Branch: refs/heads/master Home: https://github.com/ngircd/ngircd Commit: 817937b218c4b57515f54216ebc936cd69df0aae https://github.com/ngircd/ngircd/commit/817937b218c4b57515f54216ebc936cd69df... Author: Christoph Biedl ngircd.anoy@manchmal.in-ulm.de Date: 2024-03-23 (Sat, 23 Mar 2024)
Changed paths: M doc/sample-ngircd.conf.tmpl M man/ngircd.conf.5.tmpl M src/ngircd/conf.c M src/ngircd/conf.h M src/ngircd/conn-ssl.c M src/ngircd/conn.c M src/ngircd/conn.h
Log Message: ----------- Support for server certificate validation on server links [S2S-TLS]
This patch provides code to validate the server certificate in server links, defeating nasty man-in-the-middle attacks on server links.
Features:
- Check whether the certificate is signed by a trusted certificate authority (CA). - Check the host name, including wildcard certificates and Subject Alternative Names. - Optionally check against a certificate revocation list (CRL). - Implementation for both OpenSSL and GnuTLS linkage.
Left for another day:
- Parameterize the TLS parameter of an outbound connection. Currently, it's hardcoded to disable all versions before TLSv1.1. - Using certificate as CA-certificate. They work for GnuTLS only but perhaps this should rather raise an error there, too. - Optional OCSP checking. - Checking client certificates. Code is there but this first needs some consideration about the use cases. This could replace all other authentication methods, for both client-server and server-server connections.
This patch is based on a patch by Florian Westphal from 2009, which implemented this for OpenSSL only:
From: Florian Westphal fw@strlen.de Date: Mon, 18 May 2009 00:29:02 +0200 Subject: SSL/TLS: Add initial certificate support to OpenSSL backend
Commit message modified by Alex Barton.
Closes #120, "Server links using TLS/SSL need certificate validation". Supersedes PR #8, "Options for verifying and requiring SSL client certificates", which had (incomplete?) code for OpenSSL, no GnuTLS.
Commit: 5ca567a18caf699f93495ba2bc3749fb5f65383b https://github.com/ngircd/ngircd/commit/5ca567a18caf699f93495ba2bc3749fb5f65... Author: Alexander Barton alex@barton.de Date: 2024-03-23 (Sat, 23 Mar 2024)
Changed paths: M src/ngircd/conf.c
Log Message: ----------- S2S-TLS: Add missing CAFile and CRLFile options to "configtest" output
Commit: 8f8bef9faee96a6033e8719fd38167017299847a https://github.com/ngircd/ngircd/commit/8f8bef9faee96a6033e8719fd38167017299... Author: Alexander Barton alex@barton.de Date: 2024-03-23 (Sat, 23 Mar 2024)
Changed paths: M src/ngircd/conn-ssl.c
Log Message: ----------- S2S-TLS: Remove leftover debug messages
Commit: 84b019b11f761b71c8239d60e7f8db0b82a55df3 https://github.com/ngircd/ngircd/commit/84b019b11f761b71c8239d60e7f8db0b82a5... Author: Alexander Barton alex@barton.de Date: 2024-03-23 (Sat, 23 Mar 2024)
Changed paths: M src/ngircd/conn-ssl.c
Log Message: ----------- S2S-TLS/OpenSSL: Always setup host name verification
Setup host name verification even when the "SSLVerify" option is disabled, because even then the peer can present a valid certificate and validation would always(!) fail because of the missing host name verification setup.
Commit: 08647ab1e7cf0d034f2d8987a3cac3201af84e02 https://github.com/ngircd/ngircd/commit/08647ab1e7cf0d034f2d8987a3cac3201af8... Author: Alexander Barton alex@barton.de Date: 2024-03-23 (Sat, 23 Mar 2024)
Changed paths: M src/ngircd/conn-ssl.c
Log Message: ----------- S2S-TLS/OpenSSL: Set the verification flags only once
Set the verification flags in the ConnSSL_SetVerifyProperties_openssl function only, don't override them in ConnSSL_InitLibrary() afterwards.
No functional changes, now ConnSSL_SetVerifyProperties_openssl() sets exactly the parameters which ConnSSL_InitLibrary() always overwrote ...
Commit: 679505aab9fea21b27a3d4bbf99cf2a16cf3d3d5 https://github.com/ngircd/ngircd/commit/679505aab9fea21b27a3d4bbf99cf2a16cf3... Author: Alexander Barton alex@barton.de Date: 2024-03-23 (Sat, 23 Mar 2024)
Changed paths: M src/ngircd/conn-ssl.c
Log Message: ----------- S2S-TLS/OpenSSL: Fix handling of certificate information for incoming connections
Show proper certificate information for incoming connections, too, and not "peer did not present a certificate", regardless if the client sent a certificate or not.
And free the client certificate structure "peer_cert" on incoming connections as well!
Commit: 3db3b47fc7172a69b7d99d66eddb07a323dc6e74 https://github.com/ngircd/ngircd/commit/3db3b47fc7172a69b7d99d66eddb07a323dc... Author: Alexander Barton alex@barton.de Date: 2024-03-23 (Sat, 23 Mar 2024)
Changed paths: M src/ngircd/conn-ssl.c M src/ngircd/conn.c
Log Message: ----------- S2S-TLS/OpenSSL: Postpone verification of TLS session right before server handshake
The verify callback in OpenSSL is called pretty early, and at that time it is not possible yet to check which connection it belongs to, and some connections may have relaxed requirements.
So always return success in the Verify_openssl() callback, and postpone validation of the TLS session until starting the server handshake in cb_connserver_login_ssl(), when we know which server this connection belongs to and which options (like "SSLVerify") are in effect.
The code doing this was already present in cb_connserver_login_ssl(), but this patch adds a more prominent comment to the function.
Commit: 02bb99b0242ade8af78f957aa1657561374ef1d6 https://github.com/ngircd/ngircd/commit/02bb99b0242ade8af78f957aa1657561374e... Author: Alexander Barton alex@barton.de Date: 2024-03-23 (Sat, 23 Mar 2024)
Changed paths: M src/ngircd/conn-ssl.c M src/ngircd/conn.c
Log Message: ----------- S2S-TLS/OpenSSL: Streamline logging
This includes simplifying cb_connserver_login_ssl() a bit, we do not have to code for invalid state which was ruled out by an assert() and therefore can get rid of the goto altogether (and don't log the same error twice with different messages).
Commit: 58ee4df2ae2e4e59ae8909b69670825229158da8 https://github.com/ngircd/ngircd/commit/58ee4df2ae2e4e59ae8909b6967082522915... Author: Alexander Barton alex@barton.de Date: 2024-03-23 (Sat, 23 Mar 2024)
Changed paths: M man/ngircd.conf.5.tmpl
Log Message: ----------- S2S-TLS: Fix formatting and sort new SSL options in ngircd.conf manual page
Commit: c8589e9890742c377c78595131ef1cdc8d784c66 https://github.com/ngircd/ngircd/commit/c8589e9890742c377c78595131ef1cdc8d78... Author: Alexander Barton alex@barton.de Date: 2024-03-23 (Sat, 23 Mar 2024)
Changed paths: M src/ngircd/conn-ssl.c
Log Message: ----------- S2S-TLS: MAX_CERT_CHAIN_LENGTH is only used by OpenSSL
Commit: 0e176b557037b583f408229b518646804b33d745 https://github.com/ngircd/ngircd/commit/0e176b557037b583f408229b518646804b33... Author: Alexander Barton alex@barton.de Date: 2024-03-23 (Sat, 23 Mar 2024)
Changed paths: M src/ngircd/conn-ssl.c
Log Message: ----------- S2S-TLS/GnuTLS: Update SSL code for GnuTLS certificate reloading
Without this, the S2S-TLS-Patch not even compiles with GnuTLS because of the "new" GnuTLS certificate reload support implemented in commit eead4a63 ("x509_cred_slot").
Commit: 509ff6032686662328f4ecb0c5c287a34e929c53 https://github.com/ngircd/ngircd/commit/509ff6032686662328f4ecb0c5c287a34e92... Author: Alexander Barton alex@barton.de Date: 2024-03-23 (Sat, 23 Mar 2024)
Changed paths: M src/ngircd/conn-ssl.c
Log Message: ----------- S2S-TLS/GnuTLS: Fix handling of certificate information for incoming connections
Show proper certificate information for incoming connections, too, and not "peer did not present a certificate", regardless if the client sent a certificate or not.
This change is for GnuTLS and similar to what was implemented in commit for OpenSSL in "S2S-TLS/OpenSSL: Fix handling of certificate information for incoming connections".
Commit: 663972c88d3ae3e3226fe6f95ca1113694ce0618 https://github.com/ngircd/ngircd/commit/663972c88d3ae3e3226fe6f95ca1113694ce... Author: Alexander Barton alex@barton.de Date: 2024-03-23 (Sat, 23 Mar 2024)
Changed paths: M src/ngircd/conn-ssl.c
Log Message: ----------- S2S-TLS/GnuTLS: Streamline logging
Commit: 180e2ec1359378172135472148c99a2d14e873cc https://github.com/ngircd/ngircd/commit/180e2ec1359378172135472148c99a2d14e8... Author: Alexander Barton alex@barton.de Date: 2024-03-23 (Sat, 23 Mar 2024)
Changed paths: M src/ngircd/conf.c
Log Message: ----------- S2S-TLS: Verify the TLS certificates by default
This is already mentioned as the default in the manual page and the sample configuration file, but was actually not enabled in the code!
Commit: 8cef3ce42cd645a3ffb0e1eded52b8b77bb8caff https://github.com/ngircd/ngircd/commit/8cef3ce42cd645a3ffb0e1eded52b8b77bb8... Author: Alexander Barton alex@barton.de Date: 2024-03-23 (Sat, 23 Mar 2024)
Changed paths: M src/ngircd/conn-ssl.c
Log Message: ----------- S2S-TLS/GnuTLS: Fix handling of connections without peer certificates
Commit: b826fad15871f73435328b1d77fd364838389adb https://github.com/ngircd/ngircd/commit/b826fad15871f73435328b1d77fd36483838... Author: Alexander Barton alex@barton.de Date: 2024-03-23 (Sat, 23 Mar 2024)
Changed paths: M INSTALL.md M doc/Makefile.am M doc/QuickStart.md A doc/SSL.md R doc/SSL.txt
Log Message: ----------- S2S-TLS: Convert SSL.txt to Markdown and update information given
No longer describe creating self-signed certificates or using "stunnel", as both is not recommended.
Commit: 6b27eabf5bdbc6bf6f71d7b1e7d059dfeab6849b https://github.com/ngircd/ngircd/commit/6b27eabf5bdbc6bf6f71d7b1e7d059dfeab6... Author: Alexander Barton alex@barton.de Date: 2024-03-23 (Sat, 23 Mar 2024)
Changed paths: M INSTALL.md
Log Message: ----------- S2S-TLS: Add notice to INSTALL.md
Commit: b9d6a2f49c4b3607c69b298cc770c0c945f627f6 https://github.com/ngircd/ngircd/commit/b9d6a2f49c4b3607c69b298cc770c0c945f6... Author: Alexander Barton alex@barton.de Date: 2024-03-23 (Sat, 23 Mar 2024)
Changed paths: M src/testsuite/prep-server3 M src/testsuite/switch-server3
Log Message: ----------- S2S-TLS: Fix "make check" in separate build directory
Commit: b2c9049af20b12f2fde08f4af0a35968404effdb https://github.com/ngircd/ngircd/commit/b2c9049af20b12f2fde08f4af0a35968404e... Author: Christoph Biedl ngircd.anoy@manchmal.in-ulm.de Date: 2024-03-31 (Sun, 31 Mar 2024)
Changed paths: M src/ngircd/conn-ssl.c
Log Message: ----------- S2S-SSL/GnuTLS: Enable CRL verification
Commit: 71a2fe1895d087f7420d017c0fcd5b42039f3e10 https://github.com/ngircd/ngircd/commit/71a2fe1895d087f7420d017c0fcd5b42039f... Author: Alexander Barton alex@barton.de Date: 2024-03-31 (Sun, 31 Mar 2024)
Changed paths: M contrib/ngircd.logcheck
Log Message: ----------- Update and fix logcheck(8) rules
Commit: 24e822cff2d0a33c9bfa26fe31d52939bdd3fac7 https://github.com/ngircd/ngircd/commit/24e822cff2d0a33c9bfa26fe31d52939bdd3... Author: Alexander Barton alex@barton.de Date: 2024-03-31 (Sun, 31 Mar 2024)
Changed paths: M man/ngircd.8.tmpl
Log Message: ----------- ngircd.8: Update for the now always available debug-mode
Commit: 34979250004fb2785ed68c9714a42ddef6523a90 https://github.com/ngircd/ngircd/commit/34979250004fb2785ed68c9714a42ddef652... Author: Alexander Barton alex@barton.de Date: 2024-03-31 (Sun, 31 Mar 2024)
Changed paths: M configure.ng M contrib/ngircd.logcheck M src/ngircd/conf.c M src/ngircd/defines.h
Log Message: ----------- Try to set file descriptor limit to its maximum and show info on startup
The number of possible parallel connections is limited by the process file descriptor limit (among other things). Therefore try to upgrade the current "soft" limit to its "hard" maximum (but limit it to 100000), and show an information or even warning, wenn still less than the configured "MaxConnections" setting.
Please note that ngIRCd and its linked libraries (like PAM) need file descriptors not only for incoming and outgoing IRC connections, but for reading files and inter-process communication, too! Therefore the actual connection limit is _less_ than the file descriptor limit!
This introduces the new MAX_FD_LIMIT (100000) #define.
Commit: a0d491a09fc1ee64b1ce203524adfc2f0910ef3c https://github.com/ngircd/ngircd/commit/a0d491a09fc1ee64b1ce203524adfc2f0910... Author: Alexander Barton alex@barton.de Date: 2024-03-31 (Sun, 31 Mar 2024)
Changed paths: M contrib/Debian/control
Log Message: ----------- Add feature info to Debian package description
Commit: bbcaf628f4a325110a333b9f20a23bbfa6ca0de4 https://github.com/ngircd/ngircd/commit/bbcaf628f4a325110a333b9f20a23bbfa6ca... Author: Alexander Barton alex@barton.de Date: 2024-03-31 (Sun, 31 Mar 2024)
Changed paths: M contrib/ngircd.logcheck M src/ngircd/conn-ssl.c
Log Message: ----------- Change leftover GnuTLS "slot handling" messages to debug level
This completes commit f96966a6.
Commit: ddba1263073e27059ba5346d6665612524454531 https://github.com/ngircd/ngircd/commit/ddba1263073e27059ba5346d666561252445... Author: Alexander Barton alex@barton.de Date: 2024-03-31 (Sun, 31 Mar 2024)
Changed paths: M doc/Container.md
Log Message: ----------- Fix quoting in code examples in doc/Container.md
Commit: 8d6f2c2820567a350c57dd15cee06e13535471c2 https://github.com/ngircd/ngircd/commit/8d6f2c2820567a350c57dd15cee06e135354... Author: Alexander Barton alex@barton.de Date: 2024-04-02 (Tue, 02 Apr 2024)
Changed paths: M src/testsuite/connect-ssl-cert1-test.e M src/testsuite/connect-ssl-cert2-test.e
Log Message: ----------- Revert "testsuite: Pass -nameopt to openssl s_client."
Although this is a nice looking solution, it is not that portable: for example, the "openssl s_client" command of LibreSSL 3.8.2 on OpenBSD 7.4 does not support it.
So let's revert back to the "uglier" but working variant ...
This reverts commit bdb55fb4b322b2c84530855a3b5148a0e387f5b4.
Commit: 7e78c293a97239f895b862836c65c4b755abdc52 https://github.com/ngircd/ngircd/commit/7e78c293a97239f895b862836c65c4b755ab... Author: Alexander Barton alex@barton.de Date: 2024-04-05 (Fri, 05 Apr 2024)
Changed paths: M src/testsuite/getpid.sh M src/testsuite/prep-server3 M src/testsuite/reload-server.sh M src/testsuite/start-server.sh M src/testsuite/start-server1 M src/testsuite/start-server2 M src/testsuite/start-server3 M src/testsuite/stop-server.sh M src/testsuite/stop-server1 M src/testsuite/stop-server2 M src/testsuite/stop-server3 M src/testsuite/stress-server.sh M src/testsuite/test-loop.sh M src/testsuite/tests.sh M src/testsuite/wait-tests.sh
Log Message: ----------- Test suite: clean up scripts
- Reformat code. - Cleanup some glitches, streamline scripts ... - Enable "set -u": Error on unset variables. - Detect "$srcdir" in prep-server3 script, too.
Commit: 22a8744476dff7763cd94954bd8f96fbdfc0d251 https://github.com/ngircd/ngircd/commit/22a8744476dff7763cd94954bd8f96fbdfc0... Author: Alexander Barton alex@barton.de Date: 2024-04-05 (Fri, 05 Apr 2024)
Changed paths: M src/testsuite/getpid.sh
Log Message: ----------- Test suite: simplify and enhance getpid.sh
- Try to only search for processes of the current user. - Prefer using pgrep (in addition to pidof) when available. - Streamline system overrides. - Get rid of HEAD_FLAGS: all systems so far support "-1". - Use "ps -o pid,comm" as the default, which is POSIX.1. - Use "sort -r" to hopefully get the newest (=highest) PID, which is the case on older systems not using randomized PIDs at least.
Commit: a8a37b681e54cb236f0547961d87bf271db8d536 https://github.com/ngircd/ngircd/commit/a8a37b681e54cb236f0547961d87bf271db8... Author: Alexander Barton alex@barton.de Date: 2024-04-05 (Fri, 05 Apr 2024)
Changed paths: M src/testsuite/channel-test.e M src/testsuite/check-idle.e M src/testsuite/connect-ssl-cert1-test.e M src/testsuite/connect-ssl-cert2-test.e M src/testsuite/connect-test.e M src/testsuite/invite-test.e M src/testsuite/join-test.e M src/testsuite/kick-test.e M src/testsuite/message-test.e M src/testsuite/misc-test.e M src/testsuite/mode-test.e M src/testsuite/opless-channel-test.e M src/testsuite/server-link-test.e M src/testsuite/stress-B.e M src/testsuite/who-test.e M src/testsuite/whois-test.e
Log Message: ----------- Test suite: wait for ERROR message on QUIT
Wait for the "ERROR :Closing connection" message sent by ngIRCd when handling the QUIT command, do not wait for "Connection closed" which is actually output by the telnet(1) command and is implementation dependant! For example, on Haiku OS, this is not always(!) echoed (the command seems to hang sometimes?) which results in unpredictable failures in the test suite ...
Commit: 3e535a295523853963438eb94f9cfa24c998b52f https://github.com/ngircd/ngircd/commit/3e535a295523853963438eb94f9cfa24c998... Author: Alexander Barton alex@barton.de Date: 2024-04-05 (Fri, 05 Apr 2024)
Changed paths: M .gitignore
Log Message: ----------- Add ".trunk" to .gitignore file
Commit: e4873b4d63d0bcd4914a1cee82599a13cfd77e47 https://github.com/ngircd/ngircd/commit/e4873b4d63d0bcd4914a1cee82599a13cfd7... Author: Alexander Barton alex@barton.de Date: 2024-04-06 (Sat, 06 Apr 2024)
Changed paths: M configure.ng M contrib/ngircd.service M src/ngircd/conn.c M src/ngircd/sighandlers.c M src/ngircd/sighandlers.h
Log Message: ----------- Add support for the "sd_notify" protocol
This allows the "ngircd.service" systemd(8) unit to use the "notify" service type, which allows for better status tracking by the service manager.
Commit: 791778d7b6e2f0e92c67e6812f85445171c24572 https://github.com/ngircd/ngircd/commit/791778d7b6e2f0e92c67e6812f85445171c2... Author: Alexander Barton alex@barton.de Date: 2024-04-06 (Sat, 06 Apr 2024)
Changed paths: M contrib/ngircd.service M src/ngircd/conn.c M src/ngircd/sighandlers.c M src/ngircd/sighandlers.h
Log Message: ----------- Ping the service manager and set a status message
Periodically "ping" the service manager (every 3 seconds) and set a status message showing connection statistics.
This enables using the systemd(8) watchdog functionality for the "ngircd.service" unit.
Commit: ff0a9b9c2a4312a37ca115e8d72d7a7a3b9ce26e https://github.com/ngircd/ngircd/commit/ff0a9b9c2a4312a37ca115e8d72d7a7a3b9c... Author: Alexander Barton alex@barton.de Date: 2024-04-06 (Sat, 06 Apr 2024)
Changed paths: M AUTHORS.md M ChangeLog M NEWS M contrib/Debian/changelog
Log Message: ----------- Prepare documentation for ngIRCd 27~rc1
Commit: 4b1eb0e3ee203819b0d8c5d890f7edd55e50eac0 https://github.com/ngircd/ngircd/commit/4b1eb0e3ee203819b0d8c5d890f7edd55e50... Author: Alexander Barton alex@barton.de Date: 2024-04-11 (Thu, 11 Apr 2024)
Changed paths: M contrib/ngircd.service
Log Message: ----------- ngircd.service: Redirect stdout and stderr to the journal
Commit: 0d42ea7709c786cd9c405cf04395afd0091e580e https://github.com/ngircd/ngircd/commit/0d42ea7709c786cd9c405cf04395afd0091e... Author: Alexander Barton alex@barton.de Date: 2024-04-11 (Thu, 11 Apr 2024)
Changed paths: M doc/Platforms.txt
Log Message: ----------- Update doc/Platforms.txt
Commit: e3f96d446dd88241a94de51b676fd118d47ab7d7 https://github.com/ngircd/ngircd/commit/e3f96d446dd88241a94de51b676fd118d47a... Author: Alexander Barton alex@barton.de Date: 2024-04-13 (Sat, 13 Apr 2024)
Changed paths: M src/testsuite/getpid.sh M src/testsuite/start-server.sh
Log Message: ----------- Test suite: Use $USER in getpid.sh when $LOGNAME is not set
The LOGNAME environment variable is not set in GitHub "actions", for example ...
Commit: b362b5a94554a3f4818c90bf54f8715b58ab923b https://github.com/ngircd/ngircd/commit/b362b5a94554a3f4818c90bf54f8715b58ab... Author: Alexander Barton alex@barton.de Date: 2024-04-13 (Sat, 13 Apr 2024)
Changed paths: M ChangeLog M NEWS M contrib/Debian/changelog M contrib/de.barton.ngircd.metainfo.xml M contrib/ngircd.spec
Log Message: ----------- ngIRCd Release 27~rc1
Compare: https://github.com/ngircd/ngircd/compare/339ad77b621b...b362b5a94554
To unsubscribe from these emails, change your notification settings at https://github.com/ngircd/ngircd/settings/notifications
ngircd-commits@lists.barton.de