--with-openssl enable SSL support using OpenSSL
--with-gnutls enable SSL support using GnuTLS
-You need a SSL certificate, see below for how to create a self-signed one.
+You also need a key/certificate, see below for how to create a self-signed one.
+From a feature point of view, ngIRCds support for both libraries is
+comparable. The only major difference (at this time) is that ngircd with gnutls
+does not support password protected private keys.
Configuration
~~~~~~~~~~~~~
This is a limitation of the IRC protocol ...
You have to set (at least) the following configuration variables in the
-[GLOBAL] section of ngircd.conf(5): SSLPorts, SSLKeyFile, and SSLCertFile.
+[SSL] section of ngircd.conf(5): Ports, KeyFile, and CertFile.
Now IRC clients are able to connect using SSL on the configured port(s).
(Using port 6697 for encrypted connections is common.)
OpenSSL:
Creating a self-signed certificate and key:
- $ openssl req -newkey rsa:2048 -x509 -keyout server-key.pem \
- -out server-cert.pem -days 1461
+ $ openssl req -newkey rsa:2048 -x509 -keyout server-key.pem -out server-cert.pem -days 1461
Create DH parameters (optional):
- $ openssl dhparam -2 -out dhparams.pem 2048
+ $ openssl dhparam -2 -out dhparams.pem 4096
GnuTLS:
Creating a self-signed certificate and key:
$ certtool --generate-privkey --bits 2048 --outfile server-key.pem
- $ certtool --generate-self-signed --load-privkey server-key.pem \
- --outfile server-cert.pem
+ $ certtool --generate-self-signed --load-privkey server-key.pem --outfile server-cert.pem
Create DH parameters (optional):
- $ certtool --generate-dh-params --bits 2048 --outfile dhparams.pem
+ $ certtool --generate-dh-params --bits 4096 --outfile dhparams.pem
Alternate approach using stunnel(1)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-Alternatively (or if you are using ngIRCd without compiled without support
+Alternatively (or if you are using ngIRCd compiled without support
for GnuTLS/OpenSSL), you can use external programs/tools like stunnel(1) to
get SSL encrypted connections:
That's it.
Don't forget to activate ssl support in your irc client ;)
+ The main drawback of this approach compared to using builtin ssl
+ is that from ngIRCds point of view, all ssl-enabled client connections will
+ originate from the host running stunnel.
=== snip ===