mirror of
https://github.com/osmarks/ngircd.git
synced 2024-12-13 10:20:28 +00:00
49b2d0ec98
problem is that some clients refuse to connect to severs that only offer 1024. For interoperability it would be best to just use 4096, but that takes minutes, even on current hardware.
109 lines
3.5 KiB
Plaintext
109 lines
3.5 KiB
Plaintext
|
|
ngIRCd - Next Generation IRC Server
|
|
|
|
(c)2001-2008 Alexander Barton,
|
|
alex@barton.de, http://www.barton.de/
|
|
|
|
ngIRCd is free software and published under the
|
|
terms of the GNU General Public License.
|
|
|
|
-- SSL.txt --
|
|
|
|
|
|
ngIRCd supports SSL/TLSv1 encrypted connections using the OpenSSL or GnuTLS
|
|
libraries. Both encrypted server-server links as well as client-server links
|
|
are supported.
|
|
|
|
SSL is a compile-time option which is disabled by default. Use one of these
|
|
options of the ./configure script to enable it:
|
|
|
|
--with-openssl enable SSL support using OpenSSL
|
|
--with-gnutls enable SSL support using GnuTLS
|
|
|
|
You also need a key/certificate, see below for how to create a self-signed one.
|
|
|
|
From a feature point of view, ngIRCds support for both libraries is
|
|
comparable. The only major difference (at this time) is that ngircd with gnutls
|
|
does not support password protected private keys.
|
|
|
|
Configuration
|
|
~~~~~~~~~~~~~
|
|
|
|
To enable SSL connections a separate port must be configured: it is NOT
|
|
possible to handle unencrypted and encrypted connections on the same port!
|
|
This is a limitation of the IRC protocol ...
|
|
|
|
You have to set (at least) the following configuration variables in the
|
|
[GLOBAL] section of ngircd.conf(5): SSLPorts, SSLKeyFile, and SSLCertFile.
|
|
|
|
Now IRC clients are able to connect using SSL on the configured port(s).
|
|
(Using port 6697 for encrypted connections is common.)
|
|
|
|
To enable encrypted server-server links, you have to additionally set
|
|
SSLConnect to "yes" in the corresponding [SERVER] section.
|
|
|
|
|
|
Creating a self-signed certificate
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
OpenSSL:
|
|
|
|
Creating a self-signed certificate and key:
|
|
$ openssl req -newkey rsa:2048 -x509 -keyout server-key.pem -out server-cert.pem -days 1461
|
|
Create DH parameters (optional):
|
|
$ openssl dhparam -2 -out dhparams.pem 4096
|
|
|
|
GnuTLS:
|
|
|
|
Creating a self-signed certificate and key:
|
|
$ certtool --generate-privkey --bits 2048 --outfile server-key.pem
|
|
$ certtool --generate-self-signed --load-privkey server-key.pem --outfile server-cert.pem
|
|
Create DH parameters (optional):
|
|
$ certtool --generate-dh-params --bits 4096 --outfile dhparams.pem
|
|
|
|
|
|
Alternate approach using stunnel(1)
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
Alternatively (or if you are using ngIRCd compiled without support
|
|
for GnuTLS/OpenSSL), you can use external programs/tools like stunnel(1) to
|
|
get SSL encrypted connections:
|
|
|
|
<http://stunnel.mirt.net/>
|
|
<http://www.stunnel.org/>
|
|
|
|
Stefan Sperling (stefan at binarchy dot net) mailed the following text as a
|
|
short "how-to", thanks Stefan!
|
|
|
|
=== snip ===
|
|
! This guide applies to stunnel 4.x !
|
|
|
|
Put this in your stunnel.conf:
|
|
|
|
[ircs]
|
|
accept = 6667
|
|
connect = 6668
|
|
|
|
This makes stunnel listen for incoming connections
|
|
on port 6667 and forward decrypted data to port 6668.
|
|
We call the connection 'ircs'. Stunnel will use this
|
|
name when logging connection attempts via syslog.
|
|
You can also use the name in /etc/hosts.{allow,deny}
|
|
if you run tcp-wrappers.
|
|
|
|
To make sure ngircd is listening on the port where
|
|
the decrypted data arrives, set
|
|
|
|
Ports = 6668
|
|
|
|
in your ngircd.conf.
|
|
|
|
Start stunnel and restart ngircd.
|
|
|
|
That's it.
|
|
Don't forget to activate ssl support in your irc client ;)
|
|
The main drawback of this approach compared to using builtin ssl
|
|
is that from ngIRCds point of view, all ssl-enabled client connections will
|
|
originate from the host running stunnel.
|
|
=== snip ===
|