ngIRCd Users May 2009

ngircd@lists.barton.de

3 participants
2 discussions

[Announce]: Initial certificate support for openssl backend
by Florian Westphal 18 May '09

18 May '09

Hi all, a patch (mostly untested 8->) that adds initial support for certificates to the openssl backend is located here: http://strlen.de/ngircd/0001-SSL-TLS-add-initial-certificate-support-to-ope… (signature: http://strlen.de/ngircd/0001-SSL-TLS-add-initial-certificate-support-to-ope…) The patch applies to ngircd release 14.1. For those that want to follow up on changes/patches, please consider tracking my repository at git://git.breakpoint.cc/fw/ngircd-tls.git , the certificate changes are in the "tls-master" branch. (gitweb: http://git.breakpoint.cc/cgi-bin/gitweb.cgi?p=fw/ngircd-tls.git;a=summary) By "initial" i mean that the basic functionality appears to work, but has not been tested much; noone has reviewed the code so far, there is no support for things like "accept this cerificate only from ip X", etc. Although I do not know when I can work on this again, I ask that everyone interested in seeing this feature in ngircd and with some spare time and a ngircd test installation to try out this patch and report any bugs/change requests, thanks a lot! The patch adds a few new config options: in GLOBAL section: SSLCAFile = /the/file/with/trusted/ca/certificates Filename pointing to the Trusted CA Certificates. Required for verifying peer certificates. SSLCRLFile = /the/file/with/revoked/certificates (WARNING: not tested AT ALL) SSLRequireClientCert = (yes|no) Do not accept incoming SSL connections from clients that do not have a valid certificate. in [SERVER] section: SSLVerify: (yes|no) Verify Server Peer Certificate. If this is an active connection (i.e. ngircd connects to the peer), the ssl handshake is aborted if the certificate of the remote server cannot be validated. If this is a passive connection (ngircd waits for the remote server to connect) and SSLRequireClientCert is false, the server link will only be established if the password matches and a valid certificate was received. (obvioulsy, because its not possible to know in advance if the incoming connection is from a server or an irc client, the ssl handshake always completes; the connection will be shut down again once the SERVER command is received and the connection was established without /invalid certificate.

1 0

ngIRCd Release 14.1
by Alexander Barton 12 May '09

12 May '09

Hi all! Florian Westphal found a serious bug in ngIRCd release 14 which affects all servers compiled with SSL-support linked in, whereas it is irrelevant whether SSL support is actually in use or not. This bug is remotely triggerable and causes the daemon to crash (DoS). So EVERYBODY using ngIRCd release 13 or 14 with SSL-support linked in SHOULD UPGRADE to nIRCcd release 14.1 as soon as possible! You can use the "ngircd --version" command to check the options your daemon provides: if it lists "SSL", you are affected! (e. g. "ngircd 14.1-SYSLOG+ZLIB+SSL+IRCPLUS+IPv6-i386/apple/darwin9.6" is affected) The full changelog lists (since release 14): - Security: fix remotely triggerable crash in SSL/TLS code. - BSD start script contrib/ngircd.sh has been renamed to ngircd-bsd.sh. - New start/stop script for RedHat-based distributions: contrib/ngircd-redhat.init, thanks to Naoya Nakazawa <naoya(a)sanow.net>. - Doxygen: update source code repository link to GIT. - Debian: build ngircd-full-dbg package. - Allow ping timeout quit messages to show the timeout value. - Fix error handling on compressed links. - Fix server list announcement. - Do not remove hostnames from info text. Direct download links for the source archive: <ftp://ftp.berlios.de/pub/ngircd/ngircd-14.1.tar.gz> <ftp://ngircd.barton.de/pub/ngircd/ngircd-14.1.tar.gz> The ChangeLog can be found here: <http://ngircd.barton.de/doc/ChangeLog> <http://ngircd.berlios.de/doc/ChangeLog> GnuPG signatures and a patches from release 14 are available and can be downloaded from here: <ftp://ngircd.barton.de/pub/ngircd/> <ftp://ftp.berlios.de/pub/ngircd/> The relevant MD5 sums are: MD5 (ngircd-14.1.tar.gz) = eef90855414c35bfb6590d17e24ee06f MD5 (ngircd-14-14.1.patch.gz) = 896814187a7a350272ab5fb4119a381a You can habe a look at the complete history and every single patch using the GIT web-frontend located at: <http://ngircd.barton.de/cgi-bin/gitweb.cgi?p=ngircd.git> Please let us know if you encounter any bugs or need more/better documentation (best is to file bugs using the bug tracker or to mail to this list). Thanks! Regards Alex

3 3

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

ngIRCd Users May 2009