From Vague Hope Wiki


InspIRCd with SSL

OpenSSL CA from scratch

Generate self-signed server certs:

openssl dhparam -out dhparam_4096.pem 4096
openssl req -x509 -nodes -newkey rsa:4096 -keyout key.pem -out cert.pem -days 1024

Configure in inspircd.conf

<bind address="" port="6697" type="clients" ssl="openssl">
<openssl cafile="conf/ca.pem" certfile="conf/cert.pem" keyfile="conf/key.pem" dhfile="conf/dhparam_4096.pem">

InspIRCd with SSL and client certs

Configure openssl

sudo -i
cd ~root/<caname>
cp /etc/ssl/openssl.cnf .

Edit ~root/<caname>/openssl.cnf (openssl.cnf does not expand "~", so dir must be an absolute path; root's home is typically /root) ...

dir = /root/<caname>/_ca
default_bits = 4096
*_default ...

FS layout:

cd ~root/<caname>
mkdir _ca && cd _ca
mkdir certs private newcerts
echo 1000 > serial
touch index.txt

Generate 10 year CA certificate:

cd ~root/<caname>/_ca
openssl req -new -x509 -days 3650 -extensions v3_ca \
 -keyout private/cakey.pem -out cacert.pem \
 -config ~root/<caname>/openssl.cnf

Issue client certificate (remove -nodes to encrypt the private key with a passphrase):

cd ~root/<caname>
mkdir <someuser> && cd <someuser>
openssl req -new -nodes \
 -keyout someuser_key.pem -out someuser_req.pem \
 -config ~root/<caname>/openssl.cnf
openssl ca \
 -config ~root/<caname>/openssl.cnf \
 -out someuser_cert.pem \
 -infiles someuser_req.pem

Configuring InspIRCd

Enable ssl_info in conf/modules.conf:

<module name="">

Tell InspIRCd to require client certificates:

<connect ... requiressl="trusted">
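
A pre-deployment check for an issued client certificate, as an added example that is not part of the original wiki page: it confirms the certificate chains to your CA and that the key file belongs to it. The function names are hypothetical, the throwaway CAs and users in demo are constructed test data, and `openssl x509 -req` stands in for the page's `openssl ca` so that no openssl.cnf layout is needed.

```shell
#!/bin/sh
# Added example (not from the wiki): pre-deployment checks for a client cert.
# Helper names are hypothetical; throwaway 2048-bit keys are constructed test
# data so the script runs offline in a temp dir.

# check_client_cert CA_CERT CLIENT_CERT CLIENT_KEY
# 0 = chains to the CA and key matches; 1 = not issued by this CA; 2 = key mismatch
check_client_cert() {
    # Chain check: the property requiressl="trusted" relies on server-side.
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    # Pairing check: the public key in the cert must equal the one derived
    # from the private key, or the TLS handshake cannot present this cert.
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$3" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ] || return 2
}

# make_ca DIR NAME: self-signed CA, as in "Generate 10 year CA certificate"
make_ca() {
    openssl req -x509 -nodes -newkey rsa:2048 -days 1 -subj "/CN=$2" \
        -keyout "$1/$2_key.pem" -out "$1/$2_cacert.pem" 2>/dev/null
}

# issue DIR CA USER: request + signature. Assumption: `openssl x509 -req`
# stands in for the page's `openssl ca`, which needs the openssl.cnf layout.
issue() {
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$3" \
        -keyout "$1/$3_key.pem" -out "$1/$3_req.pem" 2>/dev/null &&
    openssl x509 -req -days 1 -in "$1/$3_req.pem" -CAcreateserial \
        -CA "$1/$2_cacert.pem" -CAkey "$1/$2_key.pem" \
        -out "$1/$3_cert.pem" 2>/dev/null
}

# demo: prints the three check results for a good cert, a cert from a
# different CA, and a good cert paired with the wrong key.
demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" someca && make_ca "$d" otherca &&
        issue "$d" someca someuser && issue "$d" otherca stranger || return 1
    ca="$d/someca_cacert.pem"
    check_client_cert "$ca" "$d/someuser_cert.pem" "$d/someuser_key.pem" && r1=0 || r1=$?
    check_client_cert "$ca" "$d/stranger_cert.pem" "$d/stranger_key.pem" && r2=0 || r2=$?
    check_client_cert "$ca" "$d/someuser_cert.pem" "$d/stranger_key.pem" && r3=0 || r3=$?
    rm -rf "$d"
    echo "$r1 $r2 $r3"
}
```

Source the file and run demo to see the three outcomes, or call check_client_cert directly on _ca/cacert.pem, someuser_cert.pem and someuser_key.pem.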

Configuring Irssi

Merge certs for Irssi (because of -nodes, someuser.pem holds the private key unencrypted):

openssl pkcs12 -inkey someuser_key.pem -in someuser_cert.pem -export -out someuser.p12
openssl pkcs12 -in someuser.p12 -nodes -clcerts -out someuser.pem

Configure Irssi:

servers = (
  {
    chatnet = "somechatnet";
    address = "someserver";
    port = "6697";
    use_ssl = "yes";
    ssl_cert = "/home/haku/.ssl/someca/someuser/someuser.pem";
    ssl_cafile = "/home/haku/.ssl/someca/someca_cacert.pem";
    ssl_verify = "yes";
    autoconnect = "yes";
  }
);