* To use them, uncomment the lines below.
*
* Channel mode +-A (admin only) -- chm_adminonly
+ * Channel mode +-T (blocks notices) -- chm_nonotice
* Channel mode +-O (oper only) -- chm_operonly
* Channel mode +-S (ssl only) -- chm_sslonly
* Emulates channel mode +-O (oper only) (+-iI $o) -- chm_operonly_compat
* Stop services kills -- no_kill_services
*/
#loadmodule "extensions/chm_adminonly";
+#loadmodule "extensions/chm_nonotice";
#loadmodule "extensions/chm_operonly";
#loadmodule "extensions/chm_sslonly";
#loadmodule "extensions/chm_operonly_compat";
*/
#vhost6 = "2001:db7:2::6";
- /* ssl_private_key: our ssl private key */
- ssl_private_key = "etc/ssl.key";
-
- /* ssl_cert: certificate for our ssl server */
+ /* ssl_cert: certificate (and optionally key) for our ssl server */
ssl_cert = "etc/ssl.pem";
- /* ssl_dh_params: DH parameters, generate with openssl dhparam -out dh.pem 1024 */
+ /* ssl_private_key: our ssl private key (if not contained in ssl_cert file) */
+ #ssl_private_key = "etc/ssl.key";
+
+ /* ssl_dh_params: DH parameters, generate with openssl dhparam -out dh.pem 2048 */
+ /* If you do not provide parameters, some TLS backends will fail on DHE- ciphers,
+ and some will succeed but use weak, common DH groups! */
ssl_dh_params = "etc/dh.pem";
/* ssl_cipher_list: A list of ciphers, dependent on your TLS backend */
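Review bot: With `ssl_private_key` now commented out, the sample reads as steering operators towards a combined certificate-and-key file at `etc/ssl.pem`, but the updated `ssl_cert` comment does not say that the file then has to be protected like a private key. I would extend it, for example `/* ssl_cert: certificate (and optionally key) for our ssl server; if the key is in this file, keep it readable only by the ircd user */`. Separately, the second line of the new DH comment (`and some will succeed but use weak, common DH groups! */`) lacks the leading ` * ` that the other multi-line comments in this file use. The enclosing block starts and ends outside the hunk.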
/* port: listen on all available IPs, ports 5000 and 6665 to 6669 */
port = 5000, 6665 .. 6669;
- /* sslport: listen for ssl connections on all available IPs, port 9999 */
- sslport = 9999;
+ /* sslport: listen for ssl connections on all available IPs, port 6697 */
+ sslport = 6697;
/* host: set a specific IP/host the ports after the line will listen
* on. This may be ipv4 or ipv6.
host = "2001:db8:2::6";
port = 7002;
sslport = 9002;
+
+ /* wsock: listeners defined with this option enabled will be websocket listeners,
+ * and will not accept normal clients.
+ */
+ wsock = yes;
+ sslport = 9999;
};
/* auth {}: allow users to connect to the ircd (OLD I:) */
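Review bot: Port 9999 changes meaning in this sample: it was the example `sslport` for ordinary TLS clients and is now the websocket listener, which by the new comment "will not accept normal clients". An operator who merges the new example while clients still connect with TLS to 9999 would see those connections fail without an obvious cause, so either pick a different port for the websocket example or add a line such as `/* note: 9999 was the example sslport in earlier versions; here it is websocket-only */`. The `wsock` comment also does not say which listeners the flag covers. As placed it appears to apply to the `sslport = 9999` that follows it and not to the 7002/9002 lines above, but that ordering rule is not visible in this hunk; if the option is positional, state it, e.g. `applies to the port/sslport lines that follow it in this listen block`. The listen block opens outside the hunk.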
* compressed - compress traffic via ziplinks
* topicburst - burst topics between servers
* ssl - ssl/tls encrypted server connections
+ * no-export - marks the link as a no-export link (not exported to other links)
*/
flags = compressed, topicburst;
};
* The spki_* variants operate on the SubjectPublicKeyInfo of the certificate, which does
* not change unless the private key is changed. This allows the fingerprint to stay
* constant even if the certificate is reissued. These fingerprints will be prefixed with
- * "SPKI:SHA2-256:" or "SPKI:SHA2-512:" depending on the hash type.
+ * "SPKI:SHA2-256:" or "SPKI:SHA2-512:" depending on the hash type. These fingerprints
+ * are not supported on servers running charybdis 3.5 or earlier.
+ *
+ * To generate a fingerprint from a certificate file, please use the mkfingerprint utility
+ * program located in the bin/ subdirectory of your IRCd installation. Running it with no
+ * arguments will give you a brief usage message; it takes method and filename arguments.
*/
certfp_method = spki_sha256;