X-Git-Url: https://arthur.barton.de/cgi-bin/gitweb.cgi?p=ngircd-alex.git;a=blobdiff_plain;f=doc%2FSSL.txt;h=28ea2cd92213d6e7fdd63b319ff1b2defe63b722;hp=6b590b8681ee872633597f7dfc1928f3bf83a8f3;hb=beb9f65dc8dfb4517ab59512ddaf1e111a4e3132;hpb=e070d93f649f76a57ce4c01782887e375f3cfba3 diff --git a/doc/SSL.txt b/doc/SSL.txt index 6b590b86..28ea2cd9 100644 --- a/doc/SSL.txt +++ b/doc/SSL.txt @@ -20,8 +20,11 @@ options of the ./configure script to enable it: --with-openssl enable SSL support using OpenSSL --with-gnutls enable SSL support using GnuTLS -You need a SSL certificate, see below for how to create a self-signed one. +You also need a key/certificate, see below for how to create a self-signed one. +From a feature point of view, ngIRCds support for both libraries is +comparable. The only major difference (at this time) is that ngircd with gnutls +does not support password protected private keys. Configuration ~~~~~~~~~~~~~ @@ -31,7 +34,7 @@ possible to handle unencrypted and encrypted connections on the same port! This is a limitation of the IRC protocol ... You have to set (at least) the following configuration variables in the -[GLOBAL] section of ngircd.conf(5): SSLPorts, SSLKeyFile, and SSLCertFile. +[SSL] section of ngircd.conf(5): Ports, KeyFile, and CertFile. Now IRC clients are able to connect using SSL on the configured port(s). (Using port 6697 for encrypted connections is common.) @@ -46,25 +49,23 @@ Creating a self-signed certificate OpenSSL: Creating a self-signed certificate and key: - $ openssl req -newkey rsa:2048 -x509 -keyout server-key.pem \ - -out server-cert.pem -days 1461 + $ openssl req -newkey rsa:2048 -x509 -keyout server-key.pem -out server-cert.pem -days 1461 Create DH parameters (optional): - $ openssl dhparam -2 -out dhparams.pem 2048 + $ openssl dhparam -2 -out dhparams.pem 4096 GnuTLS: Creating a self-signed certificate and key: $ certtool --generate-privkey --bits 2048 --outfile server-key.pem - $ certtool --generate-self-signed --load-privkey server-key.pem \ - --outfile server-cert.pem + $ certtool --generate-self-signed --load-privkey server-key.pem --outfile server-cert.pem Create DH parameters (optional): - $ certtool --generate-dh-params --bits 2048 --outfile dhparams.pem + $ certtool --generate-dh-params --bits 4096 --outfile dhparams.pem Alternate approach using stunnel(1) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Alternatively (or if you are using ngIRCd without compiled without support +Alternatively (or if you are using ngIRCd compiled without support for GnuTLS/OpenSSL), you can use external programs/tools like stunnel(1) to get SSL encrypted connections: @@ -101,4 +102,7 @@ short "how-to", thanks Stefan! That's it. Don't forget to activate ssl support in your irc client ;) + The main drawback of this approach compared to using builtin ssl + is that from ngIRCds point of view, all ssl-enabled client connections will + originate from the host running stunnel. === snip ===