ngIRCd Users September 2013

ngircd@lists.barton.de

7 participants
6 discussions

TLS and authentication patches
by Matt Pepe 19 Sep '13

19 Sep '13

Hello, On a related note, I have patches for the GNUTLS side of things that allows for client certificate support (including CRLs). I also have ngircd connected to a an OTP solution, which obviously causes issues with the numerous client re-connects. I ended up implementing an authentication cache to solve that problem as well. Any interest in both/either? - Matt

2 1

Re: [ngIRCd-ML] Support fir OpenSSL CipherList
by lists＠packetmail.net 07 Sep '13

07 Sep '13

On 09/07/2013 05:00 AM, ngircd-ml-request(a)arthur.barton.de wrote: > Hi, > > I attached a fix for the last patch. > - important: verifying CipherLists are applied successfully > - if SSL initialization failes, daemon should exit and not run without SSL > > Q: Is it welcome to provide patches on the ML? I certainly appreciate you taking the time to write the patch, correct it, and share it again. This is a feature that I am very happy to see implemented and I thank you for taking the time to do this and share with the community. It seems I still have the same issue with the latest patch on ngircd-20.3 -- # patch -p0 < ../ngircd_ssl_cipherlist.patch patching file ./doc/sample-ngircd.conf.tmpl Hunk #1 succeeded at 237 (offset -23 lines). patching file ./src/ngircd/conf.c Hunk #1 succeeded at 106 (offset -11 lines). Hunk #2 succeeded at 431 (offset -15 lines). Hunk #3 succeeded at 1842 with fuzz 2 (offset -32 lines). patching file ./src/ngircd/conf.h patching file ./src/ngircd/conn-ssl.c Hunk #1 succeeded at 275 with fuzz 1 (offset -28 lines). patching file ./src/ngircd/ngircd.c Hunk #1 succeeded at 671 (offset -2 lines). # Log Sep 7 11:15:47 localhost ngircd[27467]: /usr/local/etc/ngircd.conf, line 166 (section "SSL"): Unknown variable "CipherList"! Sep 7 11:15:47 localhost ngircd[27467]: ngIRCd 20.3-IPv6+IRCPLUS+SSL+SYSLOG+ZLIB-i686/pc/linux-gnu started. Sep 7 11:15:47 localhost ngircd[27467]: Using configuration file "/usr/local/etc/ngircd.conf" ... Sep 7 11:15:47 localhost ngircd[27467]: Configuration option "DHFile" not set! Sep 7 11:15:47 localhost ngircd[27467]: SSL using default CipherList Sep 7 11:15:47 localhost ngircd[27467]: OpenSSL 1.0.1 14 Mar 2012 initialized. # grep -B 10 "CipherList" /usr/local/etc/ngircd.conf # password to decrypt SSLKeyFile (OpenSSL only) ;KeyFilePassword = secret # SSL Server Key Certificate CertFile = /etc/apache2/ssl/ssl.crt # Diffie-Hellman parameters ;DHFile = /usr/local/etc/ngircd/ssl/dhparams.pem # SSL_CipherList.patch, Sep 06 2013 CipherList = ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM Thanks, Nathan Fowler

3 2

Re: [ngIRCd-ML] Support fir OpenSSL CipherList
by lists＠packetmail.net 06 Sep '13

06 Sep '13

On 09/06/2013 05:00 AM, ngircd-ml-request(a)arthur.barton.de wrote: > The patch attached is now in proper order. Question -- I'm very happy to see this patch but it doesn't appear to work against ngircd 20.3 -- am I doing something incorrectly? Apologies if I'm doing something stupid/obvious, I've reviewed the patch/code and it looks sound, including conf.c but based on the log message it looks like it's an issue with conf.c # gpg --verify ngircd-20.3.tar.gz.sig ngircd-20.3.tar.gz gpg: Signature made Fri 23 Aug 2013 03:25:37 PM CDT using RSA key ID EAA15A24 gpg: Good signature from "Alexander Barton <alex(a)barton.de>" gpg: aka "Alexander Barton <alex(a)barton-it.de>" gpg: aka "Alexander Barton <alex(a)arthur.ath.cx>" gpg: aka "[jpeg image of size 1488]" gpg: aka "[jpeg image of size 1718]" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: F5B9 F52E D909 20D2 5203 76A2 C24A 0F63 7E36 4856 Subkey fingerprint: 47EC B2F6 D427 3737 30E9 0113 8A45 9AD2 EAA1 5A24 # patch -p0 < SSL_Ciphers.patch patching file ./doc/sample-ngircd.conf.tmpl Hunk #1 succeeded at 237 (offset -23 lines). patching file ./src/ngircd/conf.c Hunk #1 succeeded at 106 (offset -11 lines). Hunk #2 succeeded at 431 (offset -15 lines). Hunk #3 succeeded at 1842 with fuzz 2 (offset -32 lines). patching file ./src/ngircd/conf.h patching file ./src/ngircd/conn-ssl.c Hunk #1 succeeded at 275 with fuzz 1 (offset -28 lines). # ./configure --enable-ipv6 --with-openssl CFLAGS='-Wall -D_FORTIFY_SOURCE=2 -O2 -fPIE -pie -fstack-protector' checking build system type... i686-pc-linux-gnu .... ngIRCd 20.3 has been configured with the following options: Host: i686-pc-linux-gnu Compiler: gcc -std=gnu99 Compiler flags: -Wall -D_FORTIFY_SOURCE=2 -O2 -fPIE -pie -fstack-protector -pipe -W -Wall -Wpointer-arith -Wstrict-prototypes -fstack-protector -DSYSCONFDIR='"$(sysconfdir)"' Libraries: -lssl -lcrypto -lz 'ngircd' binary: /usr/local/sbin Configuration file: /usr/local/etc Manual pages: /usr/local/share/man Documentation: /usr/local/share/doc/ngircd Syslog support: yes Enable debug code: no zlib compression: yes IRC sniffer: no Use TCP Wrappers: no Strict RFC mode: no IDENT support: no IRC+ protocol: yes IPv6 protocol: yes I/O backend: "epoll(), select()" PAM support: no SSL support: openssl libiconv support: no # grep CipherList /etc/ngircd.conf -B 12 # SSL Server Key KeyFile = /etc/apache2/ssl/ssl.key # password to decrypt SSLKeyFile (OpenSSL only) ;KeyFilePassword = secret # SSL Server Key Certificate CertFile = /etc/apache2/ssl/ssl.crt # Diffie-Hellman parameters ;DHFile = /usr/local/etc/ngircd/ssl/dhparams.pem # SSL_CipherList.patch, Sep 06 2013 CipherList = ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM # grep/tail log Sep 6 15:39:24 localhost ngircd[4153]: /usr/local/etc/ngircd.conf, line 166 (section "SSL"): Unknown variable "CipherList"! Sep 6 15:39:24 localhost ngircd[4153]: ngIRCd 20.3-IPv6+IRCPLUS+SSL+SYSLOG+ZLIB-i686/pc/linux-gnu started. Sep 6 15:39:24 localhost ngircd[4153]: Using configuration file "/usr/local/etc/ngircd.conf" ... Sep 6 15:39:24 localhost ngircd[4153]: Configuration option "DHFile" not set! Sep 6 15:39:24 localhost ngircd[4153]: SSL using default CipherList Sep 6 15:39:24 localhost ngircd[4153]: OpenSSL 1.0.1 14 Mar 2012 initialized. # diff -u conf.c conf.c.orig --- conf.c 2013-09-06 15:36:00.000000000 -0500 +++ conf.c.orig 2013-08-23 14:43:02.000000000 -0500 @@ -106,9 +106,6 @@ array_free_wipe(&Conf_SSLOptions.KeyFilePassword); array_free(&Conf_SSLOptions.ListenPorts); - - free(Conf_SSLOptions.CipherList); - Conf_SSLOptions.CipherList = NULL; } /** @@ -431,8 +428,6 @@ array_free_wipe(&Conf_SSLOptions.KeyFilePassword); printf(" Ports = "); ports_puts(&Conf_SSLOptions.ListenPorts); - printf(" CipherList = %s\n", Conf_SSLOptions.CipherList - ? Conf_SSLOptions.CipherList : ""); puts(""); #endif @@ -1842,11 +1837,6 @@ Config_Error_TooLong(Line, Var); return; } - if (strcasecmp(Var, "CipherList") == 0) { - assert(Conf_SSLOptions.CipherList == NULL); - Conf_SSLOptions.CipherList = strdup_warn(Arg); - return; - } Config_Error_Section(Line, Var, "Server"); } Thanks, Nathan Fowler

1 0

Support fir OpenSSL CipherList
by Bastian 06 Sep '13

06 Sep '13

Hi all, find attached a patch which enables a configuration option CipherList. This can be used to select/deselect ciphers used for tls/ssl connections. This became significant to me, because my network ops detected my ngIRCd would allow low and already known to be broken ciphers. Sorry, this is only for OpenSSL, gnutls is not included. Please also mind, that this was the first time for me looking into ngIRCd code. I hope I got all the meanings about config reading and checking properly. Hope this helps. Bastian

2 3

Re: [ngIRCd-ML] ngIRCd-ML Digest, Vol 95, Issue 1
by lists＠packetmail.net 02 Sep '13

02 Sep '13

On 09/02/2013 05:00 AM, ngircd-ml-request(a)arthur.barton.de wrote: > I am using OpenSSL (1.*) with Ngircd to enforce SSL connections. > Is there a possibility that I can enforce certain ciphers or disable > certain weak ciphers? Perhaps use the 'stunnel' method for serving ngircd over SSL and disable weak ciphers through stunnel's configuration, see http://ngircd.barton.de/doc/SSL.txt options = NO_SSLv2 ciphers = ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP If you're using RHEL-derived distribution, perhaps enable FIPS mode to disable weak ciphers system-wide see section 7.2.1 in the below URL: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux… Cheers, Nathan

2 1

question about strong ciphers
by Michiel van Es 01 Sep '13

01 Sep '13

Hello, I am using OpenSSL (1.*) with Ngircd to enforce SSL connections. Is there a possibility that I can enforce certain ciphers or disable certain weak ciphers? The default config allow 56 bits ciphers: SSLv3:RC4-MD5 - ENABLED - STRONG 128 bits SSLv3:DES-CBC3-SHA - ENABLED - STRONG 168 bits SSLv3:CAMELLIA128-SHA - ENABLED - STRONG 128 bits SSLv3:RC4-SHA - ENABLED - STRONG 128 bits SSLv3:SEED-SHA - ENABLED - STRONG 128 bits SSLv3:CAMELLIA256-SHA - ENABLED - STRONG 256 bits ** SSLv3:DES-CBC-SHA - ENABLED - WEAK 56 bits ** SSLv3:AES128-SHA - ENABLED - STRONG 128 bits SSLv3:AES256-SHA - ENABLED - STRONG 256 bits Error 20: unable to get local issuer certificate TLSv1:RC4-MD5 - ENABLED - STRONG 128 bits TLSv1:DES-CBC3-SHA - ENABLED - STRONG 168 bits TLSv1:CAMELLIA128-SHA - ENABLED - STRONG 128 bits TLSv1:RC4-SHA - ENABLED - STRONG 128 bits TLSv1:SEED-SHA - ENABLED - STRONG 128 bits TLSv1:CAMELLIA256-SHA - ENABLED - STRONG 256 bits ** TLSv1:DES-CBC-SHA - ENABLED - WEAK 56 bits ** TLSv1:AES128-SHA - ENABLED - STRONG 128 bits TLSv1:AES256-SHA - ENABLED - STRONG 256 bits Regards, Michiel

1 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

ngIRCd Users September 2013