
CentOS5.8(x64)でircサーバ(ngircd)をSSL対応で構築しよう [irc]


過去にngircdの構築について書きました。詳しくはこちら
SSL設定について記事にしてもらえないかとコメントを頂きました。
ということで、やってみました。

まず、yumでインストールしたngircdですが、confにSSLのサンプルが全くないことから、SSLには対応していないと思います。
そのため、ngircdをコンパイルすることにしました。

構築は以下のような手順になります。
①gccのインストール
②zlib-develのインストール
③opensslのコンパイル(yumでもいいのですが)
④ngircdのコンパイル
⑤自己認証局の作成
⑥ngircdのSSL設定
⑦LimeChat2から接続

①gccのインストール
[assimane@ngircd ~]$ su -
パスワード: ********
[root@ngircd ~]# yum install gcc
Loaded plugins: fastestmirror, security
(省略)
Complete!



②zlib-develのインストール
[root@ngircd ~]# yum install zlib-devel
Loaded plugins: fastestmirror, security
(省略)
Complete!



③opensslのコンパイル
（アーカイブは平文の http で取得しているので、展開前に配布元が公開しているハッシュ値や署名で検証してください。なお 0.9.8 系は既にサポート終了しているため、今から構築する場合は保守されている版を使ってください）
[root@ngircd ~]# cd /usr/local/src

[root@ngircd src]# wget http://www.openssl.org/source/openssl-0.9.8x.tar.gz
--2013-01-13 16:31:42--  http://www.openssl.org/source/openssl-0.9.8x.tar.gz
(省略)
2013-01-13 16:31:53 (369 KB/s) - `openssl-0.9.8x.tar.gz' へ保存完了 [3782486/3782486]

[root@ngircd src]# tar zxvf openssl-0.9.8x.tar.gz
openssl-0.9.8x/ACKNOWLEDGMENTS
(省略)
openssl-0.9.8x/VMS/WISHLIST.TXT

[root@ngircd src]# cd openssl-0.9.8x

[root@ngircd openssl-0.9.8x]# ./config --prefix=/usr/local/ssl -fPIC shared
Operating system: x86_64-whatever-linux2
(省略)
make[1]: ディレクトリ `/usr/local/src/openssl-0.9.8x/tools' から出ます

[root@ngircd openssl-0.9.8x]# make
if [ -n "" ]; then \
(省略)
make[1]: ディレクトリ `/usr/local/src/openssl-0.9.8x/tools' から出ます

[root@ngircd openssl-0.9.8x]# make install
if [ -n "" ]; then \
(省略)
chmod 644 /usr/local/ssl/lib/pkgconfig/openssl.pc

[root@ngircd openssl-0.9.8x]# cd /usr/local/ssl

[root@ngircd ssl]# ls
bin  include  lib  ssl

[root@ngircd ssl]# vi /etc/profile
以下を追記します
# Add openssl Start
export PATH=/usr/local/ssl/bin:$PATH
export LD_LIBRARY_PATH=/usr/local/ssl/lib:$LD_LIBRARY_PATH
# Add openssl End

[root@ngircd ssl]# source /etc/profile

[root@ngircd ssl]# which openssl
/usr/local/ssl/bin/openssl

[root@ngircd ssl]# openssl version
OpenSSL 0.9.8x 10 May 2012

[root@ngircd ssl]# echo $LD_LIBRARY_PATH
/usr/local/ssl/lib:
（末尾の「:」は、追記前に LD_LIBRARY_PATH が未設定だったために残った空要素です。ld.so は空要素をカレントディレクトリとして扱うので、任意のディレクトリで実行したコマンドがそこに置かれた同名の .so を読み込んでしまいます。export LD_LIBRARY_PATH=/usr/local/ssl/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH} のように書くと空要素が入りません。この後 ld.so.conf.d と ldconfig で登録するので、通常は LD_LIBRARY_PATH の行自体は不要です）

[root@ngircd ssl]# vi /etc/ld.so.conf.d/openssl.conf
以下を記述
/usr/local/ssl/lib

[root@ngircd ssl]# cat /etc/ld.so.conf.d/openssl.conf
/usr/local/ssl/lib

[root@ngircd ssl]# ldconfig




④ngircdのコンパイル
[root@ngircd ssl]# cd /usr/local/src

[root@ngircd src]# wget http://ngircd.barton.de/pub/ngircd/ngircd-20.1.tar.gz
--2013-01-13 16:46:35--  http://ngircd.barton.de/pub/ngircd/ngircd-20.1.tar.gz
(省略)
2013-01-13 16:46:41 (151 KB/s) - `ngircd-20.1.tar.gz' へ保存完了 [478712/478712]

[root@ngircd src]# tar zxvf ngircd-20.1.tar.gz
ngircd-20.1/
(省略)
ngircd-20.1/README

[root@ngircd src]# cd ngircd-20.1

[root@ngircd ngircd-20.1]# ./configure --prefix=/usr/local/ngircd --with-openssl=/usr/local/ssl
checking build system type... x86_64-unknown-linux-gnu
(省略)
PAM support: no            SSL support: openssl
libiconv support: no

[root@ngircd ngircd-20.1]# make
Making all in doc
(省略)
make[1]: ディレクトリ `/usr/local/src/ngircd-20.1' から出ます

[root@ngircd ngircd-20.1]# make install
Making install in doc
(省略)
make[1]: ディレクトリ `/usr/local/src/ngircd-20.1' から出ます

[root@ngircd ngircd-20.1]# cd /usr/local/ngircd

[root@ngircd ngircd]# ls
etc  sbin  share




⑤自己認証局の作成
[root@ngircd init.d]# cd /usr/local/ssl/ssl/misc

[root@ngircd misc]# cp -p CA.sh CA.sh.org

[root@ngircd misc]# vi CA.sh
(以下のdiffを参考に編集)

[root@ngircd misc]# diff CA.sh.org CA.sh
64c64
< CADAYS="-days 1095"   # 3 years
---
> CADAYS="-days 3650"   # 10 years
71c71
< if [ -z "$CATOP" ] ; then CATOP=./demoCA ; fi
---
> if [ -z "$CATOP" ] ; then CATOP=./PrivateCA ; fi
113a114
>       echo 01 > ${CATOP}/serial

[root@ngircd misc]# cd /usr/local/ssl/ssl

[root@ngircd ssl]# cp -p openssl.cnf openssl.cnf.org

[root@ngircd ssl]# vi openssl.cnf
(以下のdiffを参考に編集)

[root@ngircd ssl]# diff openssl.cnf.org openssl.cnf
37c37
< dir           = ./demoCA              # Where everything is kept
---
> dir           = ./PrivateCA           # Where everything is kept
68c68
< default_days  = 365                   # how long to certify for
---
> default_days  = 1095                  # how long to certify for
81c81
< stateOrProvinceName   = match
---
> stateOrProvinceName   = optional
101c101
< default_bits          = 1024
---
> default_bits          = 2048
125c125
< countryName_default           = AU
---
> countryName_default           = JP
130c130
< stateOrProvinceName_default   = Some-State
---
> #stateOrProvinceName_default  = Some-State
135c135
< 0.organizationName_default    = Internet Widgits Pty Ltd
---
> 0.organizationName_default    = Private
172c172
< # nsCertType                  = server
---
> nsCertType                    = server
241c241
< # nsCertType = sslCA, emailCA
---
> nsCertType = sslCA, emailCA

[root@ngircd ssl]# cd /usr/local/ssl/ssl/misc

[root@ngircd misc]# ./CA.sh -newca
CA certificate filename (or enter to create)(Enterキー)
(省略)
writing new private key to './PrivateCA/private/./cakey.pem'
Enter PEM pass phrase: ********
Verifying - Enter PEM pass phrase: ********
(省略)
Country Name (2 letter code) [JP]:
State or Province Name (full name) []:
Locality Name (eg, city) []:
Organization Name (eg, company) [Private]:
Organizational Unit Name (eg, section) []:CA
Common Name (e.g. server FQDN or YOUR name) []:rootCA
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/local/ssl/ssl/openssl.cnf
Enter pass phrase for ./PrivateCA/private/./cakey.pem: ********
Check that the request matches the signature
(省略)
Data Base Updated

[root@ngircd misc]# ./CA.sh -newreq
Generating a 2048 bit RSA private key
(省略)
Enter PEM pass phrase: ********
Verifying - Enter PEM pass phrase: ********
(省略)
Country Name (2 letter code) [JP]:
State or Province Name (full name) []:
Locality Name (eg, city) []:
Organization Name (eg, company) [Private]:
Organizational Unit Name (eg, section) []:Server
Common Name (e.g. server FQDN or YOUR name) []:ngircd.local.localdomain.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem

[root@ngircd misc]# ./CA.sh -sign
Using configuration from /usr/local/ssl/ssl/openssl.cnf
Enter pass phrase for ./PrivateCA/private/cakey.pem: ********
Check that the request matches the signature
Signature ok
Certificate Details:
(省略)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
(省略)
Signed certificate is in newcert.pem

[root@ngircd misc]# mkdir ngircd

[root@ngircd misc]# mv newcert.pem ngircd/.

[root@ngircd misc]# mv newkey.pem ngircd/.

[root@ngircd misc]# mv newreq.pem ngircd/.

[root@ngircd misc]# cd ngircd

[root@ngircd ngircd]# cat -n newcert.pem
     1  Certificate:
(省略)
    62  -----BEGIN CERTIFICATE-----
(省略)
    83  -----END CERTIFICATE-----

[root@ngircd ngircd]# sed -n '62,83p' newcert.pem > servercrt.pem
（行番号は環境によって変わるので、openssl x509 -in newcert.pem -out servercrt.pem で PEM 部分だけを取り出す方が確実です）

[root@ngircd ngircd]# mv newkey.pem serverkey.pem

[root@ngircd ngircd]# mv servercrt.pem /usr/local/ngircd/etc/.

[root@ngircd ngircd]# mv serverkey.pem /usr/local/ngircd/etc/.
（serverkey.pem は秘密鍵なので、移動後は ngircd を動かすユーザ以外が読めない権限にしておきます）




⑥ngircdのSSL設定
[root@ngircd ngircd]# cd /usr/local/src/ngircd-20.1/contrib

[root@ngircd contrib]# cp ngircd-redhat.init /etc/init.d/ngircd

[root@ngircd contrib]# chmod 755 /etc/init.d/ngircd

[root@ngircd contrib]# cd /etc/init.d

[root@ngircd init.d]# vi /etc/profile
以下を追記する
# Add start ngircd
export PATH=/usr/local/ngircd/sbin:$PATH
# Add end ngircd

[root@ngircd init.d]# source /etc/profile

[root@ngircd init.d]# vi ngircd
(以下のdiffを参考に編集)

[root@ngircd init.d]# diff /usr/local/src/ngircd-20.1/contrib/ngircd-redhat.init ngircd
6c6
< # chkconfig: 2345 01
---
> # chkconfig: - 98 02
16c16
< # processname: /usr/sbin/ngircd
---
> # processname: /usr/local/ngircd/sbin/ngircd
21c21
< DAEMON=/usr/sbin/ngircd
---
> DAEMON=/usr/local/ngircd/sbin/ngircd

[root@ngircd init.d]# cp /usr/local/ngircd/etc/ngircd.conf /etc/ngircd.conf

[root@ngircd init.d]# vi /etc/hosts

[root@ngircd init.d]# cat /etc/hosts
127.0.0.1               localhost.localdomain localhost
192.168.0.32            ngircd.local.localdomain.com ngircd

[root@ngircd init.d]# vi /etc/ngircd.conf
(以下のdiffを参考に編集。ServerUID/ServerGID に指定する ngirc というユーザ・グループは、この記事の手順には作成が出てきていないので、起動前に存在することを確認してください)

[root@ngircd init.d]# diff /usr/local/ngircd/etc/ngircd.conf /etc/ngircd.conf
28c28
<       Name = irc.example.net
---
>       Name = ngircd.local.localdomain.com
34c34
<       ;AdminEMail = admin@irc.server
---
>       AdminEMail = admin@local.localdomain.com
38c38
<       Info = Server Info Text
---
>       Info = IRC Server
44c44
<       ;Listen = 127.0.0.1,192.168.0.1
---
>       Listen = 0.0.0.0
51c51
<       ;MotdPhrase = "Hello world!"
---
>       MotdPhrase = "Hello IRC World!"
55c55
<       ;Password = abc
---
>       Password = TestTest
70c70
<       ;ServerGID = 65534
---
>       ServerGID = ngirc
77c77
<       ;ServerUID = 65534
---
>       ServerUID = ngirc
89c89
<       ;MaxConnections = 0
---
>       MaxConnections = 1000
93c93
<       ;MaxConnectionsIP = 5
---
>       MaxConnectionsIP = 10
149c149
<       ;ConnectIPv4 = yes
---
>       ConnectIPv4 = yes
330c330
<       ;Name = #TheName
---
>       Name = #Test
336c336
<       ;Modes = tnk
---
>       Modes = tnk
339c339
<       ;Key = Secret
---
>       Key = TestTest1
346c346
<       ;MaxUsers = 23
---
>       MaxUsers = 100

[root@ngircd init.d]# ./ngircd start
Starting ngIRCd:                                           [  OK  ]

[root@ngircd init.d]# ./ngircd stop
Stopping ngIRCd:                                           [  OK  ]

[root@ngircd init.d]# vi /etc/ngircd.conf
(以下のdiffを参考に編集。KeyFilePassword には⑤の -newreq で newkey.pem に付けた PEM パスフレーズを書きます。diff 中の [ ] 内は注記であり、設定ファイルには書きません。Password と KeyFilePassword が平文で入るので、/etc/ngircd.conf は ngircd を動かすユーザ以外が読めない権限にしておきます)

[root@ngircd init.d]# diff /usr/local/ngircd/etc/ngircd.conf /etc/ngircd.conf
28c28
<       Name = irc.example.net
---
>       Name = ngircd.local.localdomain.com
34c34
<       ;AdminEMail = admin@irc.server
---
>       AdminEMail = admin@local.localdomain.com
38c38
<       Info = Server Info Text
---
>       Info = IRC Server
44c44
<       ;Listen = 127.0.0.1,192.168.0.1
---
>       Listen = 0.0.0.0
51c51
<       ;MotdPhrase = "Hello world!"
---
>       MotdPhrase = "Hello IRC World!"
55c55
<       ;Password = abc
---
>       Password = TestTest
70c70
<       ;ServerGID = 65534
---
>       ServerGID = ngirc
77c77
<       ;ServerUID = 65534
---
>       ServerUID = ngirc
89c89
<       ;MaxConnections = 0
---
>       MaxConnections = 1000
93c93
<       ;MaxConnectionsIP = 5
---
>       MaxConnectionsIP = 10
149c149
<       ;ConnectIPv4 = yes
---
>       ConnectIPv4 = yes
220c220
< ;[SSL]
---
> [SSL]
226c226
<       ;CertFile = /usr/local/ngircd/etc/ssl/server-cert.pem
---
>       CertFile = /usr/local/ngircd/etc/servercrt.pem
232c232
<       ;KeyFile = /usr/local/ngircd/etc/ssl/server-key.pem
---
>       KeyFile = /usr/local/ngircd/etc/serverkey.pem
235c235
<       ;KeyFilePassword = secret
---
>       KeyFilePassword = password  [証明書を作成したときの秘密鍵のパスワード]
238c238
<       ;Ports = 6697, 9999
---
>       Ports = 6697
330c330
<       ;Name = #TheName
---
>       Name = #Test
336c336
<       ;Modes = tnk
---
>       Modes = tnk
339c339
<       ;Key = Secret
---
>       Key = TestTest1
346c346
<       ;MaxUsers = 23
---
>       MaxUsers = 100

[root@ngircd init.d]# /etc/init.d/ngircd start
Starting ngIRCd:                                           [  OK  ]

[root@ngircd init.d]# netstat -a |grep 6697
tcp        0      0 *:6697                      *:*                         LISTEN




⑦LimeChat2から接続
 LimeChat2のサーバメニューのサーバーを追加で設定を追加します。
 ポート番号は6697でSSL接続にチェック入れる。
 接続を実施して、接続できればOKです。自己認証局で署名した証明書なので接続時に証明書の警告が出ますが、警告を無条件に受け入れるのではなく、クライアント側に取り込める場合は PrivateCA 配下の CA 証明書（cacert.pem）を登録して検証が通ることを確認するのが望ましいです。

次回もお楽しみに!!