Merge branch 'CipherListNoSSL3'

* CipherListNoSSL3: INSTALL: List the changed SSL CipherList default value. Update "CipherList" to not enable SSLv3 by default
2014-10-26 11:58:22 +01:00 · 2014-10-26 11:58:22 +01:00 · 6e4235443e
parent f33a4067a1 cdcf474f15
commit 6e4235443e
4 changed files with 18 additions and 9 deletions
--- a/15
+++ b/15
@ -12,12 +12,21 @@
 I. Upgrade Information
 ~~~~~~~~~~~~~~~~~~~~~~

+Differences to version 22.x
+
+- The default value of the SSL "CipherList" variable has been changed to
+  "HIGH:!aNULL:@STRENGTH:!SSLv3" (OpenSSL) and "SECURE128:-VERS-SSL3.0"
+  (GnuTLS) to disable the old SSLv3 protocol by default.
+  To enable connections of clients still requiring the weak SSLv3 protocol,
+  the "CipherList" must be set to its old value (not recommended!), which
+  was "HIGH:!aNULL:@STRENGTH" (OpenSSL) and "SECURE128" (GnuTLS), see below.
+
 Differences to version 20.x

 - Starting with ngIRCd 21, the ciphers used by SSL are configurable and
-  default to HIGH:!aNULL:@STRENGTH (OpenSSL) or SECURE128 (GnuTLS).
-  Previous version were using the OpenSSL or GnuTLS defaults, DEFAULT
-  and NORMAL respectively.
+  default to "HIGH:!aNULL:@STRENGTH" (OpenSSL) or "SECURE128" (GnuTLS).
+  Previous version were using the OpenSSL or GnuTLS defaults, "DEFAULT"
+  and "NORMAL" respectively.

 - When adding GLINE's or KLINE's to ngIRCd 21 (or newer), all clients matching
  the new mask will be KILL'ed. This was not the case with earlier versions
--- a/doc/sample-ngircd.conf.tmpl
+++ b/doc/sample-ngircd.conf.tmpl
@ -259,9 +259,9 @@
 	# See 'man 1ssl ciphers' (OpenSSL) or 'man 3 gnutls_priority_init'
 	# (GnuTLS) for details.
 	# For OpenSSL:
-	;CipherList = HIGH:!aNULL:@STRENGTH
+	;CipherList = HIGH:!aNULL:@STRENGTH:!SSLv3
 	# For GnuTLS:
-	;CipherList = SECURE128
+	;CipherList = SECURE128:-VERS-SSL3.0

 	# Diffie-Hellman parameters
 	;DHFile = :ETCDIR:/ssl/dhparams.pem
--- a/man/ngircd.conf.5.tmpl
+++ b/man/ngircd.conf.5.tmpl
@ -1,7 +1,7 @@
 .\"
 .\" ngircd.conf(5) manual page template
 .\"
-.TH ngircd.conf 5 "Jan 2014" ngIRCd "ngIRCd Manual"
+.TH ngircd.conf 5 "Oct 2014" ngIRCd "ngIRCd Manual"
 .SH NAME
 ngircd.conf \- configuration file of ngIRCd
 .SH SYNOPSIS
@ -375,7 +375,7 @@ SSL Certificate file of the private server key.
 .TP
 \fBCipherList\fR (string)
 Select cipher suites allowed for SSL/TLS connections.  This defaults to
-"HIGH:!aNULL:@STRENGTH" (OpenSSL) or "SECURE128" (GnuTLS).
+"HIGH:!aNULL:@STRENGTH:!SSLv3" (OpenSSL) or "SECURE128:-VERS-SSL3.0" (GnuTLS).
 Please see 'man 1ssl ciphers' (OpenSSL) and 'man 3 gnutls_priority_init'
 (GnuTLS) for details.
 .TP
--- a/src/ngircd/conf.c
+++ b/src/ngircd/conf.c
@ -88,10 +88,10 @@ static void Init_Server_Struct PARAMS(( CONF_SERVER *Server ));
 #endif

 #ifdef HAVE_LIBSSL
-#define DEFAULT_CIPHERS		"HIGH:!aNULL:@STRENGTH"
+#define DEFAULT_CIPHERS		"HIGH:!aNULL:@STRENGTH:!SSLv3"
 #endif
 #ifdef HAVE_LIBGNUTLS
-#define DEFAULT_CIPHERS		"SECURE128"
+#define DEFAULT_CIPHERS		"SECURE128:-VERS-SSL3.0"
 #endif

 #ifdef SSL_SUPPORT