TLS support
===========

Some things to take into account when configuring TLS/SSL support:

* The irc user must be able to read the key file.
* ngIRCd will run without a DH parameters file, but that's a bad idea.
* Replacing the certificate requires a restart of the daemon.

Certificate location
--------------------

* If your certificate and key are for ngIRCd only:

  Simply place them in /etc/ngircd and set KeyFile and CertFile
  accordingly. To secure the key file (server.key):

    chown irc:irc server.key
    chmod 600 server.key

* If, however, you offer several TLS-based services that use the same
  certificate and key:

  Consider installing the ssl-cert package, which provides the ssl-cert
  group. Place the certificate file (server.crt) in /etc/ssl/certs/ and
  the key file (server.key) in /etc/ssl/private/, and make sure ngIRCd
  can read it:

    chown root:ssl-cert /etc/ssl/private/server.key
    chmod 640 /etc/ssl/private/server.key
    adduser irc ssl-cert

  Repeat the last step for all users that run a daemon providing TLS.

* DO NOT store these files in /home/ - due to 'ProtectHome=true' in
  ngircd.service the daemon will not be able to load the files.

TLS-based server-server links
-----------------------------

When linking two ngircd servers, the connection should be TLS-based for
obvious reasons. To do so, edit ngircd.conf:

* Enable SSLConnect in each [Server] stanza.
* Define CAFile in the [SSL] stanza. Note that by default *no*
  certificate is trusted. If the peer's certificate was signed by one of
  the well-known certificate authorities, use the suggested value
  "/etc/ssl/certs/ca-certificates.crt" and install the ca-certificates
  package. Otherwise set the value to the respective CA's certificate
  file.

Verification can be disabled entirely on a per-link basis by setting
SSLVerify to false. This is strongly discouraged, as you will lose all
security by doing that.

DH parameters file
------------------

It is suggested to create a DH params file. If missing, ngIRCd will
create one on the fly, but this will prolong each startup.

To create that file:

* using gnutls (from the gnutls-bin package):

    certtool --generate-dh-params --bits 2048 >/etc/ngircd/dhparams.pem

* using openssl:

    openssl dhparam -2 -out /etc/ngircd/dhparams.pem 2048

This has to be done only once. Don't forget to enable the DHFile setting
in /etc/ngircd/ngircd.conf.
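As an added example that is not part of ngIRCd or its Debian packaging, the following POSIX shell helpers check the two key-file layouts described under "Certificate location" (mode 600 owned by the daemon user, or mode 640 owned by root with the ssl-cert group) and the /home pitfall, before the daemon is started. It assumes GNU coreutils `stat` and `id`; the daemon user and group names default to `irc` and `ssl-cert`.

```shell
#!/bin/sh
# Added example, not ngIRCd's own code. Assumes GNU stat (-c) and id.

# Return 0 if the mode of $1 grants no read access to "other" (e.g. 600, 640).
key_not_world_readable() {
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# Return 0 if the daemon user ($2, default irc) can read the key file $1
# through one of the two layouts from this README:
#   - mode ?00: the file must be owned by the daemon user itself
#   - mode ?40: the file's group must be $3 (default ssl-cert) and the
#               daemon user must be a member of that group
key_layout_ok() {
    key=$1; user=${2:-irc}; group=${3:-ssl-cert}
    key_not_world_readable "$key" || return 1
    mode=$(stat -c '%a' "$key") || return 1
    owner=$(stat -c '%U' "$key") || return 1
    grp=$(stat -c '%G' "$key") || return 1
    case "$mode" in
        ?00) [ "$owner" = "$user" ] ;;
        ?40) [ "$grp" = "$group" ] &&
             id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$group" ;;
        *)   return 1 ;;
    esac
}

# Return 0 if $1 lives under /home, where ProtectHome=true in
# ngircd.service hides it from the daemon.
under_home() {
    case "$1" in
        /home/*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Usage: check_tls_key /etc/ssl/private/server.key [user] [group]
check_tls_key() {
    if under_home "$1"; then echo "$1: under /home, unreadable with ProtectHome" >&2; return 1; fi
    key_layout_ok "$@" || { echo "$1: ownership/mode do not match a supported layout" >&2; return 1; }
    echo "$1: ok"
}
```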