2 6960cb4c 2004-12-27 alex ngIRCd - Next Generation IRC Server
4 6960cb4c 2004-12-27 alex (c)2001-2004 by Alexander Barton,
5 6960cb4c 2004-12-27 alex alex@barton.de, http://www.barton.de/
7 6960cb4c 2004-12-27 alex ngIRCd is free software and published under the
8 6960cb4c 2004-12-27 alex terms of the GNU General Public License.
10 6960cb4c 2004-12-27 alex -- SSL.txt --
13 ebf5edfd 2008-09-13 fw ngIRCd supports SSL/TLSv1 encrypted connections using the
14 ebf5edfd 2008-09-13 fw OpenSSL or gnutls library.
15 ebf5edfd 2008-09-13 fw Both encrypted server <-> client and server <-> server links should work.
17 ebf5edfd 2008-09-13 fw BEWARE! The code is mostly untested; use at your own risk!
19 ebf5edfd 2008-09-13 fw Example that creates a self-signed certificate and key (using OpenSSL):
20 ebf5edfd 2008-09-13 fw openssl req -newkey rsa:2048 -x509 -keyout server-key.pem \
21 ebf5edfd 2008-09-13 fw -out server-cert.pem -days 1461
23 ebf5edfd 2008-09-13 fw Example that creates DH parameters (optional):
24 ebf5edfd 2008-09-13 fw openssl dhparam -2 -out dhparams.pem 2048
26 ebf5edfd 2008-09-13 fw Example that creates a self-signed certificate
27 ebf5edfd 2008-09-13 fw and key (using gnutls):
29 ebf5edfd 2008-09-13 fw certtool --generate-privkey --bits 2048 --outfile server-key.pem
30 ebf5edfd 2008-09-13 fw certtool --generate-self-signed --load-privkey server-key.pem \
31 ebf5edfd 2008-09-13 fw --outfile server-cert.pem
33 ebf5edfd 2008-09-13 fw Example that creates DH parameters (optional):
34 ebf5edfd 2008-09-13 fw certtool --generate-dh-params --bits 2048 --outfile dhparams.pem
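Added example (not part of ngIRCd or its documentation): once server-key.pem and server-cert.pem exist, these shell functions use the openssl command to confirm that the key belongs to the certificate, that the key file is closed to group and others, and that the certificate is not about to expire. The function names are hypothetical, and an unencrypted private key is assumed.

```sh
#!/bin/sh
# Added example: sanity checks for the key/certificate pair created above.
# Function names are hypothetical; file names follow SSL.txt.

# True if the certificate carries the public key of this private key.
# (An unencrypted key is assumed; an encrypted one prompts for its passphrase.)
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$cert_pub" ]
}

# True if neither group nor others have any permission on the key file.
key_is_private() {
    perms=$(ls -ld "$1" | cut -c5-10) || return 2
    [ "$perms" = "------" ]
}

# True if the certificate is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Runs all three checks on <key> <cert>; returns the number of failures.
check_pair() {
    failed=0
    key_matches_cert "$1" "$2" ||
        { echo "FAIL: $1 does not belong to $2"; failed=$((failed + 1)); }
    key_is_private "$1" ||
        { echo "FAIL: $1 is accessible to group/others (chmod 600)"; failed=$((failed + 1)); }
    cert_valid_for_days "$2" 30 ||
        { echo "FAIL: $2 is expired or expires within 30 days"; failed=$((failed + 1)); }
    return "$failed"
}

# Usage: sh check-pair.sh server-key.pem server-cert.pem
if [ "$#" -eq 2 ]; then
    check_pair "$1" "$2"
fi
```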
36 ebf5edfd 2008-09-13 fw Alternatively, you may use external programs/tools like stunnel to
39 81bacda6 2004-12-27 alex <http://stunnel.mirt.net/>
40 81bacda6 2004-12-27 alex <http://www.stunnel.org/>
42 6960cb4c 2004-12-27 alex Stefan Sperling (stefan at binarchy dot net) mailed me the following text as a
43 6960cb4c 2004-12-27 alex short "how-to", thanks Stefan!
46 6960cb4c 2004-12-27 alex === snip ===
47 6960cb4c 2004-12-27 alex ! This guide applies to stunnel 4.x !
49 6960cb4c 2004-12-27 alex Put this in your stunnel.conf:
51 6960cb4c 2004-12-27 alex [ircs]
52 6960cb4c 2004-12-27 alex accept = 6667
53 6960cb4c 2004-12-27 alex connect = 6668
55 6960cb4c 2004-12-27 alex This makes stunnel listen for incoming connections
56 6960cb4c 2004-12-27 alex on port 6667 and forward decrypted data to port 6668.
57 6960cb4c 2004-12-27 alex We call the connection 'ircs'. Stunnel will use this
58 6960cb4c 2004-12-27 alex name when logging connection attempts via syslog.
59 6960cb4c 2004-12-27 alex You can also use the name in /etc/hosts.{allow,deny}
60 6960cb4c 2004-12-27 alex if you run tcp-wrappers.
62 6960cb4c 2004-12-27 alex To make sure ngircd is listening on the port where
63 6960cb4c 2004-12-27 alex the decrypted data arrives, set
65 6960cb4c 2004-12-27 alex Ports = 6668
67 6960cb4c 2004-12-27 alex in your ngircd.conf.
69 6960cb4c 2004-12-27 alex Start stunnel and restart ngircd.
72 6960cb4c 2004-12-27 alex Don't forget to activate ssl support in your irc client ;)
73 6960cb4c 2004-12-27 alex === snip ===
79 81bacda6 2004-12-27 alex $Id: SSL.txt,v 1.2 2004/12/27 01:11:40 alex Exp $