From 100de3e4ccaab10524821d4262f6a8c3342224f8 Mon Sep 17 00:00:00 2001 From: Alexander Barton Date: Thu, 16 Oct 2014 13:42:24 +0200 Subject: [PATCH 1/2] Update "CipherList" to not enable SSLv3 by default Idea, initial patch, and testing by Christoph Biedl --- doc/sample-ngircd.conf.tmpl | 4 ++-- man/ngircd.conf.5.tmpl | 4 ++-- src/ngircd/conf.c | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/doc/sample-ngircd.conf.tmpl b/doc/sample-ngircd.conf.tmpl index 1d07822c..b5db1d9e 100644 --- a/doc/sample-ngircd.conf.tmpl +++ b/doc/sample-ngircd.conf.tmpl @@ -259,9 +259,9 @@ # See 'man 1ssl ciphers' (OpenSSL) or 'man 3 gnutls_priority_init' # (GnuTLS) for details. # For OpenSSL: - ;CipherList = HIGH:!aNULL:@STRENGTH + ;CipherList = HIGH:!aNULL:@STRENGTH:!SSLv3 # For GnuTLS: - ;CipherList = SECURE128 + ;CipherList = SECURE128:-VERS-SSL3.0 # Diffie-Hellman parameters ;DHFile = :ETCDIR:/ssl/dhparams.pem diff --git a/man/ngircd.conf.5.tmpl b/man/ngircd.conf.5.tmpl index 9b2ed082..0d57f902 100644 --- a/man/ngircd.conf.5.tmpl +++ b/man/ngircd.conf.5.tmpl @@ -1,7 +1,7 @@ .\" .\" ngircd.conf(5) manual page template .\" -.TH ngircd.conf 5 "Jan 2014" ngIRCd "ngIRCd Manual" +.TH ngircd.conf 5 "Oct 2014" ngIRCd "ngIRCd Manual" .SH NAME ngircd.conf \- configuration file of ngIRCd .SH SYNOPSIS @@ -375,7 +375,7 @@ SSL Certificate file of the private server key. .TP \fBCipherList\fR (string) Select cipher suites allowed for SSL/TLS connections. This defaults to -"HIGH:!aNULL:@STRENGTH" (OpenSSL) or "SECURE128" (GnuTLS). +"HIGH:!aNULL:@STRENGTH:!SSLv3" (OpenSSL) or "SECURE128:-VERS-SSL3.0" (GnuTLS). Please see 'man 1ssl ciphers' (OpenSSL) and 'man 3 gnutls_priority_init' (GnuTLS) for details. .TP diff --git a/src/ngircd/conf.c b/src/ngircd/conf.c index 6692ecbb..5f8c3929 100644 --- a/src/ngircd/conf.c +++ b/src/ngircd/conf.c @@ -88,10 +88,10 @@ static void Init_Server_Struct PARAMS(( CONF_SERVER *Server )); #endif #ifdef HAVE_LIBSSL -#define DEFAULT_CIPHERS "HIGH:!aNULL:@STRENGTH" +#define DEFAULT_CIPHERS "HIGH:!aNULL:@STRENGTH:!SSLv3" #endif #ifdef HAVE_LIBGNUTLS -#define DEFAULT_CIPHERS "SECURE128" +#define DEFAULT_CIPHERS "SECURE128:-VERS-SSL3.0" #endif #ifdef SSL_SUPPORT From cdcf474f159ad0c3c2a652cdbfa5e7f09171667c Mon Sep 17 00:00:00 2001 From: Alexander Barton Date: Sun, 26 Oct 2014 11:55:28 +0100 Subject: [PATCH 2/2] INSTALL: List the changed SSL CipherList default value. --- INSTALL | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/INSTALL b/INSTALL index cf33fa34..0aa853c1 100644 --- a/INSTALL +++ b/INSTALL @@ -12,12 +12,21 @@ I. Upgrade Information ~~~~~~~~~~~~~~~~~~~~~~ +Differences to version 22.x + +- The default value of the SSL "CipherList" variable has been changed to + "HIGH:!aNULL:@STRENGTH:!SSLv3" (OpenSSL) and "SECURE128:-VERS-SSL3.0" + (GnuTLS) to disable the old SSLv3 protocol by default. + To enable connections of clients still requiring the weak SSLv3 protocol, + the "CipherList" must be set to its old value (not recommended!), which + was "HIGH:!aNULL:@STRENGTH" (OpenSSL) and "SECURE128" (GnuTLS), see below. + Differences to version 20.x - Starting with ngIRCd 21, the ciphers used by SSL are configurable and - default to HIGH:!aNULL:@STRENGTH (OpenSSL) or SECURE128 (GnuTLS). - Previous version were using the OpenSSL or GnuTLS defaults, DEFAULT - and NORMAL respectively. + default to "HIGH:!aNULL:@STRENGTH" (OpenSSL) or "SECURE128" (GnuTLS). + Previous version were using the OpenSSL or GnuTLS defaults, "DEFAULT" + and "NORMAL" respectively. - When adding GLINE's or KLINE's to ngIRCd 21 (or newer), all clients matching the new mask will be KILL'ed. This was not the case with earlier versions