2004-12-27 02:04:35 +01:00
|
|
|
|
|
|
|
ngIRCd - Next Generation IRC Server
|
|
|
|
|
2008-12-04 13:20:38 +01:00
|
|
|
(c)2001-2008 Alexander Barton,
|
2004-12-27 02:04:35 +01:00
|
|
|
alex@barton.de, http://www.barton.de/
|
|
|
|
|
|
|
|
ngIRCd is free software and published under the
|
|
|
|
terms of the GNU General Public License.
|
|
|
|
|
|
|
|
-- SSL.txt --
|
|
|
|
|
|
|
|
|
2008-12-04 13:20:38 +01:00
|
|
|
ngIRCd supports SSL/TLSv1 encrypted connections using the OpenSSL or GnuTLS
|
|
|
|
libraries. Both encrypted server-server links as well as client-server links
|
|
|
|
are supported.
|
2008-09-13 15:10:08 +02:00
|
|
|
|
2008-12-04 13:20:38 +01:00
|
|
|
SSL is a compile-time option which is disabled by default. Use one of these
|
|
|
|
options of the ./configure script to enable it:
|
2008-09-13 15:10:08 +02:00
|
|
|
|
2008-12-04 13:20:38 +01:00
|
|
|
--with-openssl enable SSL support using OpenSSL
|
|
|
|
--with-gnutls enable SSL support using GnuTLS
|
2008-09-13 15:10:08 +02:00
|
|
|
|
2009-01-09 21:30:43 +01:00
|
|
|
You also need a key/certificate, see below for how to create a self-signed one.
|
2008-09-13 15:10:08 +02:00
|
|
|
|
2009-01-09 21:30:43 +01:00
|
|
|
From a feature point of view, ngIRCds support for both libraries is
|
|
|
|
comparable. The only major difference (at this time) is that ngircd with gnutls
|
|
|
|
does not support password protected private keys.
|
2008-09-13 15:10:08 +02:00
|
|
|
|
2008-12-04 13:20:38 +01:00
|
|
|
Configuration
|
|
|
|
~~~~~~~~~~~~~
|
2008-09-13 15:10:08 +02:00
|
|
|
|
2008-12-04 13:20:38 +01:00
|
|
|
To enable SSL connections a separate port must be configured: it is NOT
|
|
|
|
possible to handle unencrypted and encrypted connections on the same port!
|
|
|
|
This is a limitation of the IRC protocol ...
|
2008-09-13 15:10:08 +02:00
|
|
|
|
2008-12-04 13:20:38 +01:00
|
|
|
You have to set (at least) the following configuration variables in the
|
|
|
|
[GLOBAL] section of ngircd.conf(5): SSLPorts, SSLKeyFile, and SSLCertFile.
|
|
|
|
|
|
|
|
Now IRC clients are able to connect using SSL on the configured port(s).
|
|
|
|
(Using port 6697 for encrypted connections is common.)
|
|
|
|
|
|
|
|
To enable encrypted server-server links, you have to additionally set
|
|
|
|
SSLConnect to "yes" in the corresponding [SERVER] section.
|
|
|
|
|
|
|
|
|
|
|
|
Creating a self-signed certificate
|
|
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
|
|
|
|
OpenSSL:
|
|
|
|
|
|
|
|
Creating a self-signed certificate and key:
|
2010-05-01 20:29:14 +02:00
|
|
|
$ openssl req -newkey rsa:2048 -x509 -keyout server-key.pem -out server-cert.pem -days 1461
|
2008-12-04 13:20:38 +01:00
|
|
|
Create DH parameters (optional):
|
2011-06-04 22:57:29 +02:00
|
|
|
$ openssl dhparam -2 -out dhparams.pem 4096
|
2008-12-04 13:20:38 +01:00
|
|
|
|
|
|
|
GnuTLS:
|
|
|
|
|
|
|
|
Creating a self-signed certificate and key:
|
|
|
|
$ certtool --generate-privkey --bits 2048 --outfile server-key.pem
|
2010-05-01 20:29:14 +02:00
|
|
|
$ certtool --generate-self-signed --load-privkey server-key.pem --outfile server-cert.pem
|
2008-12-04 13:20:38 +01:00
|
|
|
Create DH parameters (optional):
|
2011-06-04 22:57:29 +02:00
|
|
|
$ certtool --generate-dh-params --bits 4096 --outfile dhparams.pem
|
2008-12-04 13:20:38 +01:00
|
|
|
|
|
|
|
|
|
|
|
Alternate approach using stunnel(1)
|
|
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
|
2009-01-09 21:30:43 +01:00
|
|
|
Alternatively (or if you are using ngIRCd compiled without support
|
2008-12-04 13:20:38 +01:00
|
|
|
for GnuTLS/OpenSSL), you can use external programs/tools like stunnel(1) to
|
|
|
|
get SSL encrypted connections:
|
2004-12-27 02:11:40 +01:00
|
|
|
|
|
|
|
<http://stunnel.mirt.net/>
|
|
|
|
<http://www.stunnel.org/>
|
2004-12-27 02:04:35 +01:00
|
|
|
|
2008-12-04 13:20:38 +01:00
|
|
|
Stefan Sperling (stefan at binarchy dot net) mailed the following text as a
|
2004-12-27 02:04:35 +01:00
|
|
|
short "how-to", thanks Stefan!
|
|
|
|
|
|
|
|
=== snip ===
|
|
|
|
! This guide applies to stunnel 4.x !
|
|
|
|
|
|
|
|
Put this in your stunnel.conf:
|
|
|
|
|
|
|
|
[ircs]
|
|
|
|
accept = 6667
|
|
|
|
connect = 6668
|
|
|
|
|
|
|
|
This makes stunnel listen for incoming connections
|
|
|
|
on port 6667 and forward decrypted data to port 6668.
|
|
|
|
We call the connection 'ircs'. Stunnel will use this
|
|
|
|
name when logging connection attempts via syslog.
|
|
|
|
You can also use the name in /etc/hosts.{allow,deny}
|
|
|
|
if you run tcp-wrappers.
|
|
|
|
|
|
|
|
To make sure ngircd is listening on the port where
|
|
|
|
the decrypted data arrives, set
|
|
|
|
|
|
|
|
Ports = 6668
|
|
|
|
|
|
|
|
in your ngircd.conf.
|
|
|
|
|
|
|
|
Start stunnel and restart ngircd.
|
|
|
|
|
|
|
|
That's it.
|
|
|
|
Don't forget to activate ssl support in your irc client ;)
|
2009-01-09 21:30:43 +01:00
|
|
|
The main drawback of this approach compared to using builtin ssl
|
|
|
|
is that from ngIRCds point of view, all ssl-enabled client connections will
|
|
|
|
originate from the host running stunnel.
|
2004-12-27 02:04:35 +01:00
|
|
|
=== snip ===
|