TLS support
===========

Some things to take into account when configuring TLS/SSL support:

* The irc user must be able to read the key file.
* ngIRCd will run without a DH parameters file but that's a bad idea.
* A certificate exchange requires restart.


Certificate location
--------------------
* If your certificate and key are for ngIRCd only: Simply place them in
  /etc/ngircd, set KeyFile and CertFile accordingly. To secure the key
  file (server.key):

    chown irc:irc server.key
    chmod 600 server.key

* If however you offer several TLS-based services that using the same
  certificate and key: Consider installing the ssl-cert package which
  provides the ssl-cert group. Place the certificate file (server.crt)
  in /etc/ssl/certs/ and the key file (server.key) in /etc/ssl/private/,
  and make sure ngIRCd can read it:

	chown root:ssl-cert /etc/ssl/private/server.key
	chmod 640 /etc/ssl/private/server.key
	adduser irc ssl-cert

  Repeat the last step for all users that run a daemon providing TLS.

* DO NOT store these files in /home/ - due to 'ProtectHome=true' in
  ngircd.service the daemon will not be able to load the files.


DH parameters file
------------------
It is suggested to create a DH params file. If missing, ngIRCd will
create one on the fly but this will prolong each startup.

To create that file:

* using gnutls (from gnutls-cli package):

    certtool --generate-dh-params --bits 2048 >/etc/ngircd/dhparams.pem

* using openssl:

    openssl dhparam -2 -out /etc/ngircd/dhparams.pem 2048

This has to be done only once. Don't forget to enable the DHFile
setting in /etc/ngircd/ngircd.conf.