
Annotation of ircnowd/doc/SSL.txt, Revision 1.1.1.1 (every line from revision 1.1, committed by tomglok)

                     ngIRCd - Next Generation IRC Server

                        (c)2001-2008 Alexander Barton,
                    alex@barton.de, http://www.barton.de/

               ngIRCd is free software and published under the
                   terms of the GNU General Public License.

                                 -- SSL.txt --


ngIRCd supports SSL/TLS encrypted connections (TLSv1 when this file was
written) using the OpenSSL or GnuTLS libraries. Both encrypted server-server
links and client-server links are supported. The protocol versions actually
offered are those the linked library version supports; the text below calls
all of them "SSL".

SSL is a compile-time option which is disabled by default. Use one of these
options of the ./configure script to enable it:

  --with-openssl     enable SSL support using OpenSSL
  --with-gnutls      enable SSL support using GnuTLS

You also need a key/certificate; see below for how to create a self-signed one.

From a feature point of view, ngIRCd's support for both libraries is
comparable. The only major difference (at this time) is that ngIRCd built
with GnuTLS does not support password-protected private keys: with that
build, the key file has to be stored unencrypted and protected by file
permissions alone.

Configuration
~~~~~~~~~~~~~

To enable SSL connections a separate port must be configured: it is NOT
possible to handle unencrypted and encrypted connections on the same port!
ngIRCd decides per listening port whether to expect a TLS handshake; the IRC
protocol itself has no negotiated upgrade from plaintext to TLS on an open
connection, so every port is either encrypted or not.

You have to set (at least) the following configuration variables in the
[SSL] section of ngircd.conf(5): Ports, KeyFile, and CertFile. A port listed
under [SSL] must not also appear in the Ports of the [Global] section; those
are the plaintext listeners.

Now IRC clients are able to connect using SSL on the configured port(s).
(Using port 6697 for encrypted connections is common.)

To enable encrypted server-server links, you have to additionally set
SSLConnect to "yes" in the corresponding [SERVER] section. This only covers
links ngIRCd itself opens; a peer connecting to this server gets an encrypted
link by connecting to one of the ports in this server's [SSL] section.

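The settings above, put together in one ngircd.conf. This is an added example for this page, not a file from the ngIRCd distribution; the server names, paths and link passwords are placeholders, and the option names are those documented in ngircd.conf(5). The [Global] block shows the mistake to avoid: a port listed there is a plaintext listener no matter which number it has.

```ini
; ngircd.conf (added example; placeholder names, paths and passwords)

[Global]
    Name = irc.example.net
    ; Plaintext listeners only. Do NOT put 6697 here: a port listed
    ; under [Global] accepts unencrypted connections, whatever its number.
    Ports = 6667

[SSL]
    ; Encrypted listeners; must differ from every port in [Global].
    Ports = 6697
    KeyFile = /etc/ngircd/server-key.pem
    CertFile = /etc/ngircd/server-cert.pem
    ; Optional: output of "openssl dhparam" or "certtool --generate-dh-params".
    DHFile = /etc/ngircd/dhparams.pem
    ; Only a build linked against OpenSSL can decrypt a passphrase-protected
    ; key; the GnuTLS build needs an unencrypted KeyFile and ignores this.
    ;KeyFilePassword = secret

[Server]
    ; Outgoing link to a peer that listens with TLS on its own [SSL] port.
    ; Without "SSLConnect = yes" the link would be opened in plaintext even
    ; if the peer's port 6697 only speaks TLS.
    Name = hub.example.net
    Host = hub.example.net
    Port = 6697
    MyPassword = link-outgoing-password
    PeerPassword = link-incoming-password
    SSLConnect = yes
```

Run "ngircd --configtest" after editing; it reads the file and reports the effective [SSL] settings without starting the daemon. Then confirm from a client host that "openssl s_client -connect irc.example.net:6697" completes a handshake and that the same command against port 6667 does not, which proves the two port lists really are separate.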
Creating a self-signed certificate
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

OpenSSL:

Creating a self-signed certificate and key:
 $ openssl req -newkey rsa:2048 -x509 -keyout server-key.pem -out server-cert.pem -days 1461
Create DH parameters (optional):
 $ openssl dhparam -2 -out dhparams.pem 4096

As written, "openssl req" prompts for the certificate subject and for a
passphrase, and writes the key encrypted with that passphrase. An ngIRCd
built with GnuTLS cannot load such a key (see above); add "-nodes" to write
the key unencrypted and protect it with file permissions instead. The 1461
days are four years; note the expiry date so the certificate is replaced in
time.

GnuTLS:

Creating a self-signed certificate and key:
 $ certtool --generate-privkey --bits 2048 --outfile server-key.pem
 $ certtool --generate-self-signed --load-privkey server-key.pem --outfile server-cert.pem
Create DH parameters (optional):
 $ certtool --generate-dh-params --bits 4096 --outfile dhparams.pem

Either way, the resulting files are referenced from the [SSL] section of
ngircd.conf(5) as KeyFile, CertFile and (optionally) DHFile.

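A non-interactive version of the OpenSSL step, plus the checks worth running before pointing ngircd.conf at the files: that the certificate belongs to the key, that it names the host clients will connect to, and that it will still be valid in N days. This is an added example for this page, not part of ngIRCd or OpenSSL. It assumes OpenSSL 1.1.1 or newer (or a recent LibreSSL) for "-addext"; "irc.example.net" and the output directory are placeholders.

```shell
#!/bin/sh
# Added example: helpers around "openssl req"/"openssl x509" for the
# self-signed certificate described above. Not ngIRCd or OpenSSL code.
# Assumes OpenSSL >= 1.1.1 (or recent LibreSSL) for -addext.

# Key + self-signed certificate with no passphrase prompt (-nodes), the
# subject and subjectAltName set to the server's host name. 1461 days is
# four years, the lifetime used in the command in the text above.
gen_selfsigned() {
    host="$1"; dir="$2"; days="${3:-1461}"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/server-key.pem" -out "$dir/server-cert.pem" \
        -days "$days" -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host"
    # The unencrypted key is protected by permissions only.
    chmod 600 "$dir/server-key.pem"
}

# Does the certificate really belong to this key? Compare the public key
# embedded in the certificate with the one derived from the private key;
# the TLS library rejects a mismatched pair when ngIRCd loads it.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Does the certificate carry the host name clients will verify against?
cert_names_host() {
    openssl x509 -in "$1" -noout -text | grep -qF "DNS:$2"
}

# Will the certificate still be valid in N days? Suitable for a cron job
# that warns before a self-signed certificate silently expires.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Hand check against a running server (needs network, not run here):
# the handshake must succeed on the [SSL] port. With a self-signed
# certificate expect "Verify return code: 18 (self signed certificate)";
# the exact wording varies between OpenSSL versions.
probe_tls_port() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>&1 |
        grep -E 'Protocol|Verify return code'
}

# Usage:
#   gen_selfsigned irc.example.net /etc/ngircd
#   cert_matches_key /etc/ngircd/server-cert.pem /etc/ngircd/server-key.pem && echo "key/cert match"
#   cert_names_host /etc/ngircd/server-cert.pem irc.example.net || echo "SAN missing"
#   cert_valid_for /etc/ngircd/server-cert.pem 30 || echo "renew within 30 days"
#   probe_tls_port irc.example.net 6697
```

The key/cert comparison matters in practice because the two files are configured independently in ngircd.conf; after a renewal it is easy to replace one and not the other, and the symptom is a TLS listener that fails at startup rather than a clear message.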
Alternate approach using stunnel(1)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Alternatively (or if you are using an ngIRCd compiled without support for
GnuTLS/OpenSSL), you can use external programs/tools like stunnel(1) to
get SSL encrypted connections:

  <http://stunnel.mirt.net/>
  <http://www.stunnel.org/>

Stefan Sperling (stefan at binarchy dot net) mailed the following text as a
short "how-to", thanks Stefan!

=== snip ===
    ! This guide applies to stunnel 4.x !

    Put this in your stunnel.conf:

        [ircs]
        accept = 6667
        connect = 6668

    This makes stunnel listen for incoming connections
    on port 6667 and forward decrypted data to port 6668.
    We call the connection 'ircs'. Stunnel will use this
    name when logging connection attempts via syslog.
    You can also use the name in /etc/hosts.{allow,deny}
    if you run tcp-wrappers.

    To make sure ngircd is listening on the port where
    the decrypted data arrives, set

        Ports = 6668

    in your ngircd.conf.

    Start stunnel and restart ngircd.

    That's it.
    Don't forget to activate SSL support in your IRC client ;)
    The main drawback of this approach compared to using built-in SSL
    is that from ngIRCd's point of view, all SSL-enabled client connections will
    originate from the host running stunnel.
=== snip ===
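A fuller version of the stunnel setup from the how-to above, as an added example for this page (written for stunnel 4.x like the how-to; it is not a file from stunnel or ngIRCd). It adds what the short version leaves implicit: stunnel, not ngIRCd, needs the certificate and key; the decrypted port 6668 is a plaintext listener that anyone can reach unless it is bound to loopback; and because every client arrives from the stunnel host, ngIRCd's per-IP connection limits and host bans see only that one address. Paths, the user name and the loopback binding are assumptions for a single-host setup; 6697 is used instead of 6667 because it is the conventional port for encrypted IRC mentioned earlier on this page.

```ini
; --- /etc/stunnel/stunnel.conf (added example, stunnel 4.x syntax) ---

; stunnel terminates TLS, so it is the process that holds the key.
cert = /etc/stunnel/server-cert.pem
key  = /etc/stunnel/server-key.pem

; Drop root after binding and chroot, so a compromised stunnel cannot
; read other files on the host. "pid" is relative to the chroot.
setuid = stunnel
setgid = stunnel
chroot = /var/run/stunnel/
pid = /stunnel.pid

; Refuse the legacy protocol versions (passed to OpenSSL as SSL_OP_* flags).
options = NO_SSLv2
options = NO_SSLv3

[ircs]
; Conventional encrypted IRC port; the how-to above uses 6667 instead.
accept = 6697
; Decrypted traffic goes to ngIRCd on loopback only. Without the address,
; stunnel would still connect to localhost, but the ngIRCd side below is
; what keeps the plaintext port off the network.
connect = 127.0.0.1:6668

; --- ngircd.conf, [Global] section (added example) ---
; Bind the plaintext port to loopback so only stunnel can reach it. "Listen"
; applies to all of ngIRCd's ports at once, so if a public plaintext port is
; also wanted, keep the default "Listen" and firewall 6668 instead.
;[Global]
;    Listen = 127.0.0.1
;    Ports = 6668
```

The ngircd.conf lines are shown commented out so the fragment is one stunnel.conf file as far as stunnel is concerned; copy them into ngircd.conf without the leading ";". After starting both daemons, "openssl s_client -connect irc.example.net:6697" should complete a TLS handshake, while a plain "nc irc.example.net 6668" from another host should be refused.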
