-
- ngIRCd - Next Generation IRC Server
-
- (c)2001-2008 Alexander Barton,
- alex@barton.de, http://www.barton.de/
-
- ngIRCd is free software and published under the
- terms of the GNU General Public License.
-
- -- SSL.txt --
-
-
-ngIRCd supports SSL/TLSv1 encrypted connections using the OpenSSL or GnuTLS
-libraries. Both encrypted server-server links as well as client-server links
-are supported.
-
-SSL is a compile-time option which is disabled by default. Use one of these
-options of the ./configure script to enable it:
-
- --with-openssl enable SSL support using OpenSSL
- --with-gnutls enable SSL support using GnuTLS
-
-You also need a key/certificate, see below for how to create a self-signed one.
-
-From a feature point of view, ngIRCds support for both libraries is
-comparable. The only major difference (at this time) is that ngircd with gnutls
-does not support password protected private keys.
-
-Configuration
-~~~~~~~~~~~~~
-
-To enable SSL connections a separate port must be configured: it is NOT
-possible to handle unencrypted and encrypted connections on the same port!
-This is a limitation of the IRC protocol ...
-
-You have to set (at least) the following configuration variables in the
-[SSL] section of ngircd.conf(5): Ports, KeyFile, and CertFile.
-
-Now IRC clients are able to connect using SSL on the configured port(s).
-(Using port 6697 for encrypted connections is common.)
-
-To enable encrypted server-server links, you have to additionally set
-SSLConnect to "yes" in the corresponding [SERVER] section.
-
-
-Creating a self-signed certificate
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-OpenSSL:
-
-Creating a self-signed certificate and key:
- $ openssl req -newkey rsa:2048 -x509 -keyout server-key.pem -out server-cert.pem -days 1461
-Create DH parameters (optional):
- $ openssl dhparam -2 -out dhparams.pem 4096
-
-GnuTLS:
-
-Creating a self-signed certificate and key:
- $ certtool --generate-privkey --bits 2048 --outfile server-key.pem
- $ certtool --generate-self-signed --load-privkey server-key.pem --outfile server-cert.pem
-Create DH parameters (optional):
- $ certtool --generate-dh-params --bits 4096 --outfile dhparams.pem
-
-
-Alternate approach using stunnel(1)
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Alternatively (or if you are using ngIRCd compiled without support
-for GnuTLS/OpenSSL), you can use external programs/tools like stunnel(1) to
-get SSL encrypted connections:
-
- <http://stunnel.mirt.net/>
- <http://www.stunnel.org/>
-
-Stefan Sperling (stefan at binarchy dot net) mailed the following text as a
-short "how-to", thanks Stefan!
-
-=== snip ===
- ! This guide applies to stunnel 4.x !
-
- Put this in your stunnel.conf:
-
- [ircs]
- accept = 6667
- connect = 6668
-
- This makes stunnel listen for incoming connections
- on port 6667 and forward decrypted data to port 6668.
- We call the connection 'ircs'. Stunnel will use this
- name when logging connection attempts via syslog.
- You can also use the name in /etc/hosts.{allow,deny}
- if you run tcp-wrappers.
-
- To make sure ngircd is listening on the port where
- the decrypted data arrives, set
-
- Ports = 6668
-
- in your ngircd.conf.
-
- Start stunnel and restart ngircd.
-
- That's it.
- Don't forget to activate ssl support in your irc client ;)
- The main drawback of this approach compared to using builtin ssl
- is that from ngIRCds point of view, all ssl-enabled client connections will
- originate from the host running stunnel.
-=== snip ===