ngircd.README.Debian 1.6 KB

  1. TLS support
  2. ===========
  3. Some things to take into account when configuring TLS/SSL support:
  4. * The irc user must be able to read the key file.
  5. * ngIRCd will run without a DH parameters file but that's a bad idea.
  6. * A certificate exchange requires restart.
  7. Certificate location
  8. --------------------
  9. * If your certificate and key are for ngIRCd only: Simply place them in
  10. /etc/ngircd, set KeyFile and CertFile accordingly. To secure the key
  11. file (server.key):
  12. chown irc:irc server.key
  13. chmod 600 server.key
  14. * If however you offer several TLS-based services that using the same
  15. certificate and key: Consider installing the ssl-cert package which
  16. provides the ssl-cert group. Place the certificate file (server.crt)
  17. in /etc/ssl/certs/ and the key file (server.key) in /etc/ssl/private/,
  18. and make sure ngIRCd can read it:
  19. chown root:ssl-cert /etc/ssl/private/server.key
  20. chmod 640 /etc/ssl/private/server.key
  21. adduser irc ssl-cert
  22. Repeat the last step for all users that run a daemon providing TLS.
  23. * DO NOT store these files in /home/ - due to 'ProtectHome=true' in
  24. ngircd.service the daemon will not be able to load the files.
  25. DH parameters file
  26. ------------------
  27. It is suggested to create a DH params file. If missing, ngIRCd will
  28. create one on the fly but this will prolong each startup.
  29. To create that file:
  30. * using gnutls (from gnutls-cli package):
  31. certtool --generate-dh-params --bits 2048 >/etc/ngircd/dhparams.pem
  32. * using openssl:
  33. openssl dhparam -2 -out /etc/ngircd/dhparams.pem 2048
  34. This has to be done only once. Don't forget to enable the DHFile
  35. setting in /etc/ngircd/ngircd.conf.