On 09/07/2013 05:00 AM, ngircd-ml-request@arthur.barton.de wrote:
Hi,
I attached a fix for the last patch.
- important: verifying CipherLists are applied successfully
- if SSL initialization fails, daemon should exit and not run without SSL
Q: Is it welcome to provide patches on the ML?
I certainly appreciate you taking the time to write the patch, correct it, and share it again. This is a feature that I am very happy to see implemented and I thank you for taking the time to do this and share with the community.
It seems I still have the same issue with the latest patch on ngircd-20.3 --
# patch -p0 < ../ngircd_ssl_cipherlist.patch
patching file ./doc/sample-ngircd.conf.tmpl
Hunk #1 succeeded at 237 (offset -23 lines).
patching file ./src/ngircd/conf.c
Hunk #1 succeeded at 106 (offset -11 lines).
Hunk #2 succeeded at 431 (offset -15 lines).
Hunk #3 succeeded at 1842 with fuzz 2 (offset -32 lines).
patching file ./src/ngircd/conf.h
patching file ./src/ngircd/conn-ssl.c
Hunk #1 succeeded at 275 with fuzz 1 (offset -28 lines).
patching file ./src/ngircd/ngircd.c
Hunk #1 succeeded at 671 (offset -2 lines).
# Log
Sep 7 11:15:47 localhost ngircd[27467]: /usr/local/etc/ngircd.conf, line 166 (section "SSL"): Unknown variable "CipherList"!
Sep 7 11:15:47 localhost ngircd[27467]: ngIRCd 20.3-IPv6+IRCPLUS+SSL+SYSLOG+ZLIB-i686/pc/linux-gnu started.
Sep 7 11:15:47 localhost ngircd[27467]: Using configuration file "/usr/local/etc/ngircd.conf" ...
Sep 7 11:15:47 localhost ngircd[27467]: Configuration option "DHFile" not set!
Sep 7 11:15:47 localhost ngircd[27467]: SSL using default CipherList
Sep 7 11:15:47 localhost ngircd[27467]: OpenSSL 1.0.1 14 Mar 2012 initialized.
# grep -B 10 "CipherList" /usr/local/etc/ngircd.conf
# password to decrypt SSLKeyFile (OpenSSL only)
;KeyFilePassword = secret
# SSL Server Key Certificate
CertFile = /etc/apache2/ssl/ssl.crt
# Diffie-Hellman parameters
;DHFile = /usr/local/etc/ngircd/ssl/dhparams.pem
# SSL_CipherList.patch, Sep 06 2013
CipherList = ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
Thanks, Nathan Fowler
On 09/07/2013 11:19 AM, lists@packetmail.net wrote:
It seems I still have the same issue with the latest patch on ngircd-20.3 --
Using Bastian's patch as a template, I modified it to suit my CipherList needs directly, and it worked. I've attached it for others, it's probably less graceful than Bastian's approach, but it worked great for my needs. Thanks again Bastian!
Logfile:
Sep 7 11:42:38 localhost ngircd[5273]: ngIRCd 20.3-IPv6+IRCPLUS+SSL+SYSLOG+ZLIB-i686/pc/linux-gnu started.
Sep 7 11:42:38 localhost ngircd[5273]: Using configuration file "/usr/local/etc/ngircd.conf" ...
Sep 7 11:42:38 localhost ngircd[5273]: Configuration option "DHFile" not set!
Sep 7 11:42:38 localhost ngircd[5273]: Successfully applied SSL CipherList=ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
Sep 7 11:42:38 localhost ngircd[5273]: OpenSSL 1.0.1 14 Mar 2012 initialized.
Enabled Ciphers:
TLSv1:RC4-MD5 - ENABLED - STRONG 128 bits
TLSv1:DES-CBC3-SHA - ENABLED - STRONG 168 bits
TLSv1:CAMELLIA128-SHA - ENABLED - STRONG 128 bits
TLSv1:RC4-SHA - ENABLED - STRONG 128 bits
TLSv1:SEED-SHA - ENABLED - STRONG 128 bits
TLSv1:CAMELLIA256-SHA - ENABLED - STRONG 256 bits
TLSv1:AES128-SHA - ENABLED - STRONG 128 bits
TLSv1:AES256-SHA - ENABLED - STRONG 256 bits
SSLv3:RC4-MD5 - ENABLED - STRONG 128 bits
SSLv3:DES-CBC3-SHA - ENABLED - STRONG 168 bits
SSLv3:CAMELLIA128-SHA - ENABLED - STRONG 128 bits
SSLv3:RC4-SHA - ENABLED - STRONG 128 bits
SSLv3:SEED-SHA - ENABLED - STRONG 128 bits
SSLv3:CAMELLIA256-SHA - ENABLED - STRONG 256 bits
SSLv3:AES128-SHA - ENABLED - STRONG 128 bits
SSLv3:AES256-SHA - ENABLED - STRONG 256 bits
Perhaps this change/improvement can be part of the new release?
Regards
Michiel
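The two points raised in this thread, confirming that a CipherList was really applied and refusing to run when it was not, sketched with Python's ssl module rather than ngIRCd's C code (an added example, not part of the posted patch). The function names and the WEAK_MARKERS table are assumptions of this example, and the ciphers reported depend on the local OpenSSL build.

```python
import ssl

# Cipher string quoted from the ngircd.conf excerpt in this thread.
PAGE_CIPHER_LIST = "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"

# Name fragments checked by this example (an assumption of the example,
# not a list taken from the patch).
WEAK_MARKERS = {
    "RC4": "RC4 stream cipher (prohibited for TLS by RFC 7465)",
    "MD5": "MD5-based MAC",
    "DES": "DES/3DES, 64-bit block size",
    "NULL": "no encryption",
    "EXP": "export-grade key length",
}


def weak_reasons(cipher_name, bits=None):
    """Return the reasons a cipher suite name is considered weak (may be empty)."""
    upper = cipher_name.upper()
    reasons = [why for marker, why in WEAK_MARKERS.items() if marker in upper]
    if bits is not None and bits < 128:
        reasons.append(f"only {bits}-bit key")
    return reasons


def apply_cipher_list(cipher_list):
    """Apply cipher_list to a fresh server context, or raise ValueError."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_list)  # wraps SSL_CTX_set_cipher_list()
    except ssl.SSLError as exc:
        # Fail closed: never fall back silently to the library default.
        raise ValueError(f"CipherList {cipher_list!r} rejected: {exc}") from exc
    return ctx


def audit(cipher_list):
    """Map every cipher the local OpenSSL actually enabled to its weak_reasons."""
    ctx = apply_cipher_list(cipher_list)
    return {c["name"]: weak_reasons(c["name"], c.get("strength_bits"))
            for c in ctx.get_ciphers()}


if __name__ == "__main__":
    for name, reasons in audit(PAGE_CIPHER_LIST).items():
        print(f"{name:32} {'WEAK: ' + '; '.join(reasons) if reasons else 'ok'}")
```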
ngIRCd Mailing List: ngIRCd-ML@arthur.barton.de http://arthur.barton.de/mailman/listinfo/ngircd-ml