Hello,
On a related note, I have patches for the GNUTLS side of things that allow
for client certificate support (including CRLs). I also have ngircd
connected to an OTP solution, which obviously causes issues with the
numerous client re-connects. I ended up implementing an authentication
cache to solve that problem as well. Any interest in both/either?
- Matt
On 09/07/2013 05:00 AM, ngircd-ml-request(a)arthur.barton.de wrote:
> Hi,
>
> I attached a fix for the last patch.
> - important: verifying CipherLists are applied successfully
> - if SSL initialization fails, daemon should exit and not run without SSL
>
> Q: Is it welcome to provide patches on the ML?
I certainly appreciate you taking the time to write the patch, correct it, and
share it again. This is a feature that I am very happy to see implemented and I
thank you for taking the time to do this and share with the community.
It seems I still have the same issue with the latest patch on ngircd-20.3 --
# patch -p0 < ../ngircd_ssl_cipherlist.patch
patching file ./doc/sample-ngircd.conf.tmpl
Hunk #1 succeeded at 237 (offset -23 lines).
patching file ./src/ngircd/conf.c
Hunk #1 succeeded at 106 (offset -11 lines).
Hunk #2 succeeded at 431 (offset -15 lines).
Hunk #3 succeeded at 1842 with fuzz 2 (offset -32 lines).
patching file ./src/ngircd/conf.h
patching file ./src/ngircd/conn-ssl.c
Hunk #1 succeeded at 275 with fuzz 1 (offset -28 lines).
patching file ./src/ngircd/ngircd.c
Hunk #1 succeeded at 671 (offset -2 lines).
# Log
Sep 7 11:15:47 localhost ngircd[27467]: /usr/local/etc/ngircd.conf, line 166 (section "SSL"): Unknown variable "CipherList"!
Sep 7 11:15:47 localhost ngircd[27467]: ngIRCd 20.3-IPv6+IRCPLUS+SSL+SYSLOG+ZLIB-i686/pc/linux-gnu started.
Sep 7 11:15:47 localhost ngircd[27467]: Using configuration file "/usr/local/etc/ngircd.conf" ...
Sep 7 11:15:47 localhost ngircd[27467]: Configuration option "DHFile" not set!
Sep 7 11:15:47 localhost ngircd[27467]: SSL using default CipherList
Sep 7 11:15:47 localhost ngircd[27467]: OpenSSL 1.0.1 14 Mar 2012 initialized.
# grep -B 10 "CipherList" /usr/local/etc/ngircd.conf
# password to decrypt SSLKeyFile (OpenSSL only)
;KeyFilePassword = secret
# SSL Server Key Certificate
CertFile = /etc/apache2/ssl/ssl.crt
# Diffie-Hellman parameters
;DHFile = /usr/local/etc/ngircd/ssl/dhparams.pem
# SSL_CipherList.patch, Sep 06 2013
CipherList = ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
Thanks,
Nathan Fowler
Hi all,
find attached a patch which enables a configuration option CipherList.
This can be used to select/deselect ciphers used for tls/ssl
connections.
This became significant to me, because my network ops detected my
ngIRCd would allow low and already known to be broken ciphers.
Sorry, this is only for OpenSSL, gnutls is not included.
Please also mind, that this was the first time for me looking into
ngIRCd code. I hope I got all the meanings about config reading and
checking properly.
Hope this helps.
Bastian
On 09/02/2013 05:00 AM, ngircd-ml-request(a)arthur.barton.de wrote:
> I am using OpenSSL (1.*) with Ngircd to enforce SSL connections.
> Is there a possibility that I can enforce certain ciphers or disable
> certain weak ciphers?
Perhaps use the 'stunnel' method for serving ngircd over SSL and disable weak
ciphers through stunnel's configuration, see http://ngircd.barton.de/doc/SSL.txt
options = NO_SSLv2
ciphers = ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
If you're using a RHEL-derived distribution, perhaps enable FIPS mode to disable
weak ciphers system-wide; see section 7.2.1 in the below URL:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux…
Cheers,
Nathan
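
Added example (not part of any message in this thread and not ngIRCd code): a check that expands the two cipher strings quoted above with the local OpenSSL, reports whether the string selects anything at all, and flags suites by a small rule set. It assumes Python's `ssl` module; the rules in `weak_reasons` are this example's own, and the result reflects the OpenSSL build of the machine it runs on, not the IRC server's.

```python
import ssl

# Cipher strings quoted in the thread.
PAGE_PATCH_STRING = "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"
PAGE_STUNNEL_STRING = "ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP"


def expand(cipher_string):
    """Suites (TLS 1.2 and older) the local OpenSSL selects for the string.

    Raises ssl.SSLError when the string selects nothing.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    # TLS 1.3 suites are not controlled by this string; leave them out.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def is_accepted(cipher_string):
    """True if the string selects at least one suite, False if rejected."""
    try:
        return len(expand(cipher_string)) > 0
    except ssl.SSLError:
        return False


def weak_reasons(cipher):
    """Example rule set (an assumption of this sketch); adapt to local policy."""
    reasons = []
    if "Au=None" in cipher["description"]:
        reasons.append("anonymous (unauthenticated) key exchange")
    if cipher["strength_bits"] < 112:
        reasons.append("under 112-bit strength")
    if "RC4" in cipher["name"]:
        reasons.append("RC4")
    return reasons


def audit(cipher_string):
    """Map suite name -> reasons, for every flagged suite the string selects."""
    flagged = {}
    for cipher in expand(cipher_string):
        reasons = weak_reasons(cipher)
        if reasons:
            flagged[cipher["name"]] = reasons
    return flagged


if __name__ == "__main__":
    for s in (PAGE_PATCH_STRING, PAGE_STUNNEL_STRING):
        print(s, "->", audit(s) if is_accepted(s) else "rejected by OpenSSL")
```

An empty dictionary means none of the example rules matched on this build; a rejected string is the case where a server should refuse to start rather than fall back to defaults.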