authorFlorian Westphal <fw@strlen.de>2008-09-13 15:10:08 +0200
committerFlorian Westphal <fw@strlen.de>2008-09-13 15:10:08 +0200
commitebf5edfd8788037c39818461d09874a851b845fc (patch)
tree98f20ab2ed0c013c530437352adab4cd8e1d2bb1 /doc
parentbdd44eb0ab7e6ee080989c672ce6deeffae987c2 (diff)
TLS/SSL support: documentation.
Diffstat (limited to 'doc')
-rw-r--r--doc/SSL.txt29
-rw-r--r--doc/sample-ngircd.conf22
2 files changed, 46 insertions, 5 deletions
diff --git a/doc/SSL.txt b/doc/SSL.txt
index 7578ad80..6ea207e6 100644
--- a/doc/SSL.txt
+++ b/doc/SSL.txt
@@ -10,9 +10,31 @@
                                  -- SSL.txt --
 
 
-ngIRCd actually doesn't support secure connections for client-server or
-server-server links using SSL, the Secure Socket Layer, by itself. But you can
-use the stunnel(8) command to make this work.
+ngIRCd supports SSL/TLSv1 encrypted connections using the
+OpenSSL or gnutls library.
+Both encryped server <-> client and server <-> server links should work.
+
+BEWARE! The Code is mostly untested, use at your own risk!
+
+Example that creates a self-signed certificate and key (using OpenSSL):
+openssl req -newkey rsa:2048 -x509 -keyout server-key.pem \
+		-out server-cert.pem -days 1461
+
+Example that creates DH parameters (optional):
+openssl dhparam -2 -out dhparams.pem 2048
+
+Example that creates a self-signed certificate
+and key (using gnutls):
+
+certtool --generate-privkey --bits 2048 --outfile server-key.pem
+certtool --generate-self-signed --load-privkey server-key.pem \
+		 --outfile server-cert.pem
+
+Example that creates DH parameters (optional):
+certtool  --generate-dh-params --bits 2048 --outfile dhparams.pem
+
+Alternatively, you may use external programs/tools like stunnel to
+make it work:
 
   <http://stunnel.mirt.net/>
   <http://www.stunnel.org/>
@@ -51,7 +73,6 @@ short "how-to", thanks Stefan!
 === snip ===
 
 
-Probably ngIRCd will include support for SSL in the future ...
 
 
 -- 
diff --git a/doc/sample-ngircd.conf b/doc/sample-ngircd.conf
index 87a94d9d..ba2d477b 100644
--- a/doc/sample-ngircd.conf
+++ b/doc/sample-ngircd.conf
@@ -13,6 +13,8 @@
 # Use "ngircd --configtest" (see manual page ngircd(8)) to validate that the
 # server interprets the configuration file as expected!
 #
+# Please see ngircd.conf(5) for a complete list of configuration options.
+#
 
 [Global]
 	# The [Global] section of this file is used to define the main
@@ -40,6 +42,21 @@
 	# one port, separated with ",". (Default: 6667)
 	;Ports = 6667, 6668, 6669
 
+	# Additional Listen Ports that expect SSL/TLS encrypted connections
+	;SSLPorts = 9999,6668
+
+	# SSL Server Key
+        ;SSLKeyFile = /usr/local/etc/ngircd/ssl/server-key.pem
+
+	# password to decrypt SSLKeyFile (OpenSSL only)
+	;SSLKeyFilePassword = secret
+
+	# SSL Server Key Certificate
+	;SSLCertFile = /usr/local/etc/ngircd/ssl/server-cert.pem
+
+	# Diffie-Hellman parameters
+	;SSLDHFile = /usr/local/etc/ngircd/ssl/dhparams.pem
+
 	# comma seperated list of IP addresses on which the server should
 	# listen. Default values are:
 	# "0.0.0.0" or (if compiled with IPv6 support) "::,0.0.0.0"
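Review bot: The `;SSLKeyFilePassword = secret` example puts the private-key passphrase in cleartext in the configuration file, and the comment above it does not say that the file then needs the same protection as the key itself. I would extend that comment, e.g. `# password to decrypt SSLKeyFile (OpenSSL only); stored in cleartext, so keep this file and SSLKeyFile readable only by the account the daemon runs as`. Separately, `;SSLPorts = 9999,6668` reuses 6668 from the `;Ports = 6667, 6668, 6669` example just above, so uncommenting both would presumably list the same port as both plain and TLS; `;SSLPorts = 6697, 9999` avoids the overlap. As a style point, the `;SSLKeyFile` line is indented with spaces where its neighbours use a tab.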
@@ -158,7 +175,7 @@
 	# IRC name of the remote server, must match the "Name" variable in
 	# the [Global] section of the other server (when using ngIRCd).
 	;Name = irc2.the.net
-  
+
 	# Internet host name or IP address of the peer (only required when
 	# this server should establish the connection).
 	;Host = connect-to-host.the.net
@@ -189,6 +206,9 @@
 	# this specific server later.
 	;Passive = no
 
+	# Connect to the remote server using TLS/SSL (Default: false)
+	; SSLConnect = yes
+
 [Server]
 	# More [Server] sections, if you like ...