ngircd.README.Debian 1.6 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556
  1. TLS support
  2. ===========
  3. Some things to take into account when configuring TLS/SSL support:
  4. * The irc user must be able to read the key file.
  5. * ngIRCd will run without a DH parameters file but that's a bad idea.
  6. * A certificate exchange requires restart.
  7. Certificate location
  8. --------------------
  9. * If your certificate and key are for ngIRCd only: Simply place them in
  10. /etc/ngircd, set KeyFile and CertFile accordingly. To secure the key
  11. file (server.key):
  12. chown irc:irc server.key
  13. chmod 600 server.key
  14. * If however you offer several TLS-based services that using the same
  15. certificate and key: Consider installing the ssl-cert package which
  16. provides the ssl-cert group. Place the certificate file (server.crt)
  17. in /etc/ssl/certs/ and the key file (server.key) in /etc/ssl/private/,
  18. and make sure ngIRCd can read it:
  19. chown root:ssl-cert /etc/ssl/private/server.key
  20. chmod 640 /etc/ssl/private/server.key
  21. adduser irc ssl-cert
  22. Repeat the last step for all users that run a daemon providing TLS.
  23. DH parameters file
  24. ------------------
  25. It is suggested to create a DH params file. If missing, ngIRCd will
  26. create one on the fly but this will prolong each startup.
  27. To create that file:
  28. * using gnutls (from gnutls-cli package):
  29. certtool --generate-dh-params --bits 2048 >/etc/ngircd/dhparams.pem
  30. * using openssl:
  31. openssl dhparam -2 -out /etc/ngircd/dhparams.pem 2048
  32. This has to be done only once. Don't forget to enable the DHFile
  33. setting in /etc/ngircd/ngircd.conf.
  34. Certificate exchange
  35. --------------------
  36. Due to limitations of GnuTLS, a re-start of ngIRCd is required if the
  37. certificates were changed. A reload is not sufficient.