TLS and authentication patches
by Matt Pepe
Hello,
On a related note, I have patches for the GNUTLS side of things that allow
for client certificate support (including CRLs). I also have ngircd
connected to an OTP solution, which obviously causes issues with the
numerous client re-connects. I ended up implementing an authentication
cache to solve that problem as well. Any interest in both/either?
- Matt
8 years, 11 months
Re: [ngIRCd-ML] Support for OpenSSL CipherList
by lists@packetmail.net
On 09/07/2013 05:00 AM, ngircd-ml-request(a)arthur.barton.de wrote:
> Hi,
>
> I attached a fix for the last patch.
> - important: verifying CipherLists are applied successfully
> - if SSL initialization fails, daemon should exit and not run without SSL
>
> Q: Is it welcome to provide patches on the ML?
I certainly appreciate you taking the time to write the patch, correct it, and
share it again. This is a feature that I am very happy to see implemented and I
thank you for taking the time to do this and share with the community.
It seems I still have the same issue with the latest patch on ngircd-20.3 --
# patch -p0 < ../ngircd_ssl_cipherlist.patch
patching file ./doc/sample-ngircd.conf.tmpl
Hunk #1 succeeded at 237 (offset -23 lines).
patching file ./src/ngircd/conf.c
Hunk #1 succeeded at 106 (offset -11 lines).
Hunk #2 succeeded at 431 (offset -15 lines).
Hunk #3 succeeded at 1842 with fuzz 2 (offset -32 lines).
patching file ./src/ngircd/conf.h
patching file ./src/ngircd/conn-ssl.c
Hunk #1 succeeded at 275 with fuzz 1 (offset -28 lines).
patching file ./src/ngircd/ngircd.c
Hunk #1 succeeded at 671 (offset -2 lines).
# Log
Sep 7 11:15:47 localhost ngircd[27467]: /usr/local/etc/ngircd.conf, line 166
(section "SSL"): Unknown variable "CipherList"!
Sep 7 11:15:47 localhost ngircd[27467]: ngIRCd
20.3-IPv6+IRCPLUS+SSL+SYSLOG+ZLIB-i686/pc/linux-gnu started.
Sep 7 11:15:47 localhost ngircd[27467]: Using configuration file
"/usr/local/etc/ngircd.conf" ...
Sep 7 11:15:47 localhost ngircd[27467]: Configuration option "DHFile" not set!
Sep 7 11:15:47 localhost ngircd[27467]: SSL using default CipherList
Sep 7 11:15:47 localhost ngircd[27467]: OpenSSL 1.0.1 14 Mar 2012 initialized.
# grep -B 10 "CipherList" /usr/local/etc/ngircd.conf
# password to decrypt SSLKeyFile (OpenSSL only)
;KeyFilePassword = secret
# SSL Server Key Certificate
CertFile = /etc/apache2/ssl/ssl.crt
# Diffie-Hellman parameters
;DHFile = /usr/local/etc/ngircd/ssl/dhparams.pem
# SSL_CipherList.patch, Sep 06 2013
CipherList = ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
Thanks,
Nathan Fowler
8 years, 11 months
Re: [ngIRCd-ML] Support for OpenSSL CipherList
by lists@packetmail.net
On 09/06/2013 05:00 AM, ngircd-ml-request(a)arthur.barton.de wrote:
> The patch attached is now in proper order.
Question -- I'm very happy to see this patch but it doesn't appear to work
against ngircd 20.3 -- am I doing something incorrectly?
Apologies if I'm doing something stupid/obvious, I've reviewed the patch/code
and it looks sound, including conf.c but based on the log message it looks
like it's an issue with conf.c
# gpg --verify ngircd-20.3.tar.gz.sig ngircd-20.3.tar.gz
gpg: Signature made Fri 23 Aug 2013 03:25:37 PM CDT using RSA key ID EAA15A24
gpg: Good signature from "Alexander Barton <alex(a)barton.de>"
gpg: aka "Alexander Barton <alex(a)barton-it.de>"
gpg: aka "Alexander Barton <alex(a)arthur.ath.cx>"
gpg: aka "[jpeg image of size 1488]"
gpg: aka "[jpeg image of size 1718]"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: F5B9 F52E D909 20D2 5203 76A2 C24A 0F63 7E36 4856
Subkey fingerprint: 47EC B2F6 D427 3737 30E9 0113 8A45 9AD2 EAA1 5A24
# patch -p0 < SSL_Ciphers.patch
patching file ./doc/sample-ngircd.conf.tmpl
Hunk #1 succeeded at 237 (offset -23 lines).
patching file ./src/ngircd/conf.c
Hunk #1 succeeded at 106 (offset -11 lines).
Hunk #2 succeeded at 431 (offset -15 lines).
Hunk #3 succeeded at 1842 with fuzz 2 (offset -32 lines).
patching file ./src/ngircd/conf.h
patching file ./src/ngircd/conn-ssl.c
Hunk #1 succeeded at 275 with fuzz 1 (offset -28 lines).
# ./configure --enable-ipv6 --with-openssl CFLAGS='-Wall -D_FORTIFY_SOURCE=2
-O2 -fPIE -pie -fstack-protector'
checking build system type... i686-pc-linux-gnu
....
ngIRCd 20.3 has been configured with the following options:
Host: i686-pc-linux-gnu
Compiler: gcc -std=gnu99
Compiler flags: -Wall -D_FORTIFY_SOURCE=2 -O2 -fPIE -pie
-fstack-protector -pipe -W -Wall -Wpointer-arith -Wstrict-prototypes
-fstack-protector -DSYSCONFDIR='"$(sysconfdir)"'
Libraries: -lssl -lcrypto -lz
'ngircd' binary: /usr/local/sbin
Configuration file: /usr/local/etc
Manual pages: /usr/local/share/man
Documentation: /usr/local/share/doc/ngircd
Syslog support: yes Enable debug code: no
zlib compression: yes IRC sniffer: no
Use TCP Wrappers: no Strict RFC mode: no
IDENT support: no IRC+ protocol: yes
IPv6 protocol: yes I/O backend: "epoll(), select()"
PAM support: no SSL support: openssl
libiconv support: no
# grep CipherList /etc/ngircd.conf -B 12
# SSL Server Key
KeyFile = /etc/apache2/ssl/ssl.key
# password to decrypt SSLKeyFile (OpenSSL only)
;KeyFilePassword = secret
# SSL Server Key Certificate
CertFile = /etc/apache2/ssl/ssl.crt
# Diffie-Hellman parameters
;DHFile = /usr/local/etc/ngircd/ssl/dhparams.pem
# SSL_CipherList.patch, Sep 06 2013
CipherList = ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
# grep/tail log
Sep 6 15:39:24 localhost ngircd[4153]: /usr/local/etc/ngircd.conf, line 166
(section "SSL"): Unknown variable "CipherList"!
Sep 6 15:39:24 localhost ngircd[4153]: ngIRCd
20.3-IPv6+IRCPLUS+SSL+SYSLOG+ZLIB-i686/pc/linux-gnu started.
Sep 6 15:39:24 localhost ngircd[4153]: Using configuration file
"/usr/local/etc/ngircd.conf" ...
Sep 6 15:39:24 localhost ngircd[4153]: Configuration option "DHFile" not set!
Sep 6 15:39:24 localhost ngircd[4153]: SSL using default CipherList
Sep 6 15:39:24 localhost ngircd[4153]: OpenSSL 1.0.1 14 Mar 2012 initialized.
# diff -u conf.c conf.c.orig
--- conf.c 2013-09-06 15:36:00.000000000 -0500
+++ conf.c.orig 2013-08-23 14:43:02.000000000 -0500
@@ -106,9 +106,6 @@
array_free_wipe(&Conf_SSLOptions.KeyFilePassword);
array_free(&Conf_SSLOptions.ListenPorts);
-
- free(Conf_SSLOptions.CipherList);
- Conf_SSLOptions.CipherList = NULL;
}
/**
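Review bot: The diff is taken in reverse: `--- conf.c` is the patched file and `+++ conf.c.orig` the pristine one, so the three `-` lines in this hunk are what the CipherList patch adds, not what it removes; regenerate with `diff -u conf.c.orig conf.c` so the hunks read forward. The added free()/NULL reset in the cleanup path is fine as far as it goes: free(NULL) is a no-op, and clearing the pointer is what keeps a later re-read of the configuration from tripping the `assert(Conf_SSLOptions.CipherList == NULL)` in the parser below.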
@@ -431,8 +428,6 @@
array_free_wipe(&Conf_SSLOptions.KeyFilePassword);
printf(" Ports = ");
ports_puts(&Conf_SSLOptions.ListenPorts);
- printf(" CipherList = %s\n", Conf_SSLOptions.CipherList
- ? Conf_SSLOptions.CipherList : "");
puts("");
#endif
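Review bot: The `--configtest` dump prints an empty `CipherList = ` when the option is unset, which cannot be told apart from an explicitly empty value. Print a marker such as `(default)` in the NULL case, or the same wording the daemon logs (`SSL using default CipherList`), so an operator reading the dump can see which cipher policy will really be in effect. (Same caveat as above: the `-` lines are the addition, the diff is reversed.)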
@@ -1842,11 +1837,6 @@
Config_Error_TooLong(Line, Var);
return;
}
- if (strcasecmp(Var, "CipherList") == 0) {
- assert(Conf_SSLOptions.CipherList == NULL);
- Conf_SSLOptions.CipherList = strdup_warn(Arg);
- return;
- }
Config_Error_Section(Line, Var, "Server");
}
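Review bot: This hunk landed in the wrong handler. Its trailing context is `Config_Error_Section(Line, Var, "Server")`, the fall-through of the [Server] section parser, while CipherList is read from [SSL]; that matches both the apply log (`Hunk #3 succeeded at 1842 with fuzz 2 (offset -32 lines)`: the `Config_Error_TooLong(Line, Var); return; }` context is not unique to the SSL handler, so fuzz matched a different function) and the runtime error `(section "SSL"): Unknown variable "CipherList"!`, after which the daemon silently runs with the default cipher list. Move the block into the handler that ends with `Config_Error_Section(Line, Var, "SSL")`, or regenerate the patch against 20.3 with enough unique context that it cannot apply elsewhere. Also, `assert(Conf_SSLOptions.CipherList == NULL)` aborts on a second CipherList line in the same file when assertions are enabled and silently leaks the first value under NDEBUG; free the previous value (or report a duplicate) before `strdup_warn(Arg)`. As with the other hunks, the `-` lines here are the addition because the diff was taken in reverse.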
Thanks,
Nathan Fowler
8 years, 11 months
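The pairing of `Hunk #3 succeeded at 1842 with fuzz 2` with the runtime error `(section "SSL"): Unknown variable "CipherList"!` suggests the check a reader of this thread would want to make: after a fuzzy apply, confirm that the inserted branch sits in the handler for the intended section. The shell snippet below is an added example, not ngIRCd code or the patch author's; it assumes only the structure the posted diff shows (each section parser falls through to `Config_Error_Section(Line, Var, "<Section>")`), and the two handler bodies it writes are constructed stand-ins for conf.c, not the real file.

```shell
#!/bin/sh
# Added example, not part of ngIRCd or the posted patch. Assumption taken
# from the posted diff: every section parser in src/ngircd/conf.c falls
# through to Config_Error_Section(Line, Var, "<Section>"), so the first such
# call after an option's strcasecmp() test names the section in which the
# parser will actually accept that option.

# Print the section name whose handler contains the strcasecmp() test for
# option $2 in file $1; prints nothing if the option is not handled at all.
handler_of() {
    awk -v opt="$2" '
        index($0, "strcasecmp(Var, \"" opt "\")") { found = 1 }
        found && /Config_Error_Section\(Line, Var, "/ {
            split($0, q, "\"")      # q[2] is the quoted section name
            print q[2]
            exit
        }' "$1"
}

# The branch the CipherList patch inserts (body shortened for the example).
cipher_branch() {
    printf '\tif (strcasecmp(Var, "CipherList") == 0)\n\t\treturn;\n'
}

# Write a constructed conf.c fragment with two handlers to $1; $2 selects
# which one ("SSL" or "Server") receives the CipherList branch.
make_sample() {
    {
        printf 'static void\nHandle_SSL(const char *File, int Line, char *Var, char *Arg)\n{\n'
        printf '\tif (strcasecmp(Var, "CertFile") == 0)\n\t\treturn;\n'
        if [ "$2" = "SSL" ]; then cipher_branch; fi
        printf '\tConfig_Error_Section(Line, Var, "SSL");\n}\n\n'
        printf 'static void\nHandle_SERVER(const char *File, int Line, char *Var, char *Arg)\n{\n'
        printf '\tif (strcasecmp(Var, "Host") == 0)\n\t\treturn;\n'
        if [ "$2" = "Server" ]; then cipher_branch; fi
        printf '\tConfig_Error_Section(Line, Var, "Server");\n}\n'
    } > "$1"
}

tmp=$(mktemp -d)
make_sample "$tmp/misapplied.c" Server   # the shape a fuzzy apply can produce
make_sample "$tmp/intended.c" SSL        # where the branch belongs

for f in misapplied intended; do
    printf '%s: CipherList handled in section [%s]\n' \
        "$f" "$(handler_of "$tmp/$f.c" CipherList)"
done
```

Run it against the real tree as `handler_of src/ngircd/conf.c CipherList` after applying the patch; anything other than `SSL` means the option will be rejected at startup exactly as in the log above, and the daemon will keep running on the library default cipher list.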
Support for OpenSSL CipherList
by Bastian
Hi all,
find attached a patch which enables a configuration option CipherList.
This can be used to select/deselect ciphers used for tls/ssl
connections.
This became significant to me, because my network ops detected my
ngIRCd would allow low and already known to be broken ciphers.
Sorry, this is only for OpenSSL, gnutls is not included.
Please also mind, that this was the first time for me looking into
ngIRCd code. I hope I got all the meanings about config reading and
checking properly.
Hope this helps.
Bastian
8 years, 11 months
question about strong ciphers
by Michiel van Es
Hello,
I am using OpenSSL (1.*) with ngIRCd to enforce SSL connections.
Is there a possibility that I can enforce certain ciphers or disable
certain weak ciphers?
The default config allows 56-bit ciphers:
SSLv3:RC4-MD5 - ENABLED - STRONG 128 bits
SSLv3:DES-CBC3-SHA - ENABLED - STRONG 168 bits
SSLv3:CAMELLIA128-SHA - ENABLED - STRONG 128 bits
SSLv3:RC4-SHA - ENABLED - STRONG 128 bits
SSLv3:SEED-SHA - ENABLED - STRONG 128 bits
SSLv3:CAMELLIA256-SHA - ENABLED - STRONG 256 bits
** SSLv3:DES-CBC-SHA - ENABLED - WEAK 56 bits **
SSLv3:AES128-SHA - ENABLED - STRONG 128 bits
SSLv3:AES256-SHA - ENABLED - STRONG 256 bits
Error 20: unable to get local issuer certificate
TLSv1:RC4-MD5 - ENABLED - STRONG 128 bits
TLSv1:DES-CBC3-SHA - ENABLED - STRONG 168 bits
TLSv1:CAMELLIA128-SHA - ENABLED - STRONG 128 bits
TLSv1:RC4-SHA - ENABLED - STRONG 128 bits
TLSv1:SEED-SHA - ENABLED - STRONG 128 bits
TLSv1:CAMELLIA256-SHA - ENABLED - STRONG 256 bits
** TLSv1:DES-CBC-SHA - ENABLED - WEAK 56 bits **
TLSv1:AES128-SHA - ENABLED - STRONG 128 bits
TLSv1:AES256-SHA - ENABLED - STRONG 256 bits
Regards,
Michiel
8 years, 11 months
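Bastian's patch and Michiel's question come down to the same check: what does a given OpenSSL cipher string actually select, and does anything weak survive? The following is an added example, not ngIRCd's or Bastian's code. It hands the string to the same OpenSSL parser a daemon uses (SSL_CTX_set_cipher_list, reached through Python's ssl module), flags cipher names matching a constructed weak-marker list, and treats an unparseable string as a hard failure rather than a fallback to the library default. The list of marker substrings and the stricter candidate string are this example's own choices; which suites come back depends on the OpenSSL build Python links against, and a modern build will not offer RC4 or single DES at all, so an empty `weak` list is only meaningful if the string is itself restrictive.

```python
import ssl

# Constructed list of name fragments marking suites a current deployment
# should not negotiate: RC4 and DES (incl. 3DES) per Michiel's scan, plus
# NULL, export, anonymous, MD5-MAC and PSK suites. Extend for your policy.
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5", "ADH", "AECDH", "PSK")

# The string used in this thread: "RC4+RSA" explicitly re-adds RC4.
THREAD_CIPHERLIST = "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"

# A stricter candidate (this example's choice): forward-secret AES-GCM only.
STRICT_CIPHERLIST = (
    "ECDHE+AESGCM:DHE+AESGCM:!aNULL:!eNULL:!PSK:!MD5:!RC4:!DES:!3DES"
)


def expand_cipher_list(cipher_list):
    """Return the cipher names a CipherList string selects in this OpenSSL build.

    ssl.SSLContext.set_ciphers() calls SSL_CTX_set_cipher_list(), the entry
    point a daemon also uses; it raises ssl.SSLError when nothing matches,
    which is the case a server must treat as fatal instead of quietly
    running on the library default.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_list)
    # get_ciphers() also lists the TLS 1.3 suites the context will offer.
    return [c["name"] for c in ctx.get_ciphers()]


def weak_ciphers(names):
    """Subset of cipher names containing any weak marker (case-insensitive)."""
    return [n for n in names if any(m in n.upper() for m in WEAK_MARKERS)]


def check_cipher_list(cipher_list):
    """Validate a CipherList the way a startup check should.

    Returns a dict: 'valid' is False when OpenSSL rejects the string;
    otherwise 'ciphers' holds the selected suite names and 'weak' those
    that match WEAK_MARKERS.
    """
    try:
        names = expand_cipher_list(cipher_list)
    except ssl.SSLError as exc:
        return {"valid": False, "error": str(exc), "ciphers": [], "weak": []}
    return {"valid": True, "error": None, "ciphers": names,
            "weak": weak_ciphers(names)}


if __name__ == "__main__":
    for label, cl in (("thread", THREAD_CIPHERLIST),
                      ("strict", STRICT_CIPHERLIST),
                      ("bogus", "NOSUCHCIPHER")):
        r = check_cipher_list(cl)
        print(f"{label}: valid={r['valid']} selected={len(r['ciphers'])} "
              f"weak={r['weak']} error={r['error']}")
```

The same expansion is available on the command line as `openssl ciphers -v '<string>'`, which is the quickest way to review a candidate CipherList against the OpenSSL build the daemon is actually linked to before putting it into ngircd.conf.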