TLS/SSL support: documentation.
parent
bdd44eb0ab
commit
ebf5edfd87
doc/SSL.txt
@ -10,9 +10,31 @@
-- SSL.txt --
ngIRCd actually doesn't support secure connections for client-server or
server-server links using SSL, the Secure Socket Layer, by itself. But you can
use the stunnel(8) command to make this work.
ngIRCd supports SSL/TLSv1 encrypted connections using the
OpenSSL or gnutls library.
Both encryped server <-> client and server <-> server links should work.
BEWARE! The Code is mostly untested, use at your own risk!
Example that creates a self-signed certificate and key (using OpenSSL):
openssl req -newkey rsa:2048 -x509 -keyout server-key.pem \
-out server-cert.pem -days 1461
Example that creates DH parameters (optional):
openssl dhparam -2 -out dhparams.pem 2048
Example that creates a self-signed certificate
and key (using gnutls):
certtool --generate-privkey --bits 2048 --outfile server-key.pem
certtool --generate-self-signed --load-privkey server-key.pem \
--outfile server-cert.pem
Example that creates DH parameters (optional):
certtool --generate-dh-params --bits 2048 --outfile dhparams.pem
Alternatively, you may use external programs/tools like stunnel to
make it work:
<http://stunnel.mirt.net/>
<http://www.stunnel.org/>
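Review bot: the OpenSSL example `openssl req -newkey rsa:2048 -x509 -keyout server-key.pem` writes the private key passphrase-protected unless `-nodes` is given, and the only way this commit offers to supply that passphrase is SSLKeyFilePassword, which the same change documents as OpenSSL-only; either add `-nodes` to the example or state that a gnutls build needs an unencrypted key file. Also, "Both encryped server <-> client and server <-> server links should work" should read "encrypted".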
@ -51,7 +73,6 @@ short "how-to", thanks Stefan!
=== snip ===
Probably ngIRCd will include support for SSL in the future ...
--
@ -13,6 +13,8 @@
# Use "ngircd --configtest" (see manual page ngircd(8)) to validate that the
# server interprets the configuration file as expected!
#
# Please see ngircd.conf(5) for a complete list of configuration options.
#
[Global]
# The [Global] section of this file is used to define the main
@ -40,6 +42,21 @@
# one port, separated with ",". (Default: 6667)
;Ports = 6667, 6668, 6669
# Additional Listen Ports that expect SSL/TLS encrypted connections
;SSLPorts = 9999,6668
# SSL Server Key
;SSLKeyFile = /usr/local/etc/ngircd/ssl/server-key.pem
# password to decrypt SSLKeyFile (OpenSSL only)
;SSLKeyFilePassword = secret
# SSL Server Key Certificate
;SSLCertFile = /usr/local/etc/ngircd/ssl/server-cert.pem
# Diffie-Hellman parameters
;SSLDHFile = /usr/local/etc/ngircd/ssl/dhparams.pem
# comma seperated list of IP addresses on which the server should
# listen. Default values are:
# "0.0.0.0" or (if compiled with IPv6 support) "::,0.0.0.0"
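Review bot: the sample `;SSLPorts = 9999,6668` lists 6668, which the preceding `;Ports = 6667, 6668, 6669` already shows as a plaintext port; one port cannot serve both, so use SSL example ports that do not appear in Ports, otherwise readers will copy a conflicting configuration. `;SSLKeyFilePassword = secret` also puts the key passphrase in clear text in ngircd.conf, so the comment should say the file then must be readable by the ngircd user only; and `# SSL Server Key` would be clearer as `# SSL server private key`.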
@ -189,6 +206,9 @@
# this specific server later.
;Passive = no
# Connect to the remote server using TLS/SSL (Default: false)
; SSLConnect = yes
[Server]
# More [Server] sections, if you like ...
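Review bot: `; SSLConnect = yes` has a space after the `;` while every other commented-out example in this file (`;Passive = no`, `;Ports = ...`) puts the option name directly after it; drop the space for consistency. The comment "Connect to the remote server using TLS/SSL" should also say whether the remote server's certificate is verified, since that decides what the option protects against.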
@ -72,6 +72,27 @@ command.
Ports on which the server should listen. There may be more than one port,
separated with ','. Default: 6667.
.TP
\fBSSLPorts\fR
Same as \fBPorts\fR , except that ngircd will expect incoming connections
to be SSL/TLS encrypted. Default: None
.TP
\fBSSLKeyFile\fR
Filename of SSL Server Key to be used for SSL connections. This is required for
SSL/TLS support.
.TP
\fBSSLKeyFilePassword\fR
(OpenSSL only:) Password to decrypt private key.
.TP
\fBSSLCertFile\fR
Certificate of the private key
.TP
\fBSSLDHFile\fR
Name of the Diffie-Hellman Parameter file. Can be created with gnutls "certtool --generate-dh-params" or "openssl dhparam".
If this file is not present, it will be generated on startup when ngircd
was compiled with gnutls support (this may take some time). If ngircd
was compiled with OpenSSL, then (Ephemeral)-Diffie-Hellman Key Exchanges and several
Cipher Suites will not be available.
.TP
\fBListen\fR
A comma seperated list of IP address on which the server should listen.
If unset, the defaults value is "0.0.0.0", or, if ngircd was compiled
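Review bot: the SSLDHFile text reads as if an OpenSSL build never offers Diffie-Hellman at all: "If ngircd was compiled with OpenSSL, then (Ephemeral)-Diffie-Hellman Key Exchanges and several Cipher Suites will not be available" has lost the "if this file is not present" condition of the sentence before it; reword to say that with gnutls a missing file is generated at startup, while with OpenSSL a missing file means DHE key exchange and the cipher suites that depend on it are unavailable. Smaller points: `Same as \fBPorts\fR , except` has a stray space before the comma, "Default: None" lacks a full stop, and "Certificate of the private key" should say that this is the server certificate matching SSLKeyFile and whether it is required too.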
@ -188,6 +209,8 @@ Default: 10.
Maximum length of an user nick name (Default: 9, as in RFC 2812). Please
note that all servers in an IRC network MUST use the same maximum nick name
length!
\fBSSLConnect\fR
Connect to the remote server using TLS/SSL (Default: false)
.SH [OPERATOR]
.I [Operator]
sections are used to define IRC Operators. There may be more than one
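Review bot: `\fBSSLConnect\fR` is inserted directly after the MaxNickLength paragraph without a `.TP` macro, so it will not render as its own option entry like every other option in this page; add `.TP` before it. It also lands in the section that precedes `.SH [OPERATOR]` (the one holding MaxNickLength), whereas the configuration file hunk earlier in this commit places SSLConnect in a [Server] section; document it under the [Server] section instead so the two files agree.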