Hello, some time ago I had created some patches for a specific cipher list with ngircd. In reference to the SSLv3 issue (POODLE) the below patch also addresses this issue. The key is just adding "SSL_OP_NO_SSLv3" to the SSL_CTX_set_options function.
--- /backup/archives/system_101514/root/src/ngircd-22/src/ngircd/conn-ssl.c 2014-10-13 09:57:54.000000000 -0500 +++ ./src/ngircd/conn-ssl.c 2014-10-15 09:35:23.000000000 -0500 @@ -324,7 +324,8 @@ Log(LOG_INFO, "Successfully applied SSL CipherList=%s", "EDH+aRSA:!SSLv2:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"); }
- SSL_CTX_set_options(newctx, SSL_OP_SINGLE_DH_USE|SSL_OP_NO_SSLv2); + /* NCF, Oct 15 2014, Disable SSLv3 (POODLE) */ + SSL_CTX_set_options(newctx, SSL_OP_SINGLE_DH_USE|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3); SSL_CTX_set_mode(newctx, SSL_MODE_ENABLE_PARTIAL_WRITE); SSL_CTX_set_verify(newctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE, Verify_openssl);
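Review bot: the added SSL_CTX_set_options line hard-codes SSL_OP_NO_SSLv3, so an administrator can no longer re-enable SSLv3 through the CipherList setting; if that is the intent, say so in the commit message, and drop the "NCF, Oct 15 2014" attribution from the source comment, since version control already records author and date. The hunk also touches only the OpenSSL backend in conn-ssl.c; the GnuTLS build gets no equivalent change, so servers built against GnuTLS stay exposed unless their priority string is adjusted as well.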
Cheers, Nathan
lists@packetmail.net wrote...
Hello, some time ago I had created some patches for a specific cipher list with ngircd. In reference to the SSLv3 issue (POODLE) the below patch also addresses this issue. The key is just adding "SSL_OP_NO_SSLv3" to the SSL_CTX_set_options function.
Besides the fact that the counterpart for GnuTLS appears to be missing: I'd suggest a simple configuration change for the time being, since this is both way easier to deploy and it allows administrators to run ngircd in an insecure mode if they really want to. If they do that against the hostile internet, they'll soon receive a lot of e-mail from some port scanners about their dangerous configuration anyway.
So, the following should do the trick; I was about to propose it anyway but your message came earlier. It's lightly tested for openssl and not yet for gnutls, which I'll do in the next few minutes.
diff --git a/doc/sample-ngircd.conf.tmpl b/doc/sample-ngircd.conf.tmpl index 1d07822..b5db1d9 100644 --- a/doc/sample-ngircd.conf.tmpl +++ b/doc/sample-ngircd.conf.tmpl @@ -259,9 +259,9 @@ # See 'man 1ssl ciphers' (OpenSSL) or 'man 3 gnutls_priority_init' # (GnuTLS) for details. # For OpenSSL: - ;CipherList = HIGH:!aNULL:@STRENGTH + ;CipherList = HIGH:!aNULL:@STRENGTH:!SSLv3 # For GnuTLS: - ;CipherList = SECURE128 + ;CipherList = SECURE128:-VERS-SSL3.0
# Diffie-Hellman parameters ;DHFile = :ETCDIR:/ssl/dhparams.pem
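Review bot: the OpenSSL line "CipherList = HIGH:!aNULL:@STRENGTH:!SSLv3" does not switch the SSLv3 protocol off. In an OpenSSL cipher string, SSLv3 is a cipher-suite alias (the suites introduced with SSLv3, which TLS 1.0 and 1.1 also use), so "!SSLv3" removes those suites from every protocol version and leaves only the TLS 1.2 suites; an SSLv3 handshake then fails for lack of a common cipher, but so does any TLS 1.0/1.1 client, which matches the negotiation failure Nathan reports with Apache. Disabling the protocol itself needs SSL_OP_NO_SSLv3 in SSL_CTX_set_options, as Nathan's conn-ssl.c hunk does. The GnuTLS line is fine: -VERS-SSL3.0 really removes the protocol version from a priority string. Note also that the hunk only changes the commented ";CipherList" example values, so the sample configuration alone changes nothing for existing installations; the documentation or NEWS entry should tell administrators to set the variable.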
On 10/15/2014 10:47 AM, Christoph Biedl wrote:
- ;CipherList = HIGH:!aNULL:@STRENGTH:!SSLv3
Thank you Christoph for your response. Are you certain this syntax is valid/working? Apache2 failed to negotiate TLS when I did some very light testing with ngircd using this syntax. Your other comments are appreciated, thank you.
Cheers, Nathan
lists@packetmail.net wrote...
On 10/15/2014 10:47 AM, Christoph Biedl wrote:
- ;CipherList = HIGH:!aNULL:@STRENGTH:!SSLv3
Thank you Christoph for your response. Are you certain this syntax is valid/working?
Well, it worked for me. But I wouldn't mind if more people could test this, and report back.
My check is to run
openssl s_client -connect 127.0.0.1:6697 -ssl3 -no_ssl2 -no_tls1
If s_client drops the connection, an SSLv3 connection was not possible. On the contrary a message like "Connection 11: initialized SSLv3 using (...)" in the server log indicates a situation that must not happen any longer.
Apache2 failed to negotiate TLS when I did some very light testing with ngircd using this syntax.
Wild guessing, you run an HTTP/IRC gateway, and the web server process can no longer connect to ngircd?
Christoph
On 10/15/2014 11:43 AM, Christoph Biedl wrote:
Wild guessing, you run an HTTP/IRC gateway, and the web server process can no longer connect to ngircd?
Apologies for the confusion, I meant applying the CipherList style construct to a similar one I am using in Apache 2.2.22; it doesn't apply to ngircd. I may give yours a try but I've already patched and compiled ngircd-22 with it. What's unique is that in ./src/ngircd/conn-ssl.c, SSL_CTX_set_options(newctx, SSL_OP_SINGLE_DH_USE|SSL_OP_NO_SSLv2); was initially used to disable SSLv2, so my thought was that this was a logical place for SSL_OP_NO_SSLv3 as well. That being said, your approach seems completely reasonable as well and likely the least intrusive.
Thanks for the dialog, it's been highly educational, and I appreciate your replies.
Cheers, Nathan
On 15.10.2014 at 17:47, Christoph Biedl ngircd.anoy@manchmal.in-ulm.de wrote:
Besides the fact the counterpart for GnuTLS appears to be missing: I'd suggest to do a simple configuration change for the time being,
[…]
diff --git a/doc/sample-ngircd.conf.tmpl b/doc/sample-ngircd.conf.tmpl index 1d07822..b5db1d9 100644 --- a/doc/sample-ngircd.conf.tmpl +++ b/doc/sample-ngircd.conf.tmpl @@ -259,9 +259,9 @@ # See 'man 1ssl ciphers' (OpenSSL) or 'man 3 gnutls_priority_init' # (GnuTLS) for details. # For OpenSSL:
- ;CipherList = HIGH:!aNULL:@STRENGTH
- ;CipherList = HIGH:!aNULL:@STRENGTH:!SSLv3 # For GnuTLS:
- ;CipherList = SECURE128
;CipherList = SECURE128:-VERS-SSL3.0
# Diffie-Hellman parameters ;DHFile = :ETCDIR:/ssl/dhparams.pem
Please note that you have to REMOVE THE LEADING ";" character to actually set the "CipherList" variable! The above only changes the commented example values!
For OpenSSL:
—————> cut here <—————
[SSL]
CipherList = HIGH:!aNULL:@STRENGTH:!SSLv3
—————> cut here <—————
For GnuTLS:
—————> cut here <—————
[SSL]
CipherList = SECURE128:-VERS-SSL3.0
—————> cut here <—————
And don't forget to 1. use "ngircd --configtest" to make sure ngIRCd parses your configuration as expected and 2. restart ngIRCd (reloading/rehashing is not enough, at least with GnuTLS …)!
Thanks Alex
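As an added example (not code from this thread or from the ngIRCd project), the following Python script automates the two checks the thread describes: Alex's point that a ";"-prefixed CipherList line is still a comment and sets nothing, and Christoph's log check for "initialized SSLv3" messages. The ngircd.conf fragment and the log lines are constructed, the syslog prefix on the log lines is a guess, and the OpenSSL-versus-GnuTLS detection is a heuristic of mine. For an OpenSSL cipher string the script deliberately reports "undetermined", because a cipher string selects cipher suites rather than protocol versions, and defers to the openssl s_client test from the thread.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed ngircd.conf fragment (not taken from any real server). The
# OpenSSL line is still commented out with ';', exactly the trap Alex warns
# about; only the GnuTLS line is active.
SAMPLE_CONF = """\
[Global]
    Name = irc.example.invalid

[SSL]
    # For OpenSSL:
    ;CipherList = HIGH:!aNULL:@STRENGTH:!SSLv3
    # For GnuTLS:
    CipherList = SECURE128:-VERS-SSL3.0
    ;DHFile = /etc/ngircd/ssl/dhparams.pem
"""

# Constructed server log lines, modelled on the "Connection 11: initialized
# SSLv3 using (...)" message quoted in the thread; the syslog-style prefix
# is an assumption.
SAMPLE_LOG = """\
Oct 15 11:40:01 irc ngircd[1234]: Connection 11: initialized SSLv3 using cipher AES256-SHA.
Oct 15 11:40:05 irc ngircd[1234]: Connection 12: initialized TLSv1.2 using cipher ECDHE-RSA-AES256-GCM-SHA384.
Oct 15 11:41:10 irc ngircd[1234]: Connection 13: initialized TLSv1 using cipher DHE-RSA-AES128-SHA.
"""

# Top-level keywords of a GnuTLS priority string; used as a heuristic to tell
# the two backends' syntaxes apart (OpenSSL strings start with aliases such
# as HIGH or DEFAULT instead).
GNUTLS_LEVELS = {"NORMAL", "SECURE128", "SECURE192", "SECURE256",
                 "PFS", "PERFORMANCE", "LEGACY", "NONE"}

SSLV3_LOG = re.compile(r"Connection (\d+): initialized SSLv3\b")


def active_ssl_settings(conf_text: str) -> Dict[str, str]:
    """Variables really set in [SSL]; lines starting with ';' or '#' are comments."""
    settings: Dict[str, str] = {}
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1).lower()
            continue
        if section == "ssl" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key.lower()] = value
    return settings


def classify_cipherlist(cipherlist: str) -> Tuple[str, Optional[bool]]:
    """Return (backend, sslv3_removed_by_this_string).

    GnuTLS: '-VERS-SSL3.0' really removes the protocol version.
    OpenSSL: a cipher string selects cipher suites, not protocol versions,
    so the answer is None (undetermined) and must be confirmed with s_client.
    """
    tokens = [t.strip() for t in cipherlist.split(":") if t.strip()]
    looks_gnutls = bool(tokens) and (
        tokens[0].upper() in GNUTLS_LEVELS
        or any(t.lstrip("+-!").upper().startswith("VERS-") for t in tokens)
    )
    if looks_gnutls:
        return "gnutls", any(t.upper() == "-VERS-SSL3.0" for t in tokens)
    return "openssl", None


def sslv3_connections(log_text: str) -> List[int]:
    """Connection IDs that negotiated SSLv3; each one is a finding."""
    return [int(m.group(1)) for m in SSLV3_LOG.finditer(log_text)]


def audit(conf_text: str, log_text: str) -> List[str]:
    """Combine the static configuration check with the log check."""
    findings: List[str] = []
    cipherlist = active_ssl_settings(conf_text).get("cipherlist")
    if cipherlist is None:
        findings.append("CipherList is not set (leading ';' still present?); "
                        "ngIRCd falls back to its built-in default")
    else:
        backend, removed = classify_cipherlist(cipherlist)
        if backend == "gnutls" and not removed:
            findings.append("GnuTLS priority string lacks -VERS-SSL3.0")
        elif backend == "openssl":
            findings.append("OpenSSL cipher string cannot switch SSLv3 off by "
                            "itself; confirm with 'openssl s_client ... -ssl3'")
    for cid in sslv3_connections(log_text):
        findings.append(f"Connection {cid} negotiated SSLv3")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF, SAMPLE_LOG):
        print("FINDING:", finding)
```

Run against a real installation by feeding the contents of ngircd.conf and the server log to audit(); an empty result means the active CipherList names a GnuTLS string with -VERS-SSL3.0 and no SSLv3 session appears in the log. The s_client check from the thread remains the authoritative test for an OpenSSL build, since nothing in the configuration file proves the protocol is off.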