mirrors/ngircd
1
0
Fork 0
mirror of https://github.com/osmarks/ngircd.git synced 2025-10-13 21:57:40 +00:00
Code Issues Releases Wiki Activity

TLS/SSL support: documentation.

Browse Source
This commit is contained in:
Florian Westphal
2008-09-13 15:10:08 +02:00
parent bdd44eb0ab
commit ebf5edfd87
3 changed files with 69 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
doc/SSL.txt
View File

@@ -10,9 +10,31 @@
-- SSL.txt -- -- SSL.txt --
ngIRCd actually doesn't support secure connections for client-server or ngIRCd supports SSL/TLSv1 encrypted connections using the
server-server links using SSL, the Secure Socket Layer, by itself. But you can OpenSSL or gnutls library.
use the stunnel(8) command to make this work. Both encryped server <-> client and server <-> server links should work.
BEWARE! The Code is mostly untested, use at your own risk!
Example that creates a self-signed certificate and key (using OpenSSL):
openssl req -newkey rsa:2048 -x509 -keyout server-key.pem \
-out server-cert.pem -days 1461
Example that creates DH parameters (optional):
openssl dhparam -2 -out dhparams.pem 2048
Example that creates a self-signed certificate
and key (using gnutls):
certtool --generate-privkey --bits 2048 --outfile server-key.pem
certtool --generate-self-signed --load-privkey server-key.pem \
--outfile server-cert.pem
Example that creates DH parameters (optional):
certtool --generate-dh-params --bits 2048 --outfile dhparams.pem
Alternatively, you may use external programs/tools like stunnel to
make it work:
<http://stunnel.mirt.net/> <http://stunnel.mirt.net/>
<http://www.stunnel.org/> <http://www.stunnel.org/>
@@ -51,7 +73,6 @@ short "how-to", thanks Stefan!
=== snip === === snip ===
Probably ngIRCd will include support for SSL in the future ...
-- --

22
doc/sample-ngircd.conf
View File

@@ -13,6 +13,8 @@
# Use "ngircd --configtest" (see manual page ngircd(8)) to validate that the # Use "ngircd --configtest" (see manual page ngircd(8)) to validate that the
# server interprets the configuration file as expected! # server interprets the configuration file as expected!
# #
# Please see ngircd.conf(5) for a complete list of configuration options.
#
[Global] [Global]
# The [Global] section of this file is used to define the main # The [Global] section of this file is used to define the main
@@ -40,6 +42,21 @@
# one port, separated with ",". (Default: 6667) # one port, separated with ",". (Default: 6667)
;Ports = 6667, 6668, 6669 ;Ports = 6667, 6668, 6669
# Additional Listen Ports that expect SSL/TLS encrypted connections
;SSLPorts = 9999,6668
# SSL Server Key
;SSLKeyFile = /usr/local/etc/ngircd/ssl/server-key.pem
# password to decrypt SSLKeyFile (OpenSSL only)
;SSLKeyFilePassword = secret
# SSL Server Key Certificate
;SSLCertFile = /usr/local/etc/ngircd/ssl/server-cert.pem
# Diffie-Hellman parameters
;SSLDHFile = /usr/local/etc/ngircd/ssl/dhparams.pem
# comma seperated list of IP addresses on which the server should # comma seperated list of IP addresses on which the server should
# listen. Default values are: # listen. Default values are:
# "0.0.0.0" or (if compiled with IPv6 support) "::,0.0.0.0" # "0.0.0.0" or (if compiled with IPv6 support) "::,0.0.0.0"
@@ -158,7 +175,7 @@
# IRC name of the remote server, must match the "Name" variable in # IRC name of the remote server, must match the "Name" variable in
# the [Global] section of the other server (when using ngIRCd). # the [Global] section of the other server (when using ngIRCd).
;Name = irc2.the.net ;Name = irc2.the.net
# Internet host name or IP address of the peer (only required when # Internet host name or IP address of the peer (only required when
# this server should establish the connection). # this server should establish the connection).
;Host = connect-to-host.the.net ;Host = connect-to-host.the.net
@@ -189,6 +206,9 @@
# this specific server later. # this specific server later.
;Passive = no ;Passive = no
# Connect to the remote server using TLS/SSL (Default: false)
; SSLConnect = yes
[Server] [Server]
# More [Server] sections, if you like ... # More [Server] sections, if you like ...

23
man/ngircd.conf.5.tmpl
View File

@@ -72,6 +72,27 @@ command.
Ports on which the server should listen. There may be more than one port, Ports on which the server should listen. There may be more than one port,
separated with ','. Default: 6667. separated with ','. Default: 6667.
.TP .TP
\fBSSLPorts\fR
Same as \fBPorts\fR , except that ngircd will expect incoming connections
to be SSL/TLS encrypted. Default: None
.TP
\fBSSLKeyFile\fR
Filename of SSL Server Key to be used for SSL connections. This is required for
SSL/TLS support.
.TP
\fBSSLKeyFilePassword\fR
(OpenSSL only:) Password to decrypt private key.
.TP
\fBSSLCertFile\fR
Certificate of the private key
.TP
\fBSSLDHFile\fR
Name of the Diffie-Hellman Parameter file. Can be created with gnutls "certtool --generate-dh-params" or "openssl dhparam".
If this file is not present, it will be generated on startup when ngircd
was compiled with gnutls support (this may take some time). If ngircd
was compiled with OpenSSL, then (Ephemeral)-Diffie-Hellman Key Exchanges and several
Cipher Suites will not be available.
.TP
\fBListen\fR \fBListen\fR
A comma seperated list of IP address on which the server should listen. A comma seperated list of IP address on which the server should listen.
If unset, the defaults value is "0.0.0.0", or, if ngircd was compiled If unset, the defaults value is "0.0.0.0", or, if ngircd was compiled
@@ -188,6 +209,8 @@ Default: 10.
Maximum length of an user nick name (Default: 9, as in RFC 2812). Please Maximum length of an user nick name (Default: 9, as in RFC 2812). Please
note that all servers in an IRC network MUST use the same maximum nick name note that all servers in an IRC network MUST use the same maximum nick name
length! length!
\fBSSLConnect\fR
Connect to the remote server using TLS/SSL (Default: false)
.SH [OPERATOR] .SH [OPERATOR]
.I [Operator] .I [Operator]
sections are used to define IRC Operators. There may be more than one sections are used to define IRC Operators. There may be more than one