On 09/06/2013 05:00 AM, ngircd-ml-request@arthur.barton.de wrote:
The patch attached is now in proper order.
Question -- I'm very happy to see this patch but it doesn't appear to work against ngircd 20.3 -- am I doing something incorrectly?
Apologies if I'm doing something stupid/obvious. I've reviewed the patch/code and it looks sound, including conf.c, but based on the log message it looks like it's an issue with conf.c.
# gpg --verify ngircd-20.3.tar.gz.sig ngircd-20.3.tar.gz
gpg: Signature made Fri 23 Aug 2013 03:25:37 PM CDT using RSA key ID EAA15A24
gpg: Good signature from "Alexander Barton alex@barton.de"
gpg: aka "Alexander Barton alex@barton-it.de"
gpg: aka "Alexander Barton alex@arthur.ath.cx"
gpg: aka "[jpeg image of size 1488]"
gpg: aka "[jpeg image of size 1718]"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: F5B9 F52E D909 20D2 5203 76A2 C24A 0F63 7E36 4856
Subkey fingerprint: 47EC B2F6 D427 3737 30E9 0113 8A45 9AD2 EAA1 5A24
# patch -p0 < SSL_Ciphers.patch
patching file ./doc/sample-ngircd.conf.tmpl
Hunk #1 succeeded at 237 (offset -23 lines).
patching file ./src/ngircd/conf.c
Hunk #1 succeeded at 106 (offset -11 lines).
Hunk #2 succeeded at 431 (offset -15 lines).
Hunk #3 succeeded at 1842 with fuzz 2 (offset -32 lines).
patching file ./src/ngircd/conf.h
patching file ./src/ngircd/conn-ssl.c
Hunk #1 succeeded at 275 with fuzz 1 (offset -28 lines).
# ./configure --enable-ipv6 --with-openssl CFLAGS='-Wall -D_FORTIFY_SOURCE=2 -O2 -fPIE -pie -fstack-protector'
checking build system type... i686-pc-linux-gnu
....
ngIRCd 20.3 has been configured with the following options:
Host: i686-pc-linux-gnu
Compiler: gcc -std=gnu99
Compiler flags: -Wall -D_FORTIFY_SOURCE=2 -O2 -fPIE -pie -fstack-protector -pipe -W -Wall -Wpointer-arith -Wstrict-prototypes -fstack-protector -DSYSCONFDIR='"$(sysconfdir)"'
Libraries: -lssl -lcrypto -lz
'ngircd' binary: /usr/local/sbin
Configuration file: /usr/local/etc
Manual pages: /usr/local/share/man
Documentation: /usr/local/share/doc/ngircd
Syslog support: yes
Enable debug code: no
zlib compression: yes
IRC sniffer: no
Use TCP Wrappers: no
Strict RFC mode: no
IDENT support: no
IRC+ protocol: yes
IPv6 protocol: yes
I/O backend: "epoll(), select()"
PAM support: no
SSL support: openssl
libiconv support: no
# grep CipherList /etc/ngircd.conf -B 12
# SSL Server Key
KeyFile = /etc/apache2/ssl/ssl.key
# password to decrypt SSLKeyFile (OpenSSL only)
;KeyFilePassword = secret
# SSL Server Key Certificate
CertFile = /etc/apache2/ssl/ssl.crt
# Diffie-Hellman parameters
;DHFile = /usr/local/etc/ngircd/ssl/dhparams.pem
# SSL_CipherList.patch, Sep 06 2013
CipherList = ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
# grep/tail log
Sep 6 15:39:24 localhost ngircd[4153]: /usr/local/etc/ngircd.conf, line 166 (section "SSL"): Unknown variable "CipherList"!
Sep 6 15:39:24 localhost ngircd[4153]: ngIRCd 20.3-IPv6+IRCPLUS+SSL+SYSLOG+ZLIB-i686/pc/linux-gnu started.
Sep 6 15:39:24 localhost ngircd[4153]: Using configuration file "/usr/local/etc/ngircd.conf" ...
Sep 6 15:39:24 localhost ngircd[4153]: Configuration option "DHFile" not set!
Sep 6 15:39:24 localhost ngircd[4153]: SSL using default CipherList
Sep 6 15:39:24 localhost ngircd[4153]: OpenSSL 1.0.1 14 Mar 2012 initialized.
# diff -u conf.c conf.c.orig --- conf.c 2013-09-06 15:36:00.000000000 -0500 +++ conf.c.orig 2013-08-23 14:43:02.000000000 -0500 @@ -106,9 +106,6 @@ array_free_wipe(&Conf_SSLOptions.KeyFilePassword);
array_free(&Conf_SSLOptions.ListenPorts); - - free(Conf_SSLOptions.CipherList); - Conf_SSLOptions.CipherList = NULL; }
/** @@ -431,8 +428,6 @@ array_free_wipe(&Conf_SSLOptions.KeyFilePassword); printf(" Ports = "); ports_puts(&Conf_SSLOptions.ListenPorts); - printf(" CipherList = %s\n", Conf_SSLOptions.CipherList - ? Conf_SSLOptions.CipherList : ""); puts(""); #endif
@@ -1842,11 +1837,6 @@ Config_Error_TooLong(Line, Var); return; } - if (strcasecmp(Var, "CipherList") == 0) { - assert(Conf_SSLOptions.CipherList == NULL); - Conf_SSLOptions.CipherList = strdup_warn(Arg); - return; - }
Config_Error_Section(Line, Var, "Server"); }
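Review bot: In the third hunk (@@ -1842,11 +1837,6 @@) the "CipherList" branch sits directly above Config_Error_Section(Line, Var, "Server");, so in this patched conf.c it ended up in the handler for the "Server" section rather than the one for "SSL". This diff runs from the patched conf.c to conf.c.orig, so the "-" lines are the ones the patch added. That placement matches the log line (section "SSL"): Unknown variable "CipherList"! and the patch output above, where this hunk only applied with fuzz 2 at an offset of -32 lines. The branch should be moved by hand into the handler for the [SSL] section, or the patch re-applied with fuzz disabled (patch -F0) so a misplaced hunk is rejected instead of silently accepted. Separately, assert(Conf_SSLOptions.CipherList == NULL); is reached from configuration-file input, so a second CipherList line in the file would trip it; freeing the previous value or logging a configuration error would be safer than asserting.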
Thanks,
Nathan Fowler