Merge branch 'CipherListNoSSL3'

* CipherListNoSSL3:
  INSTALL: List the changed SSL CipherList default value.
  Update "CipherList" to not enable SSLv3 by default
Alexander Barton 2014-10-26 11:58:22 +01:00
commit 6e4235443e
4 changed files with 18 additions and 9 deletions

INSTALL

@ -12,12 +12,21 @@
I. Upgrade Information I. Upgrade Information
~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~
Differences to version 22.x
- The default value of the SSL "CipherList" variable has been changed to
"HIGH:!aNULL:@STRENGTH:!SSLv3" (OpenSSL) and "SECURE128:-VERS-SSL3.0"
(GnuTLS) to disable the old SSLv3 protocol by default.
To enable connections of clients still requiring the weak SSLv3 protocol,
the "CipherList" must be set to its old value (not recommended!), which
was "HIGH:!aNULL:@STRENGTH" (OpenSSL) and "SECURE128" (GnuTLS), see below.
Differences to version 20.x Differences to version 20.x
- Starting with ngIRCd 21, the ciphers used by SSL are configurable and - Starting with ngIRCd 21, the ciphers used by SSL are configurable and
default to HIGH:!aNULL:@STRENGTH (OpenSSL) or SECURE128 (GnuTLS). default to "HIGH:!aNULL:@STRENGTH" (OpenSSL) or "SECURE128" (GnuTLS).
Previous version were using the OpenSSL or GnuTLS defaults, DEFAULT Previous version were using the OpenSSL or GnuTLS defaults, "DEFAULT"
and NORMAL respectively. and "NORMAL" respectively.
- When adding GLINE's or KLINE's to ngIRCd 21 (or newer), all clients matching - When adding GLINE's or KLINE's to ngIRCd 21 (or newer), all clients matching
the new mask will be KILL'ed. This was not the case with earlier versions the new mask will be KILL'ed. This was not the case with earlier versions
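Review bot: The new "Differences to version 22.x" entry presents both defaults as simply disabling "the old SSLv3 protocol", but the two strings do different things. The GnuTLS value "SECURE128:-VERS-SSL3.0" removes the SSL 3.0 protocol version from the priority list, whereas OpenSSL's "!SSLv3" is a cipher-suite filter: in OpenSSL 1.0.x it excludes every suite first defined for SSLv3, which is all suites except the TLS 1.2-only ones (AES-GCM and the SHA-256/SHA-384 variants), so clients limited to TLS 1.0 or 1.1 are rejected as well. Suggest the entry state what the OpenSSL default actually admits (effectively TLS 1.2 clients only) so operators are not surprised by TLS 1.0/1.1 clients failing, rather than only saying SSLv3 is off.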


@ -259,9 +259,9 @@
# See 'man 1ssl ciphers' (OpenSSL) or 'man 3 gnutls_priority_init' # See 'man 1ssl ciphers' (OpenSSL) or 'man 3 gnutls_priority_init'
# (GnuTLS) for details. # (GnuTLS) for details.
# For OpenSSL: # For OpenSSL:
;CipherList = HIGH:!aNULL:@STRENGTH ;CipherList = HIGH:!aNULL:@STRENGTH:!SSLv3
# For GnuTLS: # For GnuTLS:
;CipherList = SECURE128 ;CipherList = SECURE128:-VERS-SSL3.0
# Diffie-Hellman parameters # Diffie-Hellman parameters
;DHFile = :ETCDIR:/ssl/dhparams.pem ;DHFile = :ETCDIR:/ssl/dhparams.pem


@ -1,7 +1,7 @@
.\" .\"
.\" ngircd.conf(5) manual page template .\" ngircd.conf(5) manual page template
.\" .\"
.TH ngircd.conf 5 "Jan 2014" ngIRCd "ngIRCd Manual" .TH ngircd.conf 5 "Oct 2014" ngIRCd "ngIRCd Manual"
.SH NAME .SH NAME
ngircd.conf \- configuration file of ngIRCd ngircd.conf \- configuration file of ngIRCd
.SH SYNOPSIS .SH SYNOPSIS
@ -375,7 +375,7 @@ SSL Certificate file of the private server key.
.TP .TP
\fBCipherList\fR (string) \fBCipherList\fR (string)
Select cipher suites allowed for SSL/TLS connections. This defaults to Select cipher suites allowed for SSL/TLS connections. This defaults to
"HIGH:!aNULL:@STRENGTH" (OpenSSL) or "SECURE128" (GnuTLS). "HIGH:!aNULL:@STRENGTH:!SSLv3" (OpenSSL) or "SECURE128:-VERS-SSL3.0" (GnuTLS).
Please see 'man 1ssl ciphers' (OpenSSL) and 'man 3 gnutls_priority_init' Please see 'man 1ssl ciphers' (OpenSSL) and 'man 3 gnutls_priority_init'
(GnuTLS) for details. (GnuTLS) for details.
.TP .TP
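Review bot: The \fBCipherList\fR description still says the option selects "cipher suites", but the new GnuTLS default "SECURE128:-VERS-SSL3.0" carries a protocol-version restriction, so the value is really a full GnuTLS priority string (and an OpenSSL cipher string) that can limit protocol versions too. Suggest wording it as "Select cipher suites (and, for GnuTLS, protocol versions) allowed for SSL/TLS connections." so the -VERS- syntax in the default is explained by the text that introduces it.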


@ -88,10 +88,10 @@ static void Init_Server_Struct PARAMS(( CONF_SERVER *Server ));
#endif #endif
#ifdef HAVE_LIBSSL #ifdef HAVE_LIBSSL
#define DEFAULT_CIPHERS "HIGH:!aNULL:@STRENGTH" #define DEFAULT_CIPHERS "HIGH:!aNULL:@STRENGTH:!SSLv3"
#endif #endif
#ifdef HAVE_LIBGNUTLS #ifdef HAVE_LIBGNUTLS
#define DEFAULT_CIPHERS "SECURE128" #define DEFAULT_CIPHERS "SECURE128:-VERS-SSL3.0"
#endif #endif
#ifdef SSL_SUPPORT #ifdef SSL_SUPPORT
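Review bot: For the HAVE_LIBSSL build, changing DEFAULT_CIPHERS alone does not disable the SSLv3 protocol; "!SSLv3" in an OpenSSL cipher string only removes the suites defined for SSLv3 (in OpenSSL 1.0.x that is every non-TLS 1.2 suite), so it reaches the goal indirectly, drops TLS 1.0/1.1 compatibility as a side effect, and an operator who sets CipherList without "!SSLv3" silently gets SSLv3 back. The robust fix is to disable the protocol version on the SSL context with SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) where the context is created, independent of the configured cipher list; the HAVE_LIBGNUTLS side already behaves that way because "-VERS-SSL3.0" is a protocol restriction in the priority string.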