a patch (mostly untested 8->) that adds initial support for certificates
to the openssl backend is located here:
The patch applies to ngircd release 14.1.
For those that want to follow up on changes/patches, please consider
tracking my repository at
git://git.breakpoint.cc/fw/ngircd-tls.git , the certificate changes are
in the "tls-master" branch.
By "initial" i mean that the basic functionality appears to work, but
has not been tested much; noone has reviewed the code so far, there is
no support for things like "accept this cerificate only from ip X", etc.
Although I do not know when I can work on this again, I ask that
everyone interested in seeing this feature in ngircd and with some spare
time and a ngircd test installation to try out this patch and report
any bugs/change requests, thanks a lot!
The patch adds a few new config options:
in GLOBAL section:
SSLCAFile = /the/file/with/trusted/ca/certificates
Filename pointing to the Trusted CA Certificates. Required for
verifying peer certificates.
SSLCRLFile = /the/file/with/revoked/certificates (WARNING: not tested AT ALL)
SSLRequireClientCert = (yes|no)
Do not accept incoming SSL connections from clients that do not
have a valid certificate.
in [SERVER] section:
Verify Server Peer Certificate. If this is an active connection
(i.e. ngircd connects to the peer), the ssl handshake
is aborted if the certificate of the remote server cannot be
If this is a passive connection (ngircd waits for the remote server to
connect) and SSLRequireClientCert is false, the server link will only
be established if the password matches and a valid certificate
was received. (obvioulsy, because its not possible to know in advance if the
incoming connection is from a server or an irc client, the ssl handshake
always completes; the connection will be shut down again once the
SERVER command is received and the connection was established without
Florian Westphal found a serious bug in ngIRCd release 14 which
affects all servers compiled with SSL-support linked in, whereas it is
irrelevant whether SSL support is actually in use or not. This bug is
remotely triggerable and causes the daemon to crash (DoS).
So EVERYBODY using ngIRCd release 13 or 14 with SSL-support linked in
SHOULD UPGRADE to nIRCcd release 14.1 as soon as possible!
You can use the "ngircd --version" command to check the options your
daemon provides: if it lists "SSL", you are affected! (e. g. "ngircd
14.1-SYSLOG+ZLIB+SSL+IRCPLUS+IPv6-i386/apple/darwin9.6" is affected)
The full changelog lists (since release 14):
- Security: fix remotely triggerable crash in SSL/TLS code.
- BSD start script contrib/ngircd.sh has been renamed to ngircd-bsd.sh.
- New start/stop script for RedHat-based distributions:
contrib/ngircd-redhat.init, thanks to Naoya Nakazawa
- Doxygen: update source code repository link to GIT.
- Debian: build ngircd-full-dbg package.
- Allow ping timeout quit messages to show the timeout value.
- Fix error handling on compressed links.
- Fix server list announcement.
- Do not remove hostnames from info text.
Direct download links for the source archive:
The ChangeLog can be found here:
GnuPG signatures and a patches from release 14 are available and can
be downloaded from here:
The relevant MD5 sums are:
MD5 (ngircd-14.1.tar.gz) = eef90855414c35bfb6590d17e24ee06f
MD5 (ngircd-14-14.1.patch.gz) = 896814187a7a350272ab5fb4119a381a
You can habe a look at the complete history and every single patch
using the GIT web-frontend located at:
Please let us know if you encounter any bugs or need more/better
documentation (best is to file bugs using the bug tracker or to mail
to this list). Thanks!