[ something ate my message, second try ]
Hello,
there's a longstanding issue in ngircd, at least on (Debian) Linux
using glibc: Some tests in src/testsuite rely on a certain order of
the entries in /etc/hosts.
Apparently the first entry that points to 127.0.0.1 is returned
when getnameinfo, same for gethostbyaddr, is called for that IP
address. Up to three tests (misc, who, whois) assume the result is
or begins with "localhost", and will fail otherwise.
This usually happens if the administrator of the site where ngircd is
built has decided to have an entry about the host name at the first
place in /etc/hosts. Now I'm not aware whether there's a rule about
this at all. And even if, it is violated that often I'd call it a bad
idea to try educating users. Instead, ngircd should work around it.
Two ways I can think of:
Before running the tests, call getnameinfo on 127.0.0.1 and patch
any non-"localhost*" result into the expect files. This looks
kludgy, especially since some tests use pattern matching like in
'send "who ??cal*ho*\r"'. So after a few hours of trying, a second
idea:
Enhance ngircd's resolver to resolve 127.0.0.1 into "localhost" no
matter what. To avoid surprises, this should be controllable by
another command line option. Using LD_PRELOAD during the tests was a
variant.
Thoughts?
Christoph
Hello, some time ago I had created some patches for a specific cipher list with
ngircd. In reference to the SSLv3 issue (POODLE) the below patch also addresses
this issue. The key is just adding "SSL_OP_NO_SSLv3" to the SSL_CTX_set_options
function.
--- /backup/archives/system_101514/root/src/ngircd-22/src/ngircd/conn-ssl.c
2014-10-13 09:57:54.000000000 -0500
+++ ./src/ngircd/conn-ssl.c 2014-10-15 09:35:23.000000000 -0500
@@ -324,7 +324,8 @@
Log(LOG_INFO, "Successfully applied SSL CipherList=%s",
"EDH+aRSA:!SSLv2:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS");
}
- SSL_CTX_set_options(newctx, SSL_OP_SINGLE_DH_USE|SSL_OP_NO_SSLv2);
+ /* NCF, Oct 15 2014, Disable SSLv3 (POODLE) */
+ SSL_CTX_set_options(newctx,
SSL_OP_SINGLE_DH_USE|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3);
SSL_CTX_set_mode(newctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
SSL_CTX_set_verify(newctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE,
Verify_openssl);
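Review bot: the added SSL_CTX_set_options call and the `---` header are each wrapped onto a second line in this mail, so the hunk will not apply as posted; please resend it as an attachment or with line wrapping disabled. The `---` side is an absolute backup path while the `+++` side is relative to the source tree, so no single -p strip level fits both; generating the diff from the tree root for both files would fix that. The new comment would be better limited to the reason ("Disable SSLv3 (POODLE)"), with initials and date left to the commit message. Since SSL_OP_NO_SSLv3 is now set unconditionally, a note in the documentation or NEWS that SSLv3-only clients can no longer connect would help administrators.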
Cheers,
Nathan
Hello again!
I tagged the first release candidate for our upcoming next „feature release“
of ngIRCd today: ngIRCd Release 22~rc1.
There have been more than 100 individual commits since ngIRCd 21, the NEWS
file lists 20 new „features“, please pick your favorite yourself:
• Sync "except lists" between servers: Up to now, ban, invite, and G-Line
lists have been synced between servers while linking -- but obviously
nobody noticed that except lists have been missing ever since. Until now.
Thanks to "j4jackj", who reported this issue in #ngircd.
• Allow longer user names (up to 63 characters) for authentication.
• Increase MAX_SERVERS from 16 to 64: There are installations out there
that would like to configure more than 16 links per server, so increase
this limit. Best would be to get rid of MAX_SERVERS altogether and make
it fully dynamic, but start with this quick and dirty hack ...
• Test suite/platformtest.sh: Detect when tests have been skipped.
• Allow "DefaultUserModes" to set all possible modes, including modes only
settable by IRC Operators.
• Implement user mode "F": "relaxed flood protection". Clients with mode
"F" set are allowed to rapidly send data to the daemon. This mode is only
settable by IRC Operators and can cause problems in the network -- so be
careful and only set it on "trusted" clients!
User mode "F" is used by Bahamut for this purpose, for example.
• Use server password when PAM is compiled in but disabled.
• Streamline punctuation of log messages.
• Return ISUPPORT(005) numerics on "VERSION". This is how ircd-seven,
Charybdis, Hybrid, and InspIRCd behave, for example.
• configure: Only link "contrib/Debian" if it exists, which isn't the case
on "VPATH builds", for example.
• Show the account name in WHOIS. This uses the same numeric as Charybdis
and ircu families: WHOISLOGGEDIN(330).
• Pattern matching: Remove "range matching" in our pattern matching code
using the "[...]" syntax, because [ and ] are valid characters in nick
names and one has to quote them currently using the "\" character, which
is quite unexpected for users.
• platformtest.sh: New option "-x", don't regenerate build system and
allow using separate source and build trees.
• Test suite: explicitly enable glibc memory checking.
• Make "MODE -k" handling more robust and compatible, send "fake '*' key"
in all replies.
• portabtest: Actually test the functions snprintf(), strlcpy(), strlcat(),
and vsnprintf() for correctness, not only existence (which was quite
useless, because if they weren't available, the program could not have
been linked at all ...).
• Implement new configuration option "Network": it is used to set the
(completely optional) "network name", to which this instance of the
daemon belongs. When set, this name is used in the ISUPPORT(005) numeric
which is sent to all clients connecting to the server after logging in.
• Update doc/Platforms.txt.
• Various code cleanups, remove unused code, streamline error handling.
Remove all imp.h and exp.h header files, support non-standard vsnprintf()
return codes, and fix some K&R C portability issues. Streamline
DEBUG_ARRAY, DEBUG_BUFFER, DEBUG_IO, DEBUG_ZIP definitions.
• Increase penalty time to 10 seconds when handling OPER commands with
an invalid password.
Please test this release candidate thoroughly and report all glitches,
problems, errors, and regressions you encounter! Best is to file bugs and
feature requests here:
ngIRCd Bug Tracker: <http://ngircd.barton.de/bugzilla/>
You can find more information on our homepage at <http://ngircd.barton.de/>
and its mirror <http://ngircd.mirror.3rz.org/>.
The primary download location is:
• <http://ngircd.barton.de/pub/ngircd/>
And as usual: a big THANKS to all users, bug reporters, contributors,
packagers, and supporters!
Have fun!
Alex
On 04.10.2014 at 19:07, Götz Hoffart wrote:
> On 04.10.2014 at 18:32, Max Rieger <root(a)dynamic-port.net> wrote:
>
>> When I write "CloakUserToNick = secret" in a new line, save the file and reload/restart the IRC server, I cannot see a change in the field "Benutzername" (in English: Username. But not Nickname!) in my user entry in the IRC client, nor in any other user's.
> The setting for that is 'yes' or 'no', not 'secret'. After setting this you must HUP or restart ngIRCd.
>
> Did you see/read that the setting of the username is done by the IRC client? You can change it there.
>
>> Before i check for change, i have me logout from my IRC-Channel and login again. And value-set "yes" is that self, why "no".
> I don’t understand these two sentences, sorry.
>
> Regards
> Götz
Before I wrote to this ML, I had checked it with "CloakUserToNick = yes"
and "CloakUserToNick = no". At that time I did not see a change, but
now I can see a change. Thanks!
rfnddh4imk2rst7w.onion
Hello!
I did not know that it is customary in IRC to also transmit the real user
name with which one has logged in to one's own operating system, and even
to display it to visitors. For me and the visitors this is a security
problem. I cannot fix the problem with "CloakHost" - that was named to me
as a solution in the IRC channel "ngircd" on the server "irc.barton.de",
a supposed solution, that is.
The value of "Benutzername" (user name) is surely not needed by the IRC
server for identification, nor among the servers themselves, or am I wrong
there? Because even if it were, one could at least make sure that every
visitor logging in gets a random jumble of characters for "Benutzername"
instead, which is valid only until logging out again and time-out.
I ask for a quick solution.
Thanks!