albino
/
ngircd-tor
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Initialize SSL when needed only, and disable SSL on errors 

With this patch, the SSL subsystem will only be initialized if at least
one SSL ports is configured; so you won't get "SSL initialization failed"
messages if you didn't configured it at all.

And if SSL initialization fails, no SSL listen ports will be enabled
later which never could establish a working SSL connection at all ...
This commit is contained in:
Alexander Barton 2012-09-21 10:36:09 +02:00
parent 1413a4886f
commit bb20aeb9bc
2 changed files with 13 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
src/ngircd/conn-ssl.c
View File

@ -241,6 +241,9 @@ void ConnSSL_Free(CONNECTION *c)
bool bool
ConnSSL_InitLibrary( void ) ConnSSL_InitLibrary( void )
{ {
if (!array_bytes(&Conf_SSLOptions.ListenPorts))
return true;
#ifdef HAVE_LIBSSL #ifdef HAVE_LIBSSL
SSL_CTX *newctx; SSL_CTX *newctx;
@ -256,12 +259,14 @@ ConnSSL_InitLibrary( void )
* According to OpenSSL RAND_egd(3): "The automatic query of /var/run/egd-pool et al was added in OpenSSL 0.9.7"; * According to OpenSSL RAND_egd(3): "The automatic query of /var/run/egd-pool et al was added in OpenSSL 0.9.7";
* so it makes little sense to deal with PRNGD seeding ourselves. * so it makes little sense to deal with PRNGD seeding ourselves.
*/ */
array_free(&Conf_SSLOptions.ListenPorts);
return false; return false;
} }
newctx = SSL_CTX_new(SSLv23_method()); newctx = SSL_CTX_new(SSLv23_method());
if (!newctx) { if (!newctx) {
LogOpenSSLError("SSL_CTX_new()", NULL); LogOpenSSLError("SSL_CTX_new()", NULL);
array_free(&Conf_SSLOptions.ListenPorts);
return false; return false;
} }
@ -276,6 +281,7 @@ ConnSSL_InitLibrary( void )
return true; return true;
out: out:
SSL_CTX_free(newctx); SSL_CTX_free(newctx);
array_free(&Conf_SSLOptions.ListenPorts);
return false; return false;
#endif #endif
#ifdef HAVE_LIBGNUTLS #ifdef HAVE_LIBGNUTLS
@ -287,10 +293,13 @@ out:
err = gnutls_global_init(); err = gnutls_global_init();
if (err) { if (err) {
Log(LOG_ERR, "gnutls_global_init(): %s", gnutls_strerror(err)); Log(LOG_ERR, "gnutls_global_init(): %s", gnutls_strerror(err));
array_free(&Conf_SSLOptions.ListenPorts);
return false; return false;
} }
if (!ConnSSL_LoadServerKey_gnutls()) if (!ConnSSL_LoadServerKey_gnutls()) {
array_free(&Conf_SSLOptions.ListenPorts);
return false; return false;
}
Log(LOG_INFO, "gnutls %s initialized.", gnutls_check_version(NULL)); Log(LOG_INFO, "gnutls %s initialized.", gnutls_check_version(NULL));
initialized = true; initialized = true;
return true; return true;
@ -313,7 +322,7 @@ ConnSSL_LoadServerKey_gnutls(void)
cert_file = Conf_SSLOptions.CertFile ? Conf_SSLOptions.CertFile:Conf_SSLOptions.KeyFile; cert_file = Conf_SSLOptions.CertFile ? Conf_SSLOptions.CertFile:Conf_SSLOptions.KeyFile;
if (!cert_file) { if (!cert_file) {
Log(LOG_NOTICE, "No SSL server key configured, SSL disabled."); Log(LOG_ERR, "No SSL server key configured!");
return false; return false;
} }
@ -344,7 +353,7 @@ ConnSSL_LoadServerKey_openssl(SSL_CTX *ctx)
assert(ctx); assert(ctx);
if (!Conf_SSLOptions.KeyFile) { if (!Conf_SSLOptions.KeyFile) {
Log(LOG_NOTICE, "No SSL server key configured, SSL disabled."); Log(LOG_ERR, "No SSL server key configured!");
return false; return false;
} }

2
src/ngircd/ngircd.c
View File

@ -662,7 +662,7 @@ NGIRCd_Init(bool NGIRCd_NoDaemon)
/* SSL initialization */ /* SSL initialization */
if (!ConnSSL_InitLibrary()) if (!ConnSSL_InitLibrary())
Log(LOG_WARNING, Log(LOG_WARNING,
"Warning: Error during SSL initialization, continuing ..."); "Error during SSL initialization, continuing without SSL ...");
/* Change root */ /* Change root */
if (Conf_Chroot[0]) { if (Conf_Chroot[0]) {