. 

  44. 

  45. 

  46. DH parameters file
    47. 

  47. ------------------
    48. 

  48. It is suggested to create a DH params file. If missing, ngIRCd will
    49. 

  49. create one on the fly but this will prolong each startup.
    50. 

  50. 

  51. To create that file:
    52. 

  52. 

  53. * using gnutls (from gnutls-cli package):
    54. 

  54. 

  55.     certtool --generate-dh-params --bits 2048 >/etc/ngircd/dhparams.pem
    56. 

  56. 

  57. * using openssl:
    58. 

  58. 

  59.     openssl dhparam -2 -out /etc/ngircd/dhparams.pem 2048
    60. 

  60. 

  61. This has to be done only once. Don't forget to enable the DHFile
    62. 

  62. setting in /etc/ngircd/ngircd.conf.
    63. 

  63. 

  64. 

  65. Certificate exchange
    66. 

  66. --------------------
    67. 

  67. Due to limitations of GnuTLS, a re-start of ngIRCd is required if the
    68. 

  68. certificates were changed. A reload is not sufficient.
    69.