albino
/
ngircd-tor
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Change cipher defaults 

Switch cipher defaults to HIGH:!aNULL:@STRENGTH (OpenSSL) or
SECURE128 (GnuTLS).
This commit is contained in:
Federico G. Schwindt 2013-09-17 16:16:51 +01:00
parent d0977258ee
commit 0985d69cc6
5 changed files with 34 additions and 42 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
INSTALL
View File

@ -12,11 +12,18 @@
I. Upgrade Information I. Upgrade Information
~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~
Differences to previous version
- Starting with ngIRCd 21, the ciphers used by SSL are configurable and
default to HIGH:!aNULL:@STRENGTH (OpenSSL) or SECURE128 (GnuTLS).
Previous version were using the OpenSSL or GnuTLS defaults, DEFAULT
and NORMAL respectively.
Differences to version 19.x Differences to version 19.x
- Starting with ngIRCd 20, users can "cloak" their hostname only when the - Starting with ngIRCd 20, users can "cloak" their hostname only when the
configuration variable "CloakHostModeX" (introduced in 19.2) is set. configuration variable "CloakHostModeX" (introduced in 19.2) is set.
Otherwise, only IRC opertators, other servers, and services are allowed to Otherwise, only IRC operators, other servers, and services are allowed to
set mode +x. This prevents regular users from changing their hostmask to set mode +x. This prevents regular users from changing their hostmask to
the name of the IRC server itself, which confused quite a few people ;-) the name of the IRC server itself, which confused quite a few people ;-)

6
doc/sample-ngircd.conf.tmpl
View File

@ -249,11 +249,9 @@
;CertFile = :ETCDIR:/ssl/server-cert.pem ;CertFile = :ETCDIR:/ssl/server-cert.pem
# Select cipher suites allowed for SSL/TLS connections. This defaults # Select cipher suites allowed for SSL/TLS connections. This defaults
# to the empty string, so all supported ciphers are allowed. Please # to HIGH:!aNULL:@STRENGTH (OpenSSL) or SECURE128 (GnuTLS).
# see 'man 1ssl ciphers' (OpenSSL) and 'man 3 gnutls_priority_init' # See 'man 1ssl ciphers' (OpenSSL) or 'man 3 gnutls_priority_init'
# (GnuTLS) for details. # (GnuTLS) for details.
# For example, this setting allows only "high strength" cipher suites,
# disables the ones without authentication, and sorts by strength:
# For OpenSSL: # For OpenSSL:
;CipherList = HIGH:!aNULL:@STRENGTH ;CipherList = HIGH:!aNULL:@STRENGTH
# For GnuTLS: # For GnuTLS:

7
man/ngircd.conf.5.tmpl
View File

@ -367,13 +367,10 @@ when it is compiled with support for SSL using OpenSSL or GnuTLS!
SSL Certificate file of the private server key. SSL Certificate file of the private server key.
.TP .TP
\fBCipherList\fR (string) \fBCipherList\fR (string)
Select cipher suites allowed for SSL/TLS connections. This defaults to the Select cipher suites allowed for SSL/TLS connections. This defaults to
empty string, so all supported ciphers are allowed. "HIGH:!aNULL:@STRENGTH" (OpenSSL) or "SECURE128" (GnuTLS).
Please see 'man 1ssl ciphers' (OpenSSL) and 'man 3 gnutls_priority_init' Please see 'man 1ssl ciphers' (OpenSSL) and 'man 3 gnutls_priority_init'
(GnuTLS) for details. (GnuTLS) for details.
For example, this setting allows only "high strength" cipher suites, disables
the ones without authentication, and sorts by strength:
"HIGH:!aNULL:@STRENGTH" (OpenSSL), "SECURE128" (GnuTLS).
.TP .TP
\fBDHFile\fR (string) \fBDHFile\fR (string)
Name of the Diffie-Hellman Parameter file. Can be created with GnuTLS Name of the Diffie-Hellman Parameter file. Can be created with GnuTLS

14
src/ngircd/conf.c
View File

@ -93,6 +93,12 @@ static void Init_Server_Struct PARAMS(( CONF_SERVER *Server ));
#define DEFAULT_LISTEN_ADDRSTR "0.0.0.0" #define DEFAULT_LISTEN_ADDRSTR "0.0.0.0"
#endif #endif
#ifdef HAVE_LIBSSL
#define DEFAULT_CIPHERS "HIGH:!aNULL:@STRENGTH"
#endif
#ifdef HAVE_LIBGNUTLS
#define DEFAULT_CIPHERS "SECURE128"
#endif
#ifdef SSL_SUPPORT #ifdef SSL_SUPPORT
@ -435,8 +441,8 @@ Conf_Test( void )
puts("[SSL]"); puts("[SSL]");
printf(" CertFile = %s\n", Conf_SSLOptions.CertFile printf(" CertFile = %s\n", Conf_SSLOptions.CertFile
? Conf_SSLOptions.CertFile : ""); ? Conf_SSLOptions.CertFile : "");
printf(" CipherList = %s\n", Conf_SSLOptions.CipherList printf(" CipherList = %s\n", Conf_SSLOptions.CipherList ?
? Conf_SSLOptions.CipherList : ""); Conf_SSLOptions.CipherList : DEFAULT_CIPHERS);
printf(" DHFile = %s\n", Conf_SSLOptions.DHFile printf(" DHFile = %s\n", Conf_SSLOptions.DHFile
? Conf_SSLOptions.DHFile : ""); ? Conf_SSLOptions.DHFile : "");
printf(" KeyFile = %s\n", Conf_SSLOptions.KeyFile printf(" KeyFile = %s\n", Conf_SSLOptions.KeyFile
@ -1032,6 +1038,10 @@ Read_Config(bool TestOnly, bool IsStarting)
CheckFileReadable("CertFile", Conf_SSLOptions.CertFile); CheckFileReadable("CertFile", Conf_SSLOptions.CertFile);
CheckFileReadable("DHFile", Conf_SSLOptions.DHFile); CheckFileReadable("DHFile", Conf_SSLOptions.DHFile);
CheckFileReadable("KeyFile", Conf_SSLOptions.KeyFile); CheckFileReadable("KeyFile", Conf_SSLOptions.KeyFile);
/* Set the default ciphers if none were configured */
if (!Conf_SSLOptions.CipherList)
Conf_SSLOptions.CipherList = strdup_warn(DEFAULT_CIPHERS);
#endif #endif
return true; return true;

30
src/ngircd/conn-ssl.c
View File

@ -306,17 +306,10 @@ ConnSSL_InitLibrary( void )
if (!ConnSSL_LoadServerKey_openssl(newctx)) if (!ConnSSL_LoadServerKey_openssl(newctx))
goto out; goto out;
if(Conf_SSLOptions.CipherList && *Conf_SSLOptions.CipherList) { if (SSL_CTX_set_cipher_list(newctx, Conf_SSLOptions.CipherList) == 0) {
if(SSL_CTX_set_cipher_list(newctx, Conf_SSLOptions.CipherList) == 0 ) { Log(LOG_ERR, "Failed to apply OpenSSL cipher list \"%s\"!",
Log(LOG_ERR,
"Failed to apply OpenSSL cipher list \"%s\"!",
Conf_SSLOptions.CipherList); Conf_SSLOptions.CipherList);
goto out; goto out;
} else {
Log(LOG_INFO,
"Successfully applied OpenSSL cipher list \"%s\".",
Conf_SSLOptions.CipherList);
}
} }
SSL_CTX_set_options(newctx, SSL_OP_SINGLE_DH_USE|SSL_OP_NO_SSLv2); SSL_CTX_set_options(newctx, SSL_OP_SINGLE_DH_USE|SSL_OP_NO_SSLv2);
@ -352,26 +345,13 @@ out:
if (!ConnSSL_LoadServerKey_gnutls()) if (!ConnSSL_LoadServerKey_gnutls())
goto out; goto out;
if(Conf_SSLOptions.CipherList && *Conf_SSLOptions.CipherList) { if (gnutls_priority_init(&priorities_cache, Conf_SSLOptions.CipherList,
err = gnutls_priority_init(&priorities_cache, NULL) != GNUTLS_E_SUCCESS) {
Conf_SSLOptions.CipherList, NULL);
if (err != GNUTLS_E_SUCCESS) {
Log(LOG_ERR, Log(LOG_ERR,
"Failed to apply GnuTLS cipher list \"%s\"!", "Failed to apply GnuTLS cipher list \"%s\"!",
Conf_SSLOptions.CipherList); Conf_SSLOptions.CipherList);
goto out; goto out;
} }
Log(LOG_INFO,
"Successfully applied GnuTLS cipher list \"%s\".",
Conf_SSLOptions.CipherList);
} else {
err = gnutls_priority_init(&priorities_cache, "NORMAL", NULL);
if (err != GNUTLS_E_SUCCESS) {
Log(LOG_ERR,
"Failed to apply GnuTLS cipher list \"NORMAL\"!");
goto out;
}
}
Log(LOG_INFO, "GnuTLS %s initialized.", gnutls_check_version(NULL)); Log(LOG_INFO, "GnuTLS %s initialized.", gnutls_check_version(NULL));
initialized = true; initialized = true;
@ -505,7 +485,7 @@ ConnSSL_Init_SSL(CONNECTION *c)
#ifdef HAVE_LIBGNUTLS #ifdef HAVE_LIBGNUTLS
Conn_OPTION_ADD(c, CONN_SSL); Conn_OPTION_ADD(c, CONN_SSL);
ret = gnutls_priority_set(c->ssl_state.gnutls_session, priorities_cache); ret = gnutls_priority_set(c->ssl_state.gnutls_session, priorities_cache);
if (ret != 0) { if (ret != GNUTLS_E_SUCCESS) {
Log(LOG_ERR, "Failed to set GnuTLS session priorities: %s", Log(LOG_ERR, "Failed to set GnuTLS session priorities: %s",
gnutls_strerror(ret)); gnutls_strerror(ret));
ConnSSL_Free(c); ConnSSL_Free(c);