TLS-based server connection, wheezy/jessie interoperability =========================================================== There might be a problem when linking two ngircd servers running the wheezy and the jessie version respectively. If you see | gnutls_handshake: Could not negotiate a supported cipher suite. on the wheezy and | SSL error: The TLS connection was non-properly terminated. [gnutls_handshake]. on the jessie side: As a workaround, set "Passive = yes" in jessie's [Server] section so the connection is always initiated by wheezy. This way around the negotiation will succeed. TLS support =========== Some things to take into account when configuring TLS/SSL support: * The irc user must be able to read the key file. * ngIRCd will run without a DH parameters file but that's a bad idea. * A certificate exchange requires restart. Certificate location -------------------- * If your certificate and key are for ngIRCd only: Simply place them in /etc/ngircd, set KeyFile and CertFile accordingly. To secure the key file (server.key): chown irc:irc server.key chmod 600 server.key * If however you offer several TLS-based services that using the same certificate and key: Consider installing the ssl-cert package which provides the ssl-cert group. Place the certificate file (server.crt) in /etc/ssl/certs/ and the key file (server.key) in /etc/ssl/private/, and make sure ngIRCd can read it: chown root:ssl-cert /etc/ssl/private/server.key chmod 640 /etc/ssl/private/server.key adduser irc ssl-cert Repeat the last step for all users that run a daemon providing TLS. DH parameters file ------------------ It is suggested to create a DH params file. If missing, ngIRCd will create one on the fly but this will prolong each startup. To create that file: * using gnutls (from gnutls-cli package): certtool --generate-dh-params --bits 2048 >/etc/ngircd/dhparams.pem * using openssl: openssl dhparam -2 -out /etc/ngircd/dhparams.pem 2048 This has to be done only once. Don't forget to enable the DHFile setting in /etc/ngircd/ngircd.conf. Certificate exchange -------------------- Due to limitations of GnuTLS, a re-start of ngIRCd is required if the certificates were changed. A reload is not sufficient.