Change cipher defaults

Switch cipher defaults to HIGH:!aNULL:@STRENGTH (OpenSSL) or
SECURE128 (GnuTLS).
This commit is contained in:
Federico G. Schwindt 2013-09-17 16:16:51 +01:00
parent d0977258ee
commit 0985d69cc6
5 changed files with 34 additions and 42 deletions

View File

@ -12,11 +12,18 @@
I. Upgrade Information
~~~~~~~~~~~~~~~~~~~~~~
Differences to previous version
- Starting with ngIRCd 21, the ciphers used by SSL are configurable and
default to HIGH:!aNULL:@STRENGTH (OpenSSL) or SECURE128 (GnuTLS).
Previous version were using the OpenSSL or GnuTLS defaults, DEFAULT
and NORMAL respectively.
Differences to version 19.x
- Starting with ngIRCd 20, users can "cloak" their hostname only when the
configuration variable "CloakHostModeX" (introduced in 19.2) is set.
Otherwise, only IRC opertators, other servers, and services are allowed to
Otherwise, only IRC operators, other servers, and services are allowed to
set mode +x. This prevents regular users from changing their hostmask to
the name of the IRC server itself, which confused quite a few people ;-)

View File

@ -249,11 +249,9 @@
;CertFile = :ETCDIR:/ssl/server-cert.pem
# Select cipher suites allowed for SSL/TLS connections. This defaults
# to the empty string, so all supported ciphers are allowed. Please
# see 'man 1ssl ciphers' (OpenSSL) and 'man 3 gnutls_priority_init'
# to HIGH:!aNULL:@STRENGTH (OpenSSL) or SECURE128 (GnuTLS).
# See 'man 1ssl ciphers' (OpenSSL) or 'man 3 gnutls_priority_init'
# (GnuTLS) for details.
# For example, this setting allows only "high strength" cipher suites,
# disables the ones without authentication, and sorts by strength:
# For OpenSSL:
;CipherList = HIGH:!aNULL:@STRENGTH
# For GnuTLS:

View File

@ -367,13 +367,10 @@ when it is compiled with support for SSL using OpenSSL or GnuTLS!
SSL Certificate file of the private server key.
.TP
\fBCipherList\fR (string)
Select cipher suites allowed for SSL/TLS connections. This defaults to the
empty string, so all supported ciphers are allowed.
Select cipher suites allowed for SSL/TLS connections. This defaults to
"HIGH:!aNULL:@STRENGTH" (OpenSSL) or "SECURE128" (GnuTLS).
Please see 'man 1ssl ciphers' (OpenSSL) and 'man 3 gnutls_priority_init'
(GnuTLS) for details.
For example, this setting allows only "high strength" cipher suites, disables
the ones without authentication, and sorts by strength:
"HIGH:!aNULL:@STRENGTH" (OpenSSL), "SECURE128" (GnuTLS).
.TP
\fBDHFile\fR (string)
Name of the Diffie-Hellman Parameter file. Can be created with GnuTLS

View File

@ -93,6 +93,12 @@ static void Init_Server_Struct PARAMS(( CONF_SERVER *Server ));
#define DEFAULT_LISTEN_ADDRSTR "0.0.0.0"
#endif
#ifdef HAVE_LIBSSL
#define DEFAULT_CIPHERS "HIGH:!aNULL:@STRENGTH"
#endif
#ifdef HAVE_LIBGNUTLS
#define DEFAULT_CIPHERS "SECURE128"
#endif
#ifdef SSL_SUPPORT
@ -435,8 +441,8 @@ Conf_Test( void )
puts("[SSL]");
printf(" CertFile = %s\n", Conf_SSLOptions.CertFile
? Conf_SSLOptions.CertFile : "");
printf(" CipherList = %s\n", Conf_SSLOptions.CipherList
? Conf_SSLOptions.CipherList : "");
printf(" CipherList = %s\n", Conf_SSLOptions.CipherList ?
Conf_SSLOptions.CipherList : DEFAULT_CIPHERS);
printf(" DHFile = %s\n", Conf_SSLOptions.DHFile
? Conf_SSLOptions.DHFile : "");
printf(" KeyFile = %s\n", Conf_SSLOptions.KeyFile
@ -1032,6 +1038,10 @@ Read_Config(bool TestOnly, bool IsStarting)
CheckFileReadable("CertFile", Conf_SSLOptions.CertFile);
CheckFileReadable("DHFile", Conf_SSLOptions.DHFile);
CheckFileReadable("KeyFile", Conf_SSLOptions.KeyFile);
/* Set the default ciphers if none were configured */
if (!Conf_SSLOptions.CipherList)
Conf_SSLOptions.CipherList = strdup_warn(DEFAULT_CIPHERS);
#endif
return true;

View File

@ -306,17 +306,10 @@ ConnSSL_InitLibrary( void )
if (!ConnSSL_LoadServerKey_openssl(newctx))
goto out;
if(Conf_SSLOptions.CipherList && *Conf_SSLOptions.CipherList) {
if(SSL_CTX_set_cipher_list(newctx, Conf_SSLOptions.CipherList) == 0 ) {
Log(LOG_ERR,
"Failed to apply OpenSSL cipher list \"%s\"!",
Conf_SSLOptions.CipherList);
goto out;
} else {
Log(LOG_INFO,
"Successfully applied OpenSSL cipher list \"%s\".",
Conf_SSLOptions.CipherList);
}
if (SSL_CTX_set_cipher_list(newctx, Conf_SSLOptions.CipherList) == 0) {
Log(LOG_ERR, "Failed to apply OpenSSL cipher list \"%s\"!",
Conf_SSLOptions.CipherList);
goto out;
}
SSL_CTX_set_options(newctx, SSL_OP_SINGLE_DH_USE|SSL_OP_NO_SSLv2);
@ -352,25 +345,12 @@ out:
if (!ConnSSL_LoadServerKey_gnutls())
goto out;
if(Conf_SSLOptions.CipherList && *Conf_SSLOptions.CipherList) {
err = gnutls_priority_init(&priorities_cache,
Conf_SSLOptions.CipherList, NULL);
if (err != GNUTLS_E_SUCCESS) {
Log(LOG_ERR,
"Failed to apply GnuTLS cipher list \"%s\"!",
Conf_SSLOptions.CipherList);
goto out;
}
Log(LOG_INFO,
"Successfully applied GnuTLS cipher list \"%s\".",
if (gnutls_priority_init(&priorities_cache, Conf_SSLOptions.CipherList,
NULL) != GNUTLS_E_SUCCESS) {
Log(LOG_ERR,
"Failed to apply GnuTLS cipher list \"%s\"!",
Conf_SSLOptions.CipherList);
} else {
err = gnutls_priority_init(&priorities_cache, "NORMAL", NULL);
if (err != GNUTLS_E_SUCCESS) {
Log(LOG_ERR,
"Failed to apply GnuTLS cipher list \"NORMAL\"!");
goto out;
}
goto out;
}
Log(LOG_INFO, "GnuTLS %s initialized.", gnutls_check_version(NULL));
@ -505,7 +485,7 @@ ConnSSL_Init_SSL(CONNECTION *c)
#ifdef HAVE_LIBGNUTLS
Conn_OPTION_ADD(c, CONN_SSL);
ret = gnutls_priority_set(c->ssl_state.gnutls_session, priorities_cache);
if (ret != 0) {
if (ret != GNUTLS_E_SUCCESS) {
Log(LOG_ERR, "Failed to set GnuTLS session priorities: %s",
gnutls_strerror(ret));
ConnSSL_Free(c);