Difference between revisions of "IRC"
From Vague Hope Wiki
(→InspIRCd with SSL and client certs) |
(→InspIRCd with SSL and client certs) |
||
| Line 44: | Line 44: | ||
-keyout private/cakey.pem -out cacert.pem \ | -keyout private/cakey.pem -out cacert.pem \ | ||
-config ~root/<caname>/openssl.cnf | -config ~root/<caname>/openssl.cnf | ||
| + | |||
| + | |||
| + | Issue server certificate: | ||
| + | cd ~root/<caname> | ||
| + | mkdir <someserver> && cd <someserver> | ||
| + | openssl req -new \ | ||
| + | -keyout someserver_key.pem -out someserver_req.pem \ | ||
| + | -config ~root/<caname>/openssl.cnf | ||
| + | |||
| + | Issue client certificate: | ||
| + | cd ~root/<caname> | ||
| + | mkdir <someuser> && cd <someuser> | ||
| + | openssl req -new -nodes \ | ||
| + | -keyout someuser_key.pem -out someuser_req.pem \ | ||
| + | -config ~root/<caname>/openssl.cnf | ||
| + | |||
----- | ----- | ||
Revision as of 05:04, 6 July 2013
References
- http://wiki.inspircd.org/Commands
- http://wiki.inspircd.org/1.2/User_Modes
- http://wiki.inspircd.org/Modules/2.0/ssl_gnutls
- http://wiki.inspircd.org/Secure_Sockets_Layer
- http://www.oftc.net/NickServ/CertFP/
- http://workaround.org/certificate-authority
InspIRCd with SSL
Generate self-signed server certs:
openssl dhparam -out dhparam_4096.pem 4096 openssl req -x509 -nodes -newkey rsa:4096 -keyout key.pem -out cert.pem -days 1024
Configure in inspircd.conf
<bind address="" port="6697" type="clients" ssl="openssl"> <openssl cafile="conf/ca.pem" certfile="conf/cert.pem" keyfile="conf/key.pem" dhfile="conf/dhparam_4096.pem">
InspIRCd with SSL and client certs
Configure openssl
sudo -i cd ~root/<caname> cp /etc/ssl/openssl.cnf .
Edit ~root/<caname>/openssl.cnf ...
dir = ~root/<caname>/_ca
default_bits = 4096
*_default ...
FS layout:
cd ~root/<caname> mkdir _ca && cd _ca mkdir certs private newcerts echo 1000 > serial touch index.txt
Generate CA certificate:
cd ~root/<caname>/_ca openssl req -new -x509 -days 3650 -extensions v3_ca \ -keyout private/cakey.pem -out cacert.pem \ -config ~root/<caname>/openssl.cnf
Issue server certificate:
cd ~root/<caname> mkdir <someserver> && cd <someserver> openssl req -new \ -keyout someserver_key.pem -out someserver_req.pem \ -config ~root/<caname>/openssl.cnf
Issue client certificate:
cd ~root/<caname> mkdir <someuser> && cd <someuser> openssl req -new -nodes \ -keyout someuser_key.pem -out someuser_req.pem \ -config ~root/<caname>/openssl.cnf
Fix script: edit /usr/lib/ssl/misc/CA.sh and set CADAYS to 3650.
Generate a CA:
mkdir _ca && cd _ca /usr/lib/ssl/misc/CA.sh -newca mv demoCA/* . && rmdir demoCA && cd ..
Issue client certificate:
mkdir someuser && cd someuser /usr/lib/ssl/misc/CA.sh -newreq ln -s ../_ca demoCA # hack to avoid editing /usr/lib/ssl/openssl.cnf /usr/lib/ssl/misc/CA.sh -sign rename 's/new/testuser_/' *.pem
