File: ngircd.README.Debian

ngircd 25-2
TLS-based server connection, wheezy/jessie interoperability
===========================================================

There might be a problem when linking two ngircd servers running
the wheezy and the jessie version respectively. If you see
| gnutls_handshake: Could not negotiate a supported cipher suite.
on the wheezy side and
| SSL error: The TLS connection was non-properly terminated. [gnutls_handshake].
on the jessie side, set "Passive = yes" in jessie's [Server] section
as a workaround, so that the connection is always initiated by wheezy.
With the handshake started from that side, the negotiation succeeds.


TLS support
===========

Some things to take into account when configuring TLS/SSL support:

* The irc user must be able to read the key file.
* ngIRCd will run without a DH parameters file, but that's a bad idea.
* A certificate exchange requires a restart.


Certificate location
--------------------
* If your certificate and key are for ngIRCd only: Simply place them in
  /etc/ngircd, set KeyFile and CertFile accordingly. To secure the key
  file (server.key):

    chown irc:irc server.key
    chmod 600 server.key

* If however you offer several TLS-based services that use the same
  certificate and key: Consider installing the ssl-cert package, which
  provides the ssl-cert group. Place the certificate file (server.crt)
  in /etc/ssl/certs/ and the key file (server.key) in /etc/ssl/private/,
  and make sure ngIRCd can read it:

    chown root:ssl-cert /etc/ssl/private/server.key
    chmod 640 /etc/ssl/private/server.key
    adduser irc ssl-cert

  Repeat the last step for all users that run a daemon providing TLS.


DH parameters file
------------------
It is suggested to create a DH params file. If missing, ngIRCd will
create one on the fly but this will prolong each startup.

To create that file:

* using gnutls (from gnutls-cli package):

    certtool --generate-dh-params --bits 2048 >/etc/ngircd/dhparams.pem

* using openssl:

    openssl dhparam -2 -out /etc/ngircd/dhparams.pem 2048

This has to be done only once. Don't forget to enable the DHFile
setting in /etc/ngircd/ngircd.conf.
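The checks from the "Certificate location" and "DH parameters file" sections, turned into a small audit script. This is an added example and not part of the ngircd package or its Debian README; it assumes the KeyFile, CertFile and DHFile keys live in the [SSL] section of ngircd.conf and that GNU stat (-c) is available.

```sh
#!/bin/sh
# Added example (not ngircd code): audit the TLS files named in ngircd.conf
# against the rules above: the private key must not be readable by "other"
# (600 when owned by irc, 640 when shared via group ssl-cert) and the DH
# params file should exist so startup is not slowed down by generating one.

# Print the value of one key from the [SSL] section; lines commented out
# with ';' or '#' are ignored. $1 = config file, $2 = key name.
ssl_setting() {
    sed -n '/^\[SSL\]/,/^\[/{/^[[:space:]]*'"$2"'[[:space:]]*=/{s/^[^=]*=[[:space:]]*//;s/[[:space:]]*$//;p;};}' "$1" | head -n 1
}

# Report problems with the configured files on stdout; returns the number
# of problems found (0 = everything looks right). $1 = path to ngircd.conf
audit_ngircd_tls() {
    conf=$1
    problems=0
    for key in KeyFile CertFile DHFile; do
        path=$(ssl_setting "$conf" "$key")
        if [ -z "$path" ]; then
            echo "$key: not set in [SSL] section of $conf"
            problems=$((problems + 1))
            continue
        fi
        if [ ! -f "$path" ]; then
            echo "$key: $path does not exist"
            problems=$((problems + 1))
            continue
        fi
        mode=$(stat -c %a "$path")
        last=${mode#"${mode%?}"}   # permission digit for "other"
        if [ "$key" = KeyFile ] && [ "$last" != 0 ]; then
            echo "KeyFile: $path is readable by others (mode $mode); use 600 or 640"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}
```

Source the script and run `audit_ngircd_tls /etc/ngircd/ngircd.conf`; ownership and ssl-cert group membership still have to be verified by hand, as the script only inspects the mode bits.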


Certificate exchange
--------------------
Due to limitations of GnuTLS, a re-start of ngIRCd is required if the
certificates were changed. A reload is not sufficient.