X-Git-Url: https://arthur.barton.de/cgi-bin/gitweb.cgi?p=ngircd-alex.git;a=blobdiff_plain;f=doc%2FSSL.txt;h=b98c2fbeef7c2fa5273643f84f13d3fc7c73f4d7;hp=7578ad80704b5ccbe256a7ead42eead4bcbbd653;hb=49b2d0ec98d001fbc8eedd5a183d66974f70fd52;hpb=81bacda627ee3f9e69212ddd8ab804e7d15f8c16 diff --git a/doc/SSL.txt b/doc/SSL.txt index 7578ad80..b98c2fbe 100644 --- a/doc/SSL.txt +++ b/doc/SSL.txt @@ -1,7 +1,7 @@ ngIRCd - Next Generation IRC Server - (c)2001-2004 by Alexander Barton, + (c)2001-2008 Alexander Barton, alex@barton.de, http://www.barton.de/ ngIRCd is free software and published under the 
@@ -10,17 +10,71 @@ -- SSL.txt -- -ngIRCd actually doesn't support secure connections for client-server or -server-server links using SSL, the Secure Socket Layer, by itself. But you can -use the stunnel(8) command to make this work. +ngIRCd supports SSL/TLSv1 encrypted connections using the OpenSSL or GnuTLS +libraries. Both encrypted server-server links as well as client-server links +are supported. + +SSL is a compile-time option which is disabled by default. Use one of these +options of the ./configure script to enable it: + + --with-openssl enable SSL support using OpenSSL + --with-gnutls enable SSL support using GnuTLS + +You also need a key/certificate, see below for how to create a self-signed one. + +From a feature point of view, ngIRCds support for both libraries is +comparable. The only major difference (at this time) is that ngircd with gnutls +does not support password protected private keys. + +Configuration +~~~~~~~~~~~~~ + +To enable SSL connections a separate port must be configured: it is NOT +possible to handle unencrypted and encrypted connections on the same port! +This is a limitation of the IRC protocol ... + +You have to set (at least) the following configuration variables in the +[GLOBAL] section of ngircd.conf(5): SSLPorts, SSLKeyFile, and SSLCertFile. + +Now IRC clients are able to connect using SSL on the configured port(s). +(Using port 6697 for encrypted connections is common.) + +To enable encrypted server-server links, you have to additionally set +SSLConnect to "yes" in the corresponding [SERVER] section. 
+ + +Creating a self-signed certificate +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +OpenSSL: + +Creating a self-signed certificate and key: + $ openssl req -newkey rsa:2048 -x509 -keyout server-key.pem -out server-cert.pem -days 1461 +Create DH parameters (optional): + $ openssl dhparam -2 -out dhparams.pem 4096 + +GnuTLS: + +Creating a self-signed certificate and key: + $ certtool --generate-privkey --bits 2048 --outfile server-key.pem + $ certtool --generate-self-signed --load-privkey server-key.pem --outfile server-cert.pem +Create DH parameters (optional): + $ certtool --generate-dh-params --bits 4096 --outfile dhparams.pem + + +Alternate approach using stunnel(1) +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Alternatively (or if you are using ngIRCd compiled without support +for GnuTLS/OpenSSL), you can use external programs/tools like stunnel(1) to +get SSL encrypted connections: -Stefan Sperling (stefan at binarchy dot net) mailed me the following text as a +Stefan Sperling (stefan at binarchy dot net) mailed the following text as a short "how-to", thanks Stefan! - === snip === ! This guide applies to stunnel 4.x ! @@ -48,11 +102,7 @@ short "how-to", thanks Stefan! That's it. Don't forget to activate ssl support in your irc client ;) + The main drawback of this approach compared to using builtin ssl + is that from ngIRCds point of view, all ssl-enabled client connections will + originate from the host running stunnel. === snip === - - -Probably ngIRCd will include support for SSL in the future ... - - --- -$Id: SSL.txt,v 1.2 2004/12/27 01:11:40 alex Exp $
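Review bot: In the OpenSSL step of the new "Creating a self-signed certificate" section, `openssl req -newkey rsa:2048 -x509 -keyout server-key.pem -out server-cert.pem -days 1461` prompts for a pass phrase and writes an encrypted server-key.pem by default, yet the same hunk says the GnuTLS build "does not support password protected private keys"; either document the -nodes option (or stripping the pass phrase afterwards with `openssl rsa -in server-key.pem -out server-key.pem`) for GnuTLS users, and add that an unencrypted key file must then be readable only by the user ngIRCd runs as. Two smaller points in the same hunk: the "Create DH parameters (optional)" commands produce dhparams.pem, but the Configuration paragraph only lists SSLPorts, SSLKeyFile and SSLCertFile, so say which ngircd.conf(5) variable loads the DH file (and the key pass phrase, for the OpenSSL build), or drop the DH steps; and "ngIRCds support" / "ngircd with gnutls" should read "ngIRCd's support" / "ngIRCd with GnuTLS" to match the spelling used elsewhere in the file. The sentence "This is a limitation of the IRC protocol ..." trails off; give the reason in one sentence or end it with a full stop.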
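Review bot: The drawback paragraph added after "That's it." in the stunnel section should spell out the operational consequence of all SSL client connections appearing to originate from the stunnel host: anything the server decides by client address (connection limits per host, host-based bans, the host shown to other users) sees the stunnel host instead of the real client, so operators lose the ability to tell those users apart. Also "ngIRCds point of view" should be "ngIRCd's point of view", and "ssl" is written "SSL" everywhere else in the file.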