From beb7dac747df5e10fa83eced103a3316924ba7e1 Mon Sep 17 00:00:00 2001 From: pk910 Date: Tue, 7 Feb 2012 13:59:37 +0100 Subject: [PATCH] added small ssl documentation (thanks to lukas :D) --- doc/example.conf | 21 +++++++++++++++ doc/readme.ssl | 66 ++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 87 insertions(+) create mode 100644 doc/readme.ssl diff --git a/doc/example.conf b/doc/example.conf index 235bd31..0e4c6c2 100644 --- a/doc/example.conf +++ b/doc/example.conf @@ -532,6 +532,19 @@ Kill reason = "You are infected with a Trojan"; }; +# [SSL] +# +#SSL { +# # There need to be the private key AND the public key INSIDE the certificate file +# cert = ""; +# # Optional CA certificate for non-self-signed certificates +# cacert = ""; +#}; + +SSL { + cert = "ircd.pem"; +}; + # [Connect] # # You probably want your server connected to other servers, so your users @@ -708,6 +721,8 @@ Operator { # server = yes; # # Setting to yes makes the port "hidden" from stats. # hidden = yes; +# # Setting to yes makes the port to handle incoming connection as SSL connections +# secure = no; # }; # # The port and vhost lines allow you to specify one or both of "ipv4" @@ -749,6 +764,12 @@ Port { port = 6666; }; +#SSL Port +Port { + port = 6697; + secure = yes; +}; + # This is a hidden client port, listening on 168.8.21.107. Port { vhost = "168.8.21.107"; diff --git a/doc/readme.ssl b/doc/readme.ssl new file mode 100644 index 0000000..1738327 --- /dev/null +++ b/doc/readme.ssl 
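Review bot: The file named by `cert` in the new `SSL` block also holds the server's private key (the added comment above `cert = "";` says so), but the example never tells the operator to protect it. I would add a line next to that comment such as `# This file contains the private key: keep it readable only by the ircd user (e.g. mode 0600).` The readme added in this same commit creates the file with `-nodes -newkey rsa:1024`, so the key is stored unencrypted and is only 1024 bits long; pointing the example at `-newkey rsa:2048` or larger would be safer. The uncommented `SSL { cert = "ircd.pem"; };` also makes the sample config depend on a file that does not exist until the operator generates it. How the ircd reacts to a missing file is not visible here, so consider shipping the live block commented out.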
@@ -0,0 +1,66 @@
+Using SSL with IRCu
+
+SSL in IRCu is principally pretty easy. You just have to compile
+the IRCd with the GnuTLS/OpenSSL headers. This will be done
+automatically if the headers are found by the ./configure script.
+
+To see if the configure script found the GnuTLS/OpenSSL headers you
+just have to look into the summary at the end:
+ OpenSSL: yes
+ GnuTLS: yes
+If both headers were not found (`no` output) we have to install the
+required SSL header first. On Debian, this is quite simple:
+just install the following two packages using the build in
+apt packet management:
+apt-get install libssl-dev or apt-get install libgnutls-dev.
+
+Now we have to create a valid certificate for the IRCu. For a "normal"
+IRC network usually a self signed SSL certificate should be enough.
+If you want to buy a certificate for 200€+ you can do that too, of course.
+
+If you want to put this money aside and create your own SSL certificate now,
+you just have to type (example for openssl):
+openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout ircd.pem -out ircd.pem
+
+Generating a 1024 bit RSA private key
+....................................................++++++
+......++++++
+writing new private key to 'ircd.pem'
+-----
+You are about to be asked to enter information that will be incorporated
+into your certificate request.
+What you are about to enter is what is called a Distinguished Name or a DN.
+There are quite a few fields but you can leave some blank
+For some fields there will be a default value,
+If you enter '.', the field will be left blank.
+-----
+Country Name (2 letter code) [AU]:
+State or Province Name (full name) [Some-State]:
+Locality Name (eg, city) []:
+Organization Name (eg, company) [Internet Widgits Pty Ltd]:
+Organizational Unit Name (eg, section) []:
+Common Name (eg, YOUR name) []: IMPORTANT: Here you have to enter the
+                                address of your IRC Server.
+                                You can use FQHN form (x.y.net) or
+                                wildcarts (for all servers) *.y.net. 
+Email Address []:
+
+As we have a valid SSL certificate now, we have to tell the IRCu where it
+can be found. For this, we add a SSL block to the configuration (ircd.conf):
+ SSL {
+ cert = "ircd.pem";
+ };
+
+The path (in our case ./ircd.pem) is relative to the lib directory of your
+IRCu installation. Now our IRCu should already be working with SSL. To use
+this feature, we now have to add a SSL port:
+ Port {
+ secure = yes;
+ port = 7776;
+ };
+
+According to RFC the port 6697 should also be used for SSL.
+ Port {
+ secure = yes;
+ port = 6697;
+ };
-- 2.20.1