Annotation of ircnowd/doc/SSL.txt, Revision 1.1 (committed by tomglok)

ngIRCd - Next Generation IRC Server

(c)2001-2008 Alexander Barton,
alex@barton.de, http://www.barton.de/

ngIRCd is free software and published under the
terms of the GNU General Public License.

-- SSL.txt --


ngIRCd supports SSL/TLSv1 encrypted connections using the OpenSSL or GnuTLS
libraries. Both encrypted server-server links as well as client-server links
are supported.

SSL is a compile-time option which is disabled by default. Use one of these
options of the ./configure script to enable it:

--with-openssl    enable SSL support using OpenSSL
--with-gnutls     enable SSL support using GnuTLS

You also need a key/certificate, see below for how to create a self-signed one.

From a feature point of view, ngIRCd's support for both libraries is
comparable. The only major difference (at this time) is that ngIRCd built with
GnuTLS does not support password-protected private keys.

Configuration
~~~~~~~~~~~~~

To enable SSL connections a separate port must be configured: it is NOT
possible to handle unencrypted and encrypted connections on the same port!
This is a limitation of the IRC protocol ...

You have to set (at least) the following configuration variables in the
[SSL] section of ngircd.conf(5): Ports, KeyFile, and CertFile.

Now IRC clients are able to connect using SSL on the configured port(s).
(Using port 6697 for encrypted connections is common.)

To enable encrypted server-server links, you have to additionally set
SSLConnect to "yes" in the corresponding [SERVER] section.


Creating a self-signed certificate
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

OpenSSL:

Creating a self-signed certificate and key:
$ openssl req -newkey rsa:2048 -x509 -keyout server-key.pem -out server-cert.pem -days 1461
Create DH parameters (optional):
$ openssl dhparam -2 -out dhparams.pem 4096

GnuTLS:

Creating a self-signed certificate and key:
$ certtool --generate-privkey --bits 2048 --outfile server-key.pem
$ certtool --generate-self-signed --load-privkey server-key.pem --outfile server-cert.pem
Create DH parameters (optional):
$ certtool --generate-dh-params --bits 4096 --outfile dhparams.pem


Alternate approach using stunnel(1)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Alternatively (or if you are using ngIRCd compiled without support
for GnuTLS/OpenSSL), you can use external programs/tools like stunnel(1) to
get SSL encrypted connections:

<http://stunnel.mirt.net/>
<http://www.stunnel.org/>

Stefan Sperling (stefan at binarchy dot net) mailed the following text as a
short "how-to", thanks Stefan!

=== snip ===
! This guide applies to stunnel 4.x !

Put this in your stunnel.conf:

[ircs]
accept = 6667
connect = 6668

This makes stunnel listen for incoming connections
on port 6667 and forward decrypted data to port 6668.
We call the connection 'ircs'. Stunnel will use this
name when logging connection attempts via syslog.
You can also use the name in /etc/hosts.{allow,deny}
if you run tcp-wrappers.

To make sure ngircd is listening on the port where
the decrypted data arrives, set

Ports = 6668

in your ngircd.conf.

Start stunnel and restart ngircd.

That's it.
Don't forget to activate ssl support in your irc client ;)
The main drawback of this approach compared to using built-in ssl
is that from ngIRCd's point of view, all ssl-enabled client connections will
originate from the host running stunnel.
=== snip ===