lists@packetmail.net wrote...
Hello, some time ago I had created some patches for a specific cipher list with ngircd. In reference to the SSLv3 issue (POODLE), the below patch also addresses this issue. The key is just adding "SSL_OP_NO_SSLv3" to the SSL_CTX_set_options function.
Besides the fact that the counterpart for GnuTLS appears to be missing: I'd suggest doing a simple configuration change for the time being, since this is both way easier to deploy and allows administrators to run ngircd in an insecure mode if they really want to. If they do that against the hostile internet, they'll soon receive a lot of e-mail from some port scanners about their dangerous configuration anyway.
So, the following should do the trick; I was about to propose it anyway, but your message came earlier. It's lightly tested for OpenSSL and not yet for GnuTLS; I will do that in the next few minutes.
diff --git a/doc/sample-ngircd.conf.tmpl b/doc/sample-ngircd.conf.tmpl index 1d07822..b5db1d9 100644 --- a/doc/sample-ngircd.conf.tmpl +++ b/doc/sample-ngircd.conf.tmpl @@ -259,9 +259,9 @@ # See 'man 1ssl ciphers' (OpenSSL) or 'man 3 gnutls_priority_init' # (GnuTLS) for details. # For OpenSSL: - ;CipherList = HIGH:!aNULL:@STRENGTH + ;CipherList = HIGH:!aNULL:@STRENGTH:!SSLv3 # For GnuTLS: - ;CipherList = SECURE128 + ;CipherList = SECURE128:-VERS-SSL3.0
# Diffie-Hellman parameters ;DHFile = :ETCDIR:/ssl/dhparams.pem
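Review bot: the OpenSSL line of this hunk does not disable the SSLv3 protocol. In an OpenSSL cipher string the `SSLv3` keyword selects cipher suites (the suites introduced with SSLv3, which are also the ones TLS 1.0 and 1.1 use), not protocol versions, so `HIGH:!aNULL:@STRENGTH:!SSLv3` strips every pre-TLS-1.2 suite and shuts out TLS 1.0/1.1 clients as a side effect, while protocol negotiation itself is left as it was. Turning off the protocol version needs `SSL_OP_NO_SSLv3` passed to `SSL_CTX_set_options`, as the original message proposed, or an equivalent protocol-level option exposed by the daemon; the GnuTLS line (`SECURE128:-VERS-SSL3.0`) does remove the protocol version and is fine as written. Note also that both changed lines are commented-out sample entries (`;CipherList`), so existing installations and the compiled-in default are unaffected unless the built-in default is changed in the same commit.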