Hi.

I have added SSL/TLS support to ngircd.

What works:
- incoming ssl/tls client and server connections
- outgoing server connections (server links)

What does not work yet:
- (X509) Certificate support.

The patch is here (created against ngircd CVSHEAD):
http://www.strlen.de/ngircd/ngircd-ssl-2007-01-28.diff.bz2

Alternatively, you can grab ngircd-ssl from svn:
svn co svn://svn.strlen.de/fw/ngircd-ssl/branches/ngircd-ssl-0.1.X

You need to pass either --with-openssl or --with-gnutls to the configure script.
A sample config file is included in the docs directory.
Please test and let me know if it works on your platform.

Thanks, Florian
Folks,

I am trying out the new SSL stuff and got the following error:

Feb 16 11:47:39 calculon ngircd[23498]: SSL_CTX_use_certificate_file: /usr/local/etc/ngircd/ssl/server.pem: error:0906D06C:PEM routines:PEM_read_bio:no start line

It could be that I did not create the cert correctly.. here is what I did:

openssl genrsa 1024 > server.key
openssl req -new -nodes -sha1 -days 1825 -key server.key >server.cert
cat server.cert server.key > server.pem && rm server.key

system is x86_64 Centos 4

Florian Westphal wrote:
> Hi.
>
> I have added SSL/TLS support to ngircd.
>
> What works:
> - incoming ssl/tls client and server connections
> - outgoing server connections (server links)
>
> What does not work yet:
> - (X509) Certificate support.
>
> The patch is here (created against ngircd CVSHEAD):
> http://www.strlen.de/ngircd/ngircd-ssl-2007-01-28.diff.bz2
>
> Alternatively, you can grab ngircd-ssl from svn:
> svn co svn://svn.strlen.de/fw/ngircd-ssl/branches/ngircd-ssl-0.1.X
>
> You need to pass either --with-openssl or --with-gnutls to the configure script.
> A sample config file is included in the docs directory.
> Please test and let me know if it works on your platform.
>
> Thanks, Florian
> _______________________________________________
> ngIRCd-ML mailing list
> ngIRCd-ML@Arthur.Ath.CX
> http://arthur.ath.cx/mailman/listinfo/ngircd-ml
--
-- Michael R. Belanger
____________________________________________________
CICLOPS/Space Science Institute     --- - -   __o
4750 Walnut St, Ste 205               -- _   \<,_
Boulder, CO 80301 (720) 974-5853       (_)/ (_)
FAX (720) 974-5860
Join us on IRC: irc.ciclops.org port=6668 channel=#iss
----------------------------------------------------
"The advantage of a bad memory is that one enjoys several times the same good things for the first time."
-- Friedrich Nietzsche

Michael Belanger <mrb@ciclops.org> wrote:
> Folks, I am trying out the new SSL stuff and got the following error:
>
> Feb 16 11:47:39 calculon ngircd[23498]: SSL_CTX_use_certificate_file: /usr/local/etc/ngircd/ssl/server.pem: error:0906D06C:PEM routines:PEM_read_bio:no start line
>
> It could be that I did not create the cert correctly.. here is what I did:
>
> openssl genrsa 1024 > server.key
> openssl req -new -nodes -sha1 -days 1825 -key server.key >server.cert
> cat server.cert server.key > server.pem && rm server.key

Could you please try:

openssl req -newkey rsa:2048 -x509 -keyout server-key.pem -out server-cert.pem -days 1461

(you can adjust -days and the key length).

The commands you posted create a private key and a certificate request, the above generates a self-signed key.
I've added examples to create self-signed keys with openssl and gnutls certtool to doc/SSL.txt.

Thanks, Florian
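
[Added example, not part of the original thread.] The combined server.pem in the report held a certificate request and a key but no certificate block, which is the difference Florian's reply points out. The script below lists the PEM block labels in such a combined file and reports which piece is missing; the function names, verdict words and sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): pre-flight check of a combined server PEM.

# Print the label of every "-----BEGIN <label>-----" line, in file order.
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1"
}

# Print a one-word verdict: ok, csr-not-cert, no-cert or no-key.
# Exit status is 0 only for "ok".
check_server_pem() {
    cert=no key=no csr=no
    while IFS= read -r label; do
        case $label in
            CERTIFICATE|"X509 CERTIFICATE"|"TRUSTED CERTIFICATE") cert=yes ;;
            "CERTIFICATE REQUEST"|"NEW CERTIFICATE REQUEST") csr=yes ;;
            *"PRIVATE KEY") key=yes ;;
        esac
    done <<EOF
$(pem_labels "$1")
EOF
    if [ "$cert" = no ] && [ "$csr" = yes ]; then echo csr-not-cert; return 1; fi
    if [ "$cert" = no ]; then echo no-cert; return 1; fi
    if [ "$key" = no ]; then echo no-key; return 1; fi
    echo ok
}

# Constructed sample files: real PEM labels, placeholder bodies (no key material).
make_samples() {
    printf '%s\n' '-----BEGIN CERTIFICATE REQUEST-----' 'PLACEHOLDER' \
        '-----END CERTIFICATE REQUEST-----' '-----BEGIN RSA PRIVATE KEY-----' \
        'PLACEHOLDER' '-----END RSA PRIVATE KEY-----' > "$1/request-and-key.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' \
        '-----END CERTIFICATE-----' '-----BEGIN RSA PRIVATE KEY-----' \
        'PLACEHOLDER' '-----END RSA PRIVATE KEY-----' > "$1/cert-and-key.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' \
        '-----END CERTIFICATE-----' > "$1/cert-only.pem"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for f in "$demo_dir"/*.pem; do
    printf '%s: %s\n' "${f##*/}" "$(check_server_pem "$f")"
done
rm -rf "$demo_dir"
```

When certificate and key are kept in separate files, as the openssl req command above writes them, a "no-key" verdict on the certificate file alone is expected.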

Florian,

That is much better, but my client still cannot connect.. I will look into this further on Monday.

Thanks!

Florian Westphal wrote:
> Michael Belanger <mrb@ciclops.org> wrote:
>> Folks, I am trying out the new SSL stuff and got the following error:
>>
>> Feb 16 11:47:39 calculon ngircd[23498]: SSL_CTX_use_certificate_file: /usr/local/etc/ngircd/ssl/server.pem: error:0906D06C:PEM routines:PEM_read_bio:no start line
>>
>> It could be that I did not create the cert correctly.. here is what I did:
>>
>> openssl genrsa 1024 > server.key
>> openssl req -new -nodes -sha1 -days 1825 -key server.key >server.cert
>> cat server.cert server.key > server.pem && rm server.key
>
> Could you please try:
>
> openssl req -newkey rsa:2048 -x509 -keyout server-key.pem -out server-cert.pem -days 1461
>
> (you can adjust -days and the key length).
>
> The commands you posted create a private key and a certificate request, the above generates a self-signed key.
> I've added examples to create self-signed keys with openssl and gnutls certtool to doc/SSL.txt.
>
> Thanks, Florian
--
-- Michael R. Belanger
____________________________________________________
CICLOPS/Space Science Institute     --- - -   __o
4750 Walnut St, Ste 205               -- _   \<,_
Boulder, CO 80301 (720) 974-5853       (_)/ (_)
FAX (720) 974-5860
Join us on IRC: irc.ciclops.org port=6668 channel=#iss
----------------------------------------------------
"This is glue... Strong stuff!"
--The Blues Brothers

Michael Belanger <mrb@ciclops.org> wrote:
> Florian, That is much better, but my client still cannot connect.. I will look into this further on Monday.

You can use "openssl s_client -host <yourhost> -port <listening-port>" to see whether this is a server- or clientside problem.
If the SSL-Connect works, it is client-side, otherwise you should perhaps run ngircd in debug mode to see more of what is going on.

Thanks for testing!
Florian