TLS/SSL support: documentation.

Florian Westphal 2008-09-13 15:10:08 +02:00
parent bdd44eb0ab
commit ebf5edfd87
3 changed files with 69 additions and 5 deletions

@ -10,9 +10,31 @@
-- SSL.txt --
ngIRCd actually doesn't support secure connections for client-server or
server-server links using SSL, the Secure Socket Layer, by itself. But you can
use the stunnel(8) command to make this work.
ngIRCd supports SSL/TLSv1 encrypted connections using the
OpenSSL or gnutls library.
Both encryped server <-> client and server <-> server links should work.
BEWARE! The Code is mostly untested, use at your own risk!
Example that creates a self-signed certificate and key (using OpenSSL):
openssl req -newkey rsa:2048 -x509 -keyout server-key.pem \
-out server-cert.pem -days 1461
Example that creates DH parameters (optional):
openssl dhparam -2 -out dhparams.pem 2048
Example that creates a self-signed certificate
and key (using gnutls):
certtool --generate-privkey --bits 2048 --outfile server-key.pem
certtool --generate-self-signed --load-privkey server-key.pem \
--outfile server-cert.pem
Example that creates DH parameters (optional):
certtool --generate-dh-params --bits 2048 --outfile dhparams.pem
Alternatively, you may use external programs/tools like stunnel to
make it work:
<http://stunnel.mirt.net/>
<http://www.stunnel.org/>
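Review bot: the OpenSSL example (`openssl req -newkey rsa:2048 -x509 -keyout server-key.pem ...`) prompts for a passphrase and writes an encrypted private key by default, but the only way to supply that passphrase, SSLKeyFilePassword, is documented elsewhere in this commit as "OpenSSL only"; the text should say that a gnutls build needs an unencrypted key (add `-nodes` to the example, or explain how to remove the passphrase), otherwise a gnutls user who follows the example ends up with a key the server cannot load. Also fix the typo "encryped" in "Both encryped server <-> client and server <-> server links should work."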
@ -51,7 +73,6 @@ short "how-to", thanks Stefan!
=== snip ===
Probably ngIRCd will include support for SSL in the future ...
--
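Review bot: the header (-51,7 +73,6) shows one line dropped in this hunk; confirm it is the sentence "Probably ngIRCd will include support for SSL in the future ...", which now contradicts the new text at the top of the file, and that the stunnel how-to ending at "=== snip ===" is introduced as the fallback for builds without OpenSSL or gnutls rather than left reading as the only option.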

@ -13,6 +13,8 @@
# Use "ngircd --configtest" (see manual page ngircd(8)) to validate that the
# server interprets the configuration file as expected!
#
# Please see ngircd.conf(5) for a complete list of configuration options.
#
[Global]
# The [Global] section of this file is used to define the main
@ -40,6 +42,21 @@
# one port, separated with ",". (Default: 6667)
;Ports = 6667, 6668, 6669
# Additional Listen Ports that expect SSL/TLS encrypted connections
;SSLPorts = 9999,6668
# SSL Server Key
;SSLKeyFile = /usr/local/etc/ngircd/ssl/server-key.pem
# password to decrypt SSLKeyFile (OpenSSL only)
;SSLKeyFilePassword = secret
# SSL Server Key Certificate
;SSLCertFile = /usr/local/etc/ngircd/ssl/server-cert.pem
# Diffie-Hellman parameters
;SSLDHFile = /usr/local/etc/ngircd/ssl/dhparams.pem
# comma seperated list of IP addresses on which the server should
# listen. Default values are:
# "0.0.0.0" or (if compiled with IPv6 support) "::,0.0.0.0"
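Review bot: the example `;SSLPorts = 9999,6668` reuses port 6668, which the `;Ports = 6667, 6668, 6669` example directly above already lists as a plaintext listener; a reader who uncomments both gets two listeners competing for the same port, so use ports that do not overlap (6697 is the conventional IRC-over-TLS port). The SSLPorts comment should also state its default ("Default: none") the way the Ports comment does, and `;SSLKeyFilePassword = secret` deserves a comment that setting it puts a secret in clear text in the configuration file, so the file must then be readable only by the user ngircd runs as.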
@ -189,6 +206,9 @@
# this specific server later.
;Passive = no
# Connect to the remote server using TLS/SSL (Default: false)
; SSLConnect = yes
[Server]
# More [Server] sections, if you like ...
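Review bot: `; SSLConnect = yes` has a space between `;` and the option name, unlike every other commented-out example in this file (`;Passive = no` just above), so deleting only the `;` to enable it leaves a leading space; drop the space. The comment says "(Default: false)" while the surrounding examples use yes/no values; "Default: no" is consistent with them.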

@ -72,6 +72,27 @@ command.
Ports on which the server should listen. There may be more than one port,
separated with ','. Default: 6667.
.TP
\fBSSLPorts\fR
Same as \fBPorts\fR , except that ngircd will expect incoming connections
to be SSL/TLS encrypted. Default: None
.TP
\fBSSLKeyFile\fR
Filename of SSL Server Key to be used for SSL connections. This is required for
SSL/TLS support.
.TP
\fBSSLKeyFilePassword\fR
(OpenSSL only:) Password to decrypt private key.
.TP
\fBSSLCertFile\fR
Certificate of the private key
.TP
\fBSSLDHFile\fR
Name of the Diffie-Hellman Parameter file. Can be created with gnutls "certtool --generate-dh-params" or "openssl dhparam".
If this file is not present, it will be generated on startup when ngircd
was compiled with gnutls support (this may take some time). If ngircd
was compiled with OpenSSL, then (Ephemeral)-Diffie-Hellman Key Exchanges and several
Cipher Suites will not be available.
.TP
\fBListen\fR
A comma seperated list of IP address on which the server should listen.
If unset, the defaults value is "0.0.0.0", or, if ngircd was compiled
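Review bot: the SSLDHFile sentence "If ngircd was compiled with OpenSSL, then (Ephemeral)-Diffie-Hellman Key Exchanges and several Cipher Suites will not be available" reads as an unconditional statement about OpenSSL builds; it needs the missing condition, e.g. "If ngircd was compiled with OpenSSL and this file is not present, ...". Smaller points in the same hunk: the stray space in `\fBPorts\fR ,`; "Default: None" should follow the "Default: 6667." punctuation used above it; "Certificate of the private key" needs a period and should say the file is required when SSLPorts is set; and the SSLKeyFilePassword entry should mention that the password is stored in clear text in the configuration file.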
@ -188,6 +209,8 @@ Default: 10.
Maximum length of an user nick name (Default: 9, as in RFC 2812). Please
note that all servers in an IRC network MUST use the same maximum nick name
length!
\fBSSLConnect\fR
Connect to the remote server using TLS/SSL (Default: false)
.SH [OPERATOR]
.I [Operator]
sections are used to define IRC Operators. There may be more than one
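Review bot: `\fBSSLConnect\fR` is added without the `.TP` that precedes every other option tag in this file (compare `.TP` followed by `\fBSSLPorts\fR` above), so it will not render as a tagged paragraph. Also check its placement: it lands just before `.SH [OPERATOR]`, next to the MaxNickLength entry, while the sample-ngircd.conf hunk at -189 documents SSLConnect as a per-[Server] option; it belongs among the [Server] section's entries in the man page.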