Annotation of ircnowd/doc/SSL.txt, Revision 1.1.1.1
1.1 bountyht 1:
2: ngIRCd - Next Generation IRC Server
3:
4: (c)2001-2008 Alexander Barton,
5: alex@barton.de, http://www.barton.de/
6:
7: ngIRCd is free software and published under the
8: terms of the GNU General Public License.
9:
10: -- SSL.txt --
11:
12:
13: ngIRCd supports SSL/TLSv1 encrypted connections using the OpenSSL or GnuTLS
14: libraries. Both encrypted server-server links as well as client-server links
15: are supported.
16:
17: SSL is a compile-time option which is disabled by default. Use one of these
18: options of the ./configure script to enable it:
19:
20: --with-openssl enable SSL support using OpenSSL
21: --with-gnutls enable SSL support using GnuTLS
22:
23: You also need a key/certificate, see below for how to create a self-signed one.
24:
25: From a feature point of view, ngIRCds support for both libraries is
26: comparable. The only major difference (at this time) is that ngircd with gnutls
27: does not support password protected private keys.
28:
29: Configuration
30: ~~~~~~~~~~~~~
31:
32: To enable SSL connections a separate port must be configured: it is NOT
33: possible to handle unencrypted and encrypted connections on the same port!
34: This is a limitation of the IRC protocol ...
35:
36: You have to set (at least) the following configuration variables in the
37: [SSL] section of ngircd.conf(5): Ports, KeyFile, and CertFile.
38:
39: Now IRC clients are able to connect using SSL on the configured port(s).
40: (Using port 6697 for encrypted connections is common.)
41:
42: To enable encrypted server-server links, you have to additionally set
43: SSLConnect to "yes" in the corresponding [SERVER] section.
44:
45:
46: Creating a self-signed certificate
47: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
48:
49: OpenSSL:
50:
51: Creating a self-signed certificate and key:
52: $ openssl req -newkey rsa:2048 -x509 -keyout server-key.pem -out server-cert.pem -days 1461
53: Create DH parameters (optional):
54: $ openssl dhparam -2 -out dhparams.pem 4096
55:
56: GnuTLS:
57:
58: Creating a self-signed certificate and key:
59: $ certtool --generate-privkey --bits 2048 --outfile server-key.pem
60: $ certtool --generate-self-signed --load-privkey server-key.pem --outfile server-cert.pem
61: Create DH parameters (optional):
62: $ certtool --generate-dh-params --bits 4096 --outfile dhparams.pem
63:
64:
65: Alternate approach using stunnel(1)
66: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
67:
68: Alternatively (or if you are using ngIRCd compiled without support
69: for GnuTLS/OpenSSL), you can use external programs/tools like stunnel(1) to
70: get SSL encrypted connections:
71:
72: <http://stunnel.mirt.net/>
73: <http://www.stunnel.org/>
74:
75: Stefan Sperling (stefan at binarchy dot net) mailed the following text as a
76: short "how-to", thanks Stefan!
77:
78: === snip ===
79: ! This guide applies to stunnel 4.x !
80:
81: Put this in your stunnel.conf:
82:
83: [ircs]
84: accept = 6667
85: connect = 6668
86:
87: This makes stunnel listen for incoming connections
88: on port 6667 and forward decrypted data to port 6668.
89: We call the connection 'ircs'. Stunnel will use this
90: name when logging connection attempts via syslog.
91: You can also use the name in /etc/hosts.{allow,deny}
92: if you run tcp-wrappers.
93:
94: To make sure ngircd is listening on the port where
95: the decrypted data arrives, set
96:
97: Ports = 6668
98:
99: in your ngircd.conf.
100:
101: Start stunnel and restart ngircd.
102:
103: That's it.
104: Don't forget to activate ssl support in your irc client ;)
105: The main drawback of this approach compared to using builtin ssl
106: is that from ngIRCds point of view, all ssl-enabled client connections will
107: originate from the host running stunnel.
108: === snip ===
CVSweb
![[BACK]](/cvsweb/icons/back.gif){kind=icon}
Return to SSL.txt CVS log ![[TXT]](/cvsweb/icons/text.gif){kind=icon}
![[DIR]](/cvsweb/icons/dir.gif){kind=icon}
Up to [local] / ircnowd / doc