commit - bdd44eb0ab7e6ee080989c672ce6deeffae987c2
commit + ebf5edfd8788037c39818461d09874a851b845fc
blob - 7578ad80704b5ccbe256a7ead42eead4bcbbd653
blob + 6ea207e6ccf9bdf6f59bd752ef0c321345b02cda
--- doc/SSL.txt
+++ doc/SSL.txt
-- SSL.txt --
-ngIRCd actually doesn't support secure connections for client-server or
-server-server links using SSL, the Secure Socket Layer, by itself. But you can
-use the stunnel(8) command to make this work.
+ngIRCd supports SSL/TLSv1 encrypted connections using the
+OpenSSL or gnutls library.
+Both encryped server <-> client and server <-> server links should work.
+BEWARE! The Code is mostly untested, use at your own risk!
+
+Example that creates a self-signed certificate and key (using OpenSSL):
+openssl req -newkey rsa:2048 -x509 -keyout server-key.pem \
+ -out server-cert.pem -days 1461
+
+Example that creates DH parameters (optional):
+openssl dhparam -2 -out dhparams.pem 2048
+
+Example that creates a self-signed certificate
+and key (using gnutls):
+
+certtool --generate-privkey --bits 2048 --outfile server-key.pem
+certtool --generate-self-signed --load-privkey server-key.pem \
+ --outfile server-cert.pem
+
+Example that creates DH parameters (optional):
+certtool --generate-dh-params --bits 2048 --outfile dhparams.pem
+
+Alternatively, you may use external programs/tools like stunnel to
+make it work:
+
<http://stunnel.mirt.net/>
<http://www.stunnel.org/>
=== snip ===
-Probably ngIRCd will include support for SSL in the future ...
--
blob - 87a94d9df8be365b4de8d2597cf06ed4d316800b
blob + ba2d477b10d99d2f91753ae46c000bfe08b81adb
--- doc/sample-ngircd.conf
+++ doc/sample-ngircd.conf
# Use "ngircd --configtest" (see manual page ngircd(8)) to validate that the
# server interprets the configuration file as expected!
#
+# Please see ngircd.conf(5) for a complete list of configuration options.
+#
[Global]
# The [Global] section of this file is used to define the main
# one port, separated with ",". (Default: 6667)
;Ports = 6667, 6668, 6669
+ # Additional Listen Ports that expect SSL/TLS encrypted connections
+ ;SSLPorts = 9999,6668
+
+ # SSL Server Key
+ ;SSLKeyFile = /usr/local/etc/ngircd/ssl/server-key.pem
+
+ # password to decrypt SSLKeyFile (OpenSSL only)
+ ;SSLKeyFilePassword = secret
+
+ # SSL Server Key Certificate
+ ;SSLCertFile = /usr/local/etc/ngircd/ssl/server-cert.pem
+
+ # Diffie-Hellman parameters
+ ;SSLDHFile = /usr/local/etc/ngircd/ssl/dhparams.pem
+
# comma seperated list of IP addresses on which the server should
# listen. Default values are:
# "0.0.0.0" or (if compiled with IPv6 support) "::,0.0.0.0"
# IRC name of the remote server, must match the "Name" variable in
# the [Global] section of the other server (when using ngIRCd).
;Name = irc2.the.net
-
+
# Internet host name or IP address of the peer (only required when
# this server should establish the connection).
;Host = connect-to-host.the.net
# this specific server later.
;Passive = no
+ # Connect to the remote server using TLS/SSL (Default: false)
+ ; SSLConnect = yes
+
[Server]
# More [Server] sections, if you like ...
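Review bot: The new `;SSLKeyFilePassword = secret` entry in the [Global] hunk documents a key passphrase as an ordinary config value but says nothing about the consequence: the passphrase then sits in clear text in the same file tree as the key it protects, so it adds nothing beyond the permissions on ngircd.conf itself. A comment above the key would make that explicit, e.g. `# NOTE: stored in clear text; it protects the key only as far as this file is unreadable by other users, so keep ngircd.conf and SSLKeyFile readable by the ngircd user only.` In the [Server] hunk, `; SSLConnect = yes` has a space after `;` unlike every other commented-out key (`;SSLPorts`, `;SSLKeyFile`, `;Passive`), and its comment says "(Default: false)" while this file's own boolean vocabulary is yes/no (`;Passive = no`); `;SSLConnect = yes` with "(Default: no)" would match the surroundings. The same SSLConnect entry in man/ngircd.conf.5.tmpl is inserted without a preceding `.TP`, so it would render as a continuation of the MaxNickLength paragraph — presumably an oversight worth fixing in the same commit.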
blob - 7c9ce3163e4f8b0b69b0cca9cecd66bf993199f7
blob + 61e2f5fe0ec28a88acaa8371aac1a3903f443629
--- man/ngircd.conf.5.tmpl
+++ man/ngircd.conf.5.tmpl
Ports on which the server should listen. There may be more than one port,
separated with ','. Default: 6667.
.TP
+\fBSSLPorts\fR
+Same as \fBPorts\fR , except that ngircd will expect incoming connections
+to be SSL/TLS encrypted. Default: None
+.TP
+\fBSSLKeyFile\fR
+Filename of SSL Server Key to be used for SSL connections. This is required for
+SSL/TLS support.
+.TP
+\fBSSLKeyFilePassword\fR
+(OpenSSL only:) Password to decrypt private key.
+.TP
+\fBSSLCertFile\fR
+Certificate of the private key
+.TP
+\fBSSLDHFile\fR
+Name of the Diffie-Hellman Parameter file. Can be created with gnutls "certtool --generate-dh-params" or "openssl dhparam".
+If this file is not present, it will be generated on startup when ngircd
+was compiled with gnutls support (this may take some time). If ngircd
+was compiled with OpenSSL, then (Ephemeral)-Diffie-Hellman Key Exchanges and several
+Cipher Suites will not be available.
+.TP
\fBListen\fR
A comma seperated list of IP address on which the server should listen.
If unset, the defaults value is "0.0.0.0", or, if ngircd was compiled
Maximum length of an user nick name (Default: 9, as in RFC 2812). Please
note that all servers in an IRC network MUST use the same maximum nick name
length!
+\fBSSLConnect\fR
+Connect to the remote server using TLS/SSL (Default: false)
.SH [OPERATOR]
.I [Operator]
sections are used to define IRC Operators. There may be more than one