git Service of IN-Ulm e.V. Explore Help
Sign In
cbiedl
/
ngircd
1
0
Fork 0
Files
Tree: c02f61d5fc
Branches Tags
ngircd
/
debian
/
ngircd.README.Debian

ngircd.README.Debian 2.9 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687 
  1. TLS-based server connection, wheezy/jessie interoperability
    2. 

  2. ===========================================================
    3. 

  3. 

  4. There might be a problem when linking two ngircd servers running
    5. 

  5. the wheezy and the jessie version respectively. If you see
    6. 

  6. | gnutls_handshake: Could not negotiate a supported cipher suite.
    7. 

  7. on the wheezy and
    8. 

  8. | SSL error: The TLS connection was non-properly terminated. [gnutls_handshake].
    9. 

  9. on the jessie side: As a workaround, set "Passive = yes" in jessie's
    10. 

  10. [Server] section so the connection is always initiated by wheezy.
    11. 

  11. This way around the negotiation will succeed.
    12. 

  12. 

  13. 

  14. TLS support
    15. 

  15. ===========
    16. 

  16. 

  17. Some things to take into account when configuring TLS/SSL support:
    18. 

  18. 

  19. * The irc user must be able to read the key file.
    20. 

  20. * ngIRCd will run without a DH parameters file but that's a bad idea.
    21. 

  21. * A certificate exchange requires restart.
    22. 

  22. 

  23. 

  24. Certificate location
    25. 

  25. --------------------
    26. 

  26. * If your certificate and key are for ngIRCd only: Simply place them in
    27. 

  27.   /etc/ngircd, set KeyFile and CertFile accordingly. To secure the key
    28. 

  28.   file (server.key):
    29. 

  29. 

  30.     chown irc:irc server.key
    31. 

  31.     chmod 600 server.key
    32. 

  32. 

  33. * If however you offer several TLS-based services that using the same
    34. 

  34.   certificate and key: Consider installing the ssl-cert package which
    35. 

  35.   provides the ssl-cert group. Place the certificate file (server.crt)
    36. 

  36.   in /etc/ssl/certs/ and the key file (server.key) in /etc/ssl/private/,
    37. 

  37.   and make sure ngIRCd can read it:
    38. 

  38. 

  39. 	chown root:ssl-cert /etc/ssl/private/server.key
    40. 

  40. 	chmod 640 /etc/ssl/private/server.key
    41. 

  41. 	adduser irc ssl-cert
    42. 

  42. 

  43.   Repeat the last step for all users that run a daemon providing TLS.
    44. 

  44. 

  45. 

  46. TLS-based server-server links
    47. 

  47. -----------------------------
    48. 

  48. When linking two ngircd servers, the connection should be TLS-based for
    49. 

  49. obvious reasons. To do so, edit ngircd.conf:
    50. 

  50. 

  51. * Enable SSLConnect in each [Server] stanza.
    52. 

  52. * Define CAFile in the [SSL] stanza. Note that by default *no*
    53. 

  53.   certificate is trusted.
    54. 

  54.   If the peers's certificate was signed by one of the well-known
    55. 

  55.   certificate authorities: Use the suggested value
    56. 

  56.   "/etc/ssl/certs/ca-certificates.crt" and install the ca-certificate
    57. 

  57.   package.
    58. 

  58.   Else set the value to the respective CA's certificate file.
    59. 

  59. 

  60. Verfication can be disabled entirely on a per-link base by setting
    61. 

  61. SSLVerify to false. This is strongly discouraged as you will lose all
    62. 

  62. security by that.
    63. 

  63. 

  64. 

  65. DH parameters file
    66. 

  66. ------------------
    67. 

  67. It is suggested to create a DH params file. If missing, ngIRCd will
    68. 

  68. create one on the fly but this will prolong each startup.
    69. 

  69. 

  70. To create that file:
    71. 

  71. 

  72. * using gnutls (from gnutls-cli package):
    73. 

  73. 

  74.     certtool --generate-dh-params --bits 2048 >/etc/ngircd/dhparams.pem
    75. 

  75. 

  76. * using openssl:
    77. 

  77. 

  78.     openssl dhparam -2 -out /etc/ngircd/dhparams.pem 2048
    79. 

  79. 

  80. This has to be done only once. Don't forget to enable the DHFile
    81. 

  81. setting in /etc/ngircd/ngircd.conf.
    82. 

  82. 

  83. 

  84. Certificate exchange
    85. 

  85. --------------------
    86. 

  86. Due to limitations of GnuTLS, a re-start of ngIRCd is required if the
    87. 

  87. certificates were changed. A reload is not sufficient.
    88.