From ebf5edfd8788037c39818461d09874a851b845fc Mon Sep 17 00:00:00 2001 From: Florian Westphal Date: Sat, 13 Sep 2008 15:10:08 +0200 Subject: [PATCH] TLS/SSL support: documentation. --- doc/SSL.txt | 29 +++++++++++++++++++++++++---- doc/sample-ngircd.conf | 22 +++++++++++++++++++++- man/ngircd.conf.5.tmpl | 23 +++++++++++++++++++++++ 3 files changed, 69 insertions(+), 5 deletions(-) diff --git a/doc/SSL.txt b/doc/SSL.txt index 7578ad80..6ea207e6 100644 --- a/doc/SSL.txt +++ b/doc/SSL.txt @@ -10,9 +10,31 @@ -- SSL.txt -- -ngIRCd actually doesn't support secure connections for client-server or -server-server links using SSL, the Secure Socket Layer, by itself. But you can -use the stunnel(8) command to make this work. +ngIRCd supports SSL/TLSv1 encrypted connections using the +OpenSSL or gnutls library. +Both encryped server <-> client and server <-> server links should work. + +BEWARE! The Code is mostly untested, use at your own risk! + +Example that creates a self-signed certificate and key (using OpenSSL): +openssl req -newkey rsa:2048 -x509 -keyout server-key.pem \ + -out server-cert.pem -days 1461 + +Example that creates DH parameters (optional): +openssl dhparam -2 -out dhparams.pem 2048 + +Example that creates a self-signed certificate +and key (using gnutls): + +certtool --generate-privkey --bits 2048 --outfile server-key.pem +certtool --generate-self-signed --load-privkey server-key.pem \ + --outfile server-cert.pem + +Example that creates DH parameters (optional): +certtool --generate-dh-params --bits 2048 --outfile dhparams.pem + +Alternatively, you may use external programs/tools like stunnel to +make it work: @@ -51,7 +73,6 @@ short "how-to", thanks Stefan! === snip === -Probably ngIRCd will include support for SSL in the future ... -- diff --git a/doc/sample-ngircd.conf b/doc/sample-ngircd.conf index 87a94d9d..ba2d477b 100644 --- a/doc/sample-ngircd.conf +++ b/doc/sample-ngircd.conf 
@@ -13,6 +13,8 @@ # Use "ngircd --configtest" (see manual page ngircd(8)) to validate that the # server interprets the configuration file as expected! # +# Please see ngircd.conf(5) for a complete list of configuration options. +# [Global] # The [Global] section of this file is used to define the main @@ -40,6 +42,21 @@ # one port, separated with ",". (Default: 6667) ;Ports = 6667, 6668, 6669 + # Additional Listen Ports that expect SSL/TLS encrypted connections + ;SSLPorts = 9999,6668 + + # SSL Server Key + ;SSLKeyFile = /usr/local/etc/ngircd/ssl/server-key.pem + + # password to decrypt SSLKeyFile (OpenSSL only) + ;SSLKeyFilePassword = secret + + # SSL Server Key Certificate + ;SSLCertFile = /usr/local/etc/ngircd/ssl/server-cert.pem + + # Diffie-Hellman parameters + ;SSLDHFile = /usr/local/etc/ngircd/ssl/dhparams.pem + # comma seperated list of IP addresses on which the server should # listen. Default values are: # "0.0.0.0" or (if compiled with IPv6 support) "::,0.0.0.0" @@ -158,7 +175,7 @@ # IRC name of the remote server, must match the "Name" variable in # the [Global] section of the other server (when using ngIRCd). ;Name = irc2.the.net - + # Internet host name or IP address of the peer (only required when # this server should establish the connection). ;Host = connect-to-host.the.net @@ -189,6 +206,9 @@ # this specific server later. ;Passive = no + # Connect to the remote server using TLS/SSL (Default: false) + ; SSLConnect = yes + [Server] # More [Server] sections, if you like ... diff --git a/man/ngircd.conf.5.tmpl b/man/ngircd.conf.5.tmpl index 7c9ce316..61e2f5fe 100644 --- a/man/ngircd.conf.5.tmpl +++ b/man/ngircd.conf.5.tmpl 
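Review bot: The commented example `;SSLPorts = 9999,6668` reuses 6668, which the `;Ports = 6667, 6668, 6669` line three lines above already lists as a plaintext port, so a user who uncomments both examples as shipped configures the same port once with TLS and once without. Choosing a port that does not appear in the `Ports` example, e.g. `;SSLPorts = 6697, 9999` (a constructed example), avoids the clash and also follows the `, `-separated list style of the surrounding keys. The `;SSLKeyFilePassword = secret` line places the private-key passphrase in the configuration file itself; a comment above it such as `# If set, keep this file readable only by the user ngircd runs as` would make the consequence of enabling it explicit in the sample.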
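Review bot: `; SSLConnect = yes` puts a space between `;` and the key name, unlike every other commented-out option in this section (`;Passive = no` two lines above), so `;SSLConnect = yes` would match the file's convention. The comment says `(Default: false)` while the example value is `yes` and the neighbouring `Passive` key uses `no`; writing the default in the same spelling, `# Connect to the remote server using TLS/SSL (Default: no)`, keeps the sample consistent. Note also that the man/ngircd.conf.5.tmpl hunk in this commit documents `SSLConnect` at the end of the [GLOBAL] section and without a leading `.TP`, whereas the sample config places it under [Server]; the two should agree on the section.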
@@ -72,6 +72,27 @@ command. Ports on which the server should listen. There may be more than one port, separated with ','. Default: 6667. .TP +\fBSSLPorts\fR +Same as \fBPorts\fR , except that ngircd will expect incoming connections +to be SSL/TLS encrypted. Default: None +.TP +\fBSSLKeyFile\fR +Filename of SSL Server Key to be used for SSL connections. This is required for +SSL/TLS support. +.TP +\fBSSLKeyFilePassword\fR +(OpenSSL only:) Password to decrypt private key. +.TP +\fBSSLCertFile\fR +Certificate of the private key +.TP +\fBSSLDHFile\fR +Name of the Diffie-Hellman Parameter file. Can be created with gnutls "certtool --generate-dh-params" or "openssl dhparam". +If this file is not present, it will be generated on startup when ngircd +was compiled with gnutls support (this may take some time). If ngircd +was compiled with OpenSSL, then (Ephemeral)-Diffie-Hellman Key Exchanges and several +Cipher Suites will not be available. +.TP \fBListen\fR A comma seperated list of IP address on which the server should listen. If unset, the defaults value is "0.0.0.0", or, if ngircd was compiled @@ -188,6 +209,8 @@ Default: 10. Maximum length of an user nick name (Default: 9, as in RFC 2812). Please note that all servers in an IRC network MUST use the same maximum nick name length! +\fBSSLConnect\fR +Connect to the remote server using TLS/SSL (Default: false) .SH [OPERATOR] .I [Operator] sections are used to define IRC Operators. There may be more than one