Hi all,
find attached a patch which enables a configuration option, CipherList. This can be used to select/deselect the ciphers used for TLS/SSL connections.
This became significant to me because my network ops detected that my ngIRCd would allow low-strength and already known-to-be-broken ciphers.
Sorry, this is only for OpenSSL; GnuTLS is not included. Please also bear in mind that this was the first time I looked into the ngIRCd code. I hope I got everything about config reading and checking right.
Hope this helps.
Bastian
Bastian <bastian-ngircd@t6l.de> wrote:
diff --git a/doc/sample-ngircd.conf.tmpl b/doc/sample-ngircd.conf.tmpl index 10f2189..ae1b213 100644 --- a/doc/sample-ngircd.conf.tmpl +++ b/doc/sample-ngircd.conf.tmpl @@ -260,12 +260,6 @@ # Additional Listen Ports that expect SSL/TLS encrypted connections ;Ports = 6697, 9999
- # OpenSSL: Select cipher suites used for ssl/tls connections
- # more info at 'man 1ssl ciphers'
- # Example below disallows besides LowStrength, the Medium Strength Cipher Suites, SSLv2
- # RC-4, which tend to be broken
- ;CipherList = !aNULL:!eNULL:!LOW:!SSLv2:!EXPORT:!EXPORT56:!RC4:!MEDIUM:HIGH:@STRENGTH
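Review bot: the hunk direction is inverted: the new sample-config block appears as `-` lines and the header `@@ -260,12 +260,6 @@` says the file shrinks by six lines, so applying this would delete the comment block rather than add it; regenerate the diff with the old tree as `a/` and the patched tree as `b/`. Two smaller points in the comment text: `man 1ssl ciphers` is not a standard manual section, so refer to `man ciphers` or, better, `openssl ciphers -v '<list>'`, which prints exactly the suites a string enables and lets an admin verify the example before restarting; and "Example below disallows besides LowStrength, the Medium Strength Cipher Suites, SSLv2 RC-4, which tend to be broken" is hard to parse, something like "Example below disallows LOW and MEDIUM strength suites, SSLv2 and RC4, which are known to be broken" reads more clearly.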
This patch seems to be inverted...
- if (strcasecmp(Var, "CipherList") == 0) {
assert(array_bytes(&Conf_SSLOptions.CipherList) == 0);
if (!array_copys(&Conf_SSLOptions.CipherList, Arg))
Config_Error(LOG_ERR,
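Review bot: same inversion here (the new `if (strcasecmp(Var, "CipherList") == 0)` branch shows as a removal), and the hunk is cut off inside the `Config_Error(LOG_ERR,` call, so the error message and the rest of the branch cannot be reviewed. On the logic: `array_copys(&Conf_SSLOptions.CipherList, Arg)` only compiles if that field is an `array`; if it is a plain `char *`, store a `strdup(Arg)` and check the result for NULL. Either way, a second `CipherList` line should not be silently swallowed by an `== NULL` guard: log a duplicate-option error and free the old value on a config reload. Note also that the parser cannot tell whether the string is a valid cipher list; that check only happens when the value is handed to OpenSSL at SSL initialisation, and a failure there should be fatal rather than leave the daemon running with OpenSSL's default list.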
This won't work, and the compiler should scream at this. Either CipherList needs to be of array type, or this should be something like
if (Conf_SSLOptions.CipherList == NULL) Conf_SSLOptions.CipherList = strdup(Arg);
[since the cipher list isn't altered, I'd recommend going with strdup]
On 05Sep13 15:28 +0200, Florian Westphal wrote:
- # OpenSSL: Select cipher suites used for ssl/tls connections
- # more info at 'man 1ssl ciphers'
- # Example below disallows besides LowStrength, the Medium Strength Cipher Suites, SSLv2
- # RC-4, which tend to be broken
- ;CipherList = !aNULL:!eNULL:!LOW:!SSLv2:!EXPORT:!EXPORT56:!RC4:!MEDIUM:HIGH:@STRENGTH
This patch seems to be inverted...
Florian, thanks for looking at this. The attached patch is now in proper order.
- if (strcasecmp(Var, "CipherList") == 0) {
assert(array_bytes(&Conf_SSLOptions.CipherList) == 0);
if (!array_copys(&Conf_SSLOptions.CipherList, Arg))
Config_Error(LOG_ERR,
This won't work, and the compiler should scream at this. Either CipherList needs to be of array type, or this should be something like
if (Conf_SSLOptions.CipherList == NULL) Conf_SSLOptions.CipherList = strdup(Arg);
Right, I changed this, too.
Bastian
Hi,
I attached a fix for the last patch.
- important: verify that CipherLists are applied successfully
- if SSL initialization fails, the daemon should exit and not run without SSL
Q: Are patches welcome on the ML?
Cheers,
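The two checks the thread asks for, that the CipherList string is accepted by OpenSSL and that the daemon refuses to start when it is not, can be exercised outside the daemon. The following is an added example, not ngIRCd code and not part of the patch: it uses Python's ssl module, which is a thin wrapper over SSL_CTX_set_cipher_list() and SSL_CTX_get_ciphers(), so acceptance and rejection follow the same OpenSSL logic the daemon would hit. It assumes Python is linked against OpenSSL; the cipher string is the sample value from the patch's sample-ngircd.conf.tmpl, and the WEAK_MARKERS name fragments are my own shorthand for the suite classes that sample excludes.

```python
# Added example (not ngIRCd's code): apply an OpenSSL cipher string the way
# the CipherList option would, and verify it was actually applied.
import ssl
import sys

# Sample value from the patch's sample-ngircd.conf.tmpl.
SAMPLE_CIPHERLIST = ("!aNULL:!eNULL:!LOW:!SSLv2:!EXPORT:!EXPORT56:!RC4:"
                     "!MEDIUM:HIGH:@STRENGTH")

# Name fragments (constructed for this example) identifying the suite classes
# the sample list excludes: anonymous (ADH/AECDH), no encryption (NULL),
# export grade (EXP), RC4 and MD5-based suites.
WEAK_MARKERS = ("ADH", "AECDH", "NULL", "EXP", "RC4", "MD5")


def apply_cipher_list(cipher_list):
    """Apply cipher_list to a fresh server context, as the daemon would at
    SSL initialisation.

    Returns (ok, ctx, message). ok is False when OpenSSL cannot select a
    single TLS<=1.2 suite from the string (SSL_CTX_set_cipher_list()
    returned 0). That is the case in which the daemon should refuse to
    start rather than run with OpenSSL's default list or without TLS.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_list)
    except ssl.SSLError as err:
        return False, None, "cipher list rejected by OpenSSL: %s" % err
    return True, ctx, "cipher list applied"


def enabled_ciphers(ctx):
    """Names of the suites the context will offer after the list was applied
    (what 'openssl ciphers -v <list>' prints, plus any TLS 1.3 suites, which
    OpenSSL configures separately from this string)."""
    return [c["name"] for c in ctx.get_ciphers()]


def weak_ciphers(names):
    """Subset of names that still belong to one of the excluded classes."""
    return [n for n in names if any(m in n for m in WEAK_MARKERS)]


def check_cipher_list(cipher_list):
    """Full check: the string is accepted by OpenSSL and no excluded class
    survives. Returns (ok, message) so a caller can exit non-zero."""
    ok, ctx, msg = apply_cipher_list(cipher_list)
    if not ok:
        return False, msg
    names = enabled_ciphers(ctx)
    leftovers = weak_ciphers(names)
    if leftovers:
        return False, "weak suites still enabled: " + ", ".join(leftovers)
    return True, msg + " (%d suites enabled)" % len(names)


if __name__ == "__main__":
    # Usage: python check_cipherlist.py ['<cipher string>']
    value = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_CIPHERLIST
    ok, msg = check_cipher_list(value)
    print(msg)
    # Mirror the fix's rule: on failure, exit instead of running without SSL.
    sys.exit(0 if ok else 1)
```

Run with no argument to check the sample string, or pass a candidate CipherList value to see whether OpenSSL accepts it and which suites remain. A string that matches no suite (for instance a typo that leaves only exclusions) is the failure the fix guards against: set_ciphers() raises, and the script exits non-zero instead of continuing.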