Hi.
I have added SSL/TLS support to ngircd.
What works:
- incoming ssl/tls client and server connections
- outgoing server connections (server links)
What does not work yet:
- (X509) Certificate support.
The patch is here (created against ngircd CVSHEAD): http://www.strlen.de/ngircd/ngircd-ssl-2007-01-28.diff.bz2
Alternatively, you can grab ngircd-ssl from svn: svn co svn://svn.strlen.de/fw/ngircd-ssl/branches/ngircd-ssl-0.1.X
You need to pass either --with-openssl or --with-gnutls to the configure script. A sample config file is included in the docs directory. Please test and let me know if it works on your platform.
Thanks, Florian
Folks, I am trying out the new SSL stuff and got the following error:
Feb 16 11:47:39 calculon ngircd[23498]: SSL_CTX_use_certificate_file: /usr/local/etc/ngircd/ssl/server.pem: error:0906D06C:PEM routines:PEM_read_bio:no start line
It could be that I did not create the cert correctly. Here is what I did:
openssl genrsa 1024 > server.key
openssl req -new -nodes -sha1 -days 1825 -key server.key >server.cert
cat server.cert server.key > server.pem && rm server.key
System is x86_64 CentOS 4.
Michael Belanger mrb@ciclops.org wrote:
> Folks, I am trying out the new SSL stuff and got the following error:
> Feb 16 11:47:39 calculon ngircd[23498]: SSL_CTX_use_certificate_file: /usr/local/etc/ngircd/ssl/server.pem: error:0906D06C:PEM routines:PEM_read_bio:no start line
> It could be that I did not create the cert correctly. Here is what I did:
> openssl genrsa 1024 > server.key
> openssl req -new -nodes -sha1 -days 1825 -key server.key >server.cert
> cat server.cert server.key > server.pem && rm server.key
Could you please try:
openssl req -newkey rsa:2048 -x509 -keyout server-key.pem -out server-cert.pem -days 1461
(you can adjust -days and the key length). The commands you posted create a private key and a certificate request, the above generates a self-signed key. I've added examples to create self-signed keys with openssl and gnutls certtool to doc/SSL.txt.
Thanks, Florian
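Added example, not part of the thread or of ngircd: a POSIX shell check that lists the PEM block labels in a file, which shows why a file holding a certificate request plus a key gives "no start line" when it is loaded as a certificate (the loader finds no CERTIFICATE block). The function names and sample files are constructed for illustration, and the sample block bodies are placeholders, not real keys or certificates.

```shell
#!/bin/sh
# Explain "PEM_read_bio:no start line" by listing which PEM blocks a file holds.

# Print the label of every PEM block in file $1, one per line.
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1"
}

# Verdict for loading file $1 as a certificate:
#   cert      a CERTIFICATE block is present
#   csr-only  only a certificate request is present (the case in the thread)
#   no-cert   PEM blocks present, but no certificate or request
#   not-pem   no PEM BEGIN line at all
classify_cert_file() {
    labels=$(pem_labels "$1")
    if [ -z "$labels" ]; then
        echo not-pem
    elif printf '%s\n' "$labels" | grep -qx 'CERTIFICATE'; then
        echo cert
    elif printf '%s\n' "$labels" | grep -qx -e 'CERTIFICATE REQUEST' -e 'NEW CERTIFICATE REQUEST'; then
        echo csr-only
    else
        echo no-cert
    fi
}

# Succeeds if file $1 also carries a private key (restrict read access to such files).
has_private_key() {
    pem_labels "$1" | grep -q 'PRIVATE KEY$'
}

# Write a constructed PEM block with label $1 to stdout (body is a placeholder).
sample_block() {
    printf '%s\n' "-----BEGIN $1-----" 'Q09OU1RSVUNURUQ=' "-----END $1-----"
}

# Constructed inputs: the thread's server.pem layout and the corrected two-file layout.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
{ sample_block 'CERTIFICATE REQUEST'; sample_block 'RSA PRIVATE KEY'; } > "$demo_dir/server.pem"
sample_block 'CERTIFICATE' > "$demo_dir/server-cert.pem"
sample_block 'ENCRYPTED PRIVATE KEY' > "$demo_dir/server-key.pem"

for f in server.pem server-cert.pem server-key.pem; do
    printf '%s: %s\n' "$f" "$(classify_cert_file "$demo_dir/$f")"
done
```
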
Florian, That is much better, but my client still cannot connect. I will look into this further on Monday.
Thanks!
Michael Belanger mrb@ciclops.org wrote:
> Florian, That is much better, but my client still cannot connect. I will look into this further on Monday.
You can use "openssl s_client -host <yourhost> -port <listening-port>" to see whether this is a server- or client-side problem. If the SSL-Connect works, it is client-side, otherwise you should perhaps run ngircd in debug mode to see more of what is going on.
Thanks for testing! Florian