Module: ngircd.git Branch: master Commit: 84ed46d4c1caaa4ec79a6223c35785afcf1c9d53 URL: http://ngircd.barton.de/cgi-bin/gitweb.cgi?p=ngircd.git&a=commit;h=84ed4...
Author: Alexander Barton alex@barton.de Date: Sun Sep 15 15:09:36 2013 +0200
Cipher list selection for OpenSSL
This patch introduces the possibility to arbitrarily select ciphers which should be promoted resp. declined when establishing a SSL connection with a client by implementing the new configuration option "CipherList".
By default, OpenSSL would accept low and medium strength and RC-4 ciphers, which nowadays are known to be broken.
This patch only implements the feature for OpenSSL. A GnuTLS counterpart has to be implemented in another patch ...
Original patch by Bastian bastian-ngircd@t6l.de.
Closes bug #162.
---
doc/sample-ngircd.conf.tmpl | 7 +++++++ man/ngircd.conf.5.tmpl | 7 +++++++ src/ngircd/conf.c | 10 ++++++++++ src/ngircd/conf.h | 1 + src/ngircd/conn-ssl.c | 24 +++++++++++++++++++++++- 5 files changed, 48 insertions(+), 1 deletion(-)
diff --git a/doc/sample-ngircd.conf.tmpl b/doc/sample-ngircd.conf.tmpl index ae1b213..a4dbf86 100644 --- a/doc/sample-ngircd.conf.tmpl +++ b/doc/sample-ngircd.conf.tmpl @@ -248,6 +248,13 @@ # SSL Server Key Certificate ;CertFile = :ETCDIR:/ssl/server-cert.pem
+ # Select cipher suites allowed for SSL/TLS connections (OpenSSL only). + # This defaults to the empty string, so all supported ciphers are + # allowed. Please see 'man 1ssl ciphers' for details. + # The example below only allows "high strength" cipher suites, disables + # the ones without authentication, and sorts by strength: + ;CipherList = HIGH:!aNULL:@STRENGTH + # Diffie-Hellman parameters ;DHFile = :ETCDIR:/ssl/dhparams.pem
diff --git a/man/ngircd.conf.5.tmpl b/man/ngircd.conf.5.tmpl index cf926f9..263dec0 100644 --- a/man/ngircd.conf.5.tmpl +++ b/man/ngircd.conf.5.tmpl @@ -366,6 +366,13 @@ when it is compiled with support for SSL using OpenSSL or GnuTLS! \fBCertFile\fR (string) SSL Certificate file of the private server key. .TP +\fBCipherList\fR (string) +OpenSSL only: Select cipher suites allowed for SSL/TLS connections. This +defaults to the empty string, so all supported ciphers are allowed. Please see +'man 1ssl ciphers' for details. This setting allows only "high strength" cipher +suites, disables the ones without authentication, and sorts by strength, for +example: "HIGH:!aNULL:@STRENGTH". +.TP \fBDHFile\fR (string) Name of the Diffie-Hellman Parameter file. Can be created with GnuTLS "certtool --generate-dh-params" or "openssl dhparam". If this file is not diff --git a/src/ngircd/conf.c b/src/ngircd/conf.c index b10f490..9ab66e5 100644 --- a/src/ngircd/conf.c +++ b/src/ngircd/conf.c @@ -117,6 +117,9 @@ ConfSSL_Init(void) array_free_wipe(&Conf_SSLOptions.KeyFilePassword);
array_free(&Conf_SSLOptions.ListenPorts); + + free(Conf_SSLOptions.CipherList); + Conf_SSLOptions.CipherList = NULL; }
/** @@ -432,6 +435,8 @@ Conf_Test( void ) puts("[SSL]"); printf(" CertFile = %s\n", Conf_SSLOptions.CertFile ? Conf_SSLOptions.CertFile : ""); + printf(" CipherList = %s\n", Conf_SSLOptions.CipherList + ? Conf_SSLOptions.CipherList : ""); printf(" DHFile = %s\n", Conf_SSLOptions.DHFile ? Conf_SSLOptions.DHFile : ""); printf(" KeyFile = %s\n", Conf_SSLOptions.KeyFile @@ -1869,6 +1874,11 @@ Handle_SSL(const char *File, int Line, char *Var, char *Arg) ports_parse(&Conf_SSLOptions.ListenPorts, Line, Arg); return; } + if (strcasecmp(Var, "CipherList") == 0) { + assert(Conf_SSLOptions.CipherList == NULL); + Conf_SSLOptions.CipherList = strdup_warn(Arg); + return; + }
Config_Error_Section(File, Line, Var, "SSL"); } diff --git a/src/ngircd/conf.h b/src/ngircd/conf.h index 948749d..02d2331 100644 --- a/src/ngircd/conf.h +++ b/src/ngircd/conf.h @@ -75,6 +75,7 @@ struct SSLOptions { char *DHFile; /**< File containing DH parameters */ array ListenPorts; /**< Array of listening SSL ports */ array KeyFilePassword; /**< Key file password */ + char *CipherList; /**< Set SSL cipher list to use */ }; #endif
diff --git a/src/ngircd/conn-ssl.c b/src/ngircd/conn-ssl.c index 595cb61..059e871 100644 --- a/src/ngircd/conn-ssl.c +++ b/src/ngircd/conn-ssl.c @@ -305,6 +305,19 @@ ConnSSL_InitLibrary( void ) if (!ConnSSL_LoadServerKey_openssl(newctx)) goto out;
+ if(Conf_SSLOptions.CipherList && *Conf_SSLOptions.CipherList) { + if(SSL_CTX_set_cipher_list(newctx, Conf_SSLOptions.CipherList) == 0 ) { + Log(LOG_ERR, + "Failed to apply SSL cipher list "%s"!", + Conf_SSLOptions.CipherList); + goto out; + } else { + Log(LOG_INFO, + "Successfully applied SSL cipher list: "%s".", + Conf_SSLOptions.CipherList); + } + } + SSL_CTX_set_options(newctx, SSL_OP_SINGLE_DH_USE|SSL_OP_NO_SSLv2); SSL_CTX_set_mode(newctx, SSL_MODE_ENABLE_PARTIAL_WRITE); SSL_CTX_set_verify(newctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE, @@ -328,6 +341,14 @@ out: return false; }
+ if(Conf_SSLOptions.CipherList != NULL) { + Log(LOG_ERR, + "Failed to apply SSL cipher list "%s": Not implemented for GnuTLS!", + Conf_SSLOptions.CipherList); + array_free(&Conf_SSLOptions.ListenPorts); + return false; + } + err = gnutls_global_init(); if (err) { Log(LOG_ERR, "Failed to initialize GnuTLS: %s", @@ -339,6 +360,7 @@ out: array_free(&Conf_SSLOptions.ListenPorts); return false; } + Log(LOG_INFO, "GnuTLS %s initialized.", gnutls_check_version(NULL)); initialized = true; return true; @@ -368,7 +390,7 @@ ConnSSL_LoadServerKey_gnutls(void)
if (array_bytes(&Conf_SSLOptions.KeyFilePassword)) Log(LOG_WARNING, - "Ignoring KeyFilePassword: Not supported by GnuTLS."); + "Ignoring SSL "KeyFilePassword": Not supported by GnuTLS.");
if (!Load_DH_params()) return false;