
                     ngIRCd - Next Generation IRC Server

                      (c)2001-2004 by Alexander Barton,
                    alex@barton.de, http://www.barton.de/

               ngIRCd is free software and published under the
                   terms of the GNU General Public License.

                                 -- SSL.txt --


ngIRCd supports SSL/TLSv1 encrypted connections using the
OpenSSL or gnutls library.
Both encrypted server <-> client and server <-> server links should work.

BEWARE! The code is mostly untested, use at your own risk!

Example that creates a self-signed certificate and key (using OpenSSL):

openssl req -newkey rsa:2048 -x509 -keyout server-key.pem \
		-out server-cert.pem -days 1461

Example that creates DH parameters (optional, using OpenSSL):

openssl dhparam -2 -out dhparams.pem 2048

Example that creates a self-signed certificate and key (using gnutls):

certtool --generate-privkey --bits 2048 --outfile server-key.pem
certtool --generate-self-signed --load-privkey server-key.pem \
		--outfile server-cert.pem

Example that creates DH parameters (optional, using gnutls):

certtool --generate-dh-params --bits 2048 --outfile dhparams.pem

Alternatively, you may use external programs/tools like stunnel to
make it work:

  <http://stunnel.mirt.net/>
  <http://www.stunnel.org/>

Stefan Sperling (stefan at binarchy dot net) mailed me the following text as a
short "how-to", thanks Stefan!


=== snip ===
    ! This guide applies to stunnel 4.x !

    Put this in your stunnel.conf:

        [ircs]
        accept = 6667
        connect = 6668

    This makes stunnel listen for incoming connections
    on port 6667 and forward decrypted data to port 6668.
    We call the connection 'ircs'. Stunnel will use this
    name when logging connection attempts via syslog.
    You can also use the name in /etc/hosts.{allow,deny}
    if you run tcp-wrappers.

    To make sure ngircd is listening on the port where
    the decrypted data arrives, set

        Ports = 6668

    in your ngircd.conf.

    Start stunnel and restart ngircd.

    That's it.
    Don't forget to activate ssl support in your irc client ;)
=== snip ===
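
A consistency check for the stunnel/ngIRCd port pairing described in the
how-to above. This is an added example, not part of ngIRCd or of Stefan's
text. It assumes that ngIRCd defaults to port 6667 on all interfaces when
"Ports" and "Listen" are unset and that the installed version supports the
"Listen" option; the sample configurations are constructed.

```python
# Added example: lint the stunnel -> ngIRCd port forwarding from the how-to.
# Assumptions (not from the page): ngIRCd defaults to port 6667 and to all
# interfaces when "Ports"/"Listen" are unset, and supports a "Listen" option.

def parse_conf(text):
    """Return {section: {key: value}} for simple 'key = value' files."""
    conf, section = {}, ""
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            conf.setdefault(section, {})[key.lower()] = value
    return conf

def port_of(endpoint):
    """'6668' or 'host:6668' -> 6668"""
    return int(endpoint.rsplit(":", 1)[-1])

def check(stunnel_text, ngircd_text, service="ircs"):
    """Return a list of problems; an empty list means the pair is consistent."""
    svc = parse_conf(stunnel_text).get(service, {})
    ng = parse_conf(ngircd_text)
    glob = {**ng.get("", {}), **ng.get("global", {})}
    accept, connect = port_of(svc["accept"]), port_of(svc["connect"])
    ports = {int(p) for p in glob.get("ports", "6667").split(",")}
    listen = {a.strip() for a in glob.get("listen", "0.0.0.0").split(",")}
    problems = []
    if connect not in ports:
        problems.append(f"no-backend: ngIRCd is not listening on port {connect}")
    if accept in ports:
        problems.append(f"port-clash: stunnel and ngIRCd both want port {accept}")
    if not listen <= {"127.0.0.1", "::1"}:
        problems.append(f"plaintext-exposed: port(s) {sorted(ports)} reachable "
                        "without TLS from other hosts")
    return problems

# Constructed sample input: the how-to's stunnel.conf and two ngircd.conf variants.
STUNNEL = "[ircs]\naccept = 6667\nconnect = 6668\n"
NGIRCD_UNCHANGED = "[Global]\nName = irc.example.net\n"
NGIRCD_LOOPBACK = "[Global]\nPorts = 6668\nListen = 127.0.0.1\n"

if __name__ == "__main__":
    for name, conf in (("unchanged", NGIRCD_UNCHANGED), ("loopback", NGIRCD_LOOPBACK)):
        print(name, check(STUNNEL, conf) or "ok")
```

With only "Ports = 6668" set, as in the how-to, the check still reports
"plaintext-exposed", because clients on other hosts can reach port 6668
directly and skip the stunnel listener.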




-- 
$Id: SSL.txt,v 1.2 2004/12/27 01:11:40 alex Exp $