[Pkg-irc-commits] r277 - /packages/ngircd/trunk/debian/ngircd.README.Debian

cbiedl-guest at users.alioth.debian.org
Sun Nov 13 17:01:36 UTC 2011


Author: cbiedl-guest
Date: Sun Nov 13 17:01:35 2011
New Revision: 277

URL: http://svn.debian.org/wsvn/pkg-irc/?sc=1&rev=277
Log:
[ngircd] Some recommendations about TLS

Added:
    packages/ngircd/trunk/debian/ngircd.README.Debian

Added: packages/ngircd/trunk/debian/ngircd.README.Debian
URL: http://svn.debian.org/wsvn/pkg-irc/packages/ngircd/trunk/debian/ngircd.README.Debian?rev=277&op=file
==============================================================================
--- packages/ngircd/trunk/debian/ngircd.README.Debian (added)
+++ packages/ngircd/trunk/debian/ngircd.README.Debian Sun Nov 13 17:01:35 2011
@@ -1,0 +1,49 @@
+TLS support
+===========
+
+Some things to take into account when configuring TLS/SSL support:
+
+* The irc user must be able to read the key file.
+* ngircd will run without a DH parameters file but that's a bad idea.
+
+
+Certificate location
+--------------------
+* If your certificate and key are for ngircd only: Simply place them in
+  /etc/ngircd, set SSLKeyFile and SSLCertFile accordingly. To secure the
+  key file (server.key):
+
+    chown irc:irc server.key
+    chmod 600 server.key
+
+* If however you offer several TLS-based services that using the same
+  certificate and key: Consider installing the ssl-cert package which
+  provides the ssl-cert group. Place the certificate file (server.crt)
+  in /etc/ssl/certs/ and the key file (server.key) in /etc/ssl/private/,
+  and make sure ngircd can read it:
+
+	chown root:ssl-cert /etc/ssl/private/server.key
+	chmod 640 /etc/ssl/private/server.key
+	adduser irc ssl-cert
+
+  Repeat the last step for all users that run a daemon providing TLS.
+
+
+DH parameters file
+------------------
+It is suggested to create a DH params file. If missing, ngircd will
+create one on the fly but this will prolong each startup, and users of
+certain clients (e.g. weechat) will be unable to connect using TLS.
+
+To create that file:
+
+* using gnutls (from gnutls-cli package):
+
+    certtool --generate-dh-params --bits 2048 >/etc/ngircd/dhparams.pem
+
+* using openssl:
+
+    openssl dhparam -2 -out /etc/ngircd/dhparams.pem 2048
+
+This has to be done only once. Don't forget to enable the SSLDHFile
+setting in ngircd.conf.
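
Review bot: in the "Certificate location" section, the first case makes the daemon account the owner of the key (chown irc:irc server.key, chmod 600), so the irc user can rewrite or replace server.key as well as read it, while the second case only grants read access through the group (root:ssl-cert, mode 640). Consider root:irc with mode 640 in the first case so that both layouts give ngircd read-only access to the key. In the same section, "services that using the same" should read "services that use the same", and the command block of the second case is indented with tabs while the other command blocks use four spaces. The "DH parameters file" section writes /etc/ngircd/dhparams.pem through a shell redirect or -out but does not say that the irc user must be able to read that file; the opening list states this requirement for the key file only, so a sentence on the ownership and mode of dhparams.pem would help.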