Change cipher defaults

Switch cipher defaults to HIGH:!aNULL:@STRENGTH (OpenSSL) or
SECURE128 (GnuTLS).

diff --git a/INSTALL b/INSTALL
index de60feb8c45549b8da99a1932c7e5bc55d944dd5..eec2b37f6c9c7cfbf21963bcf9f7b2d65d3f5bf7 100644 (file)
--- a/INSTALL
+++ b/INSTALL
@@ -12,11 +12,18 @@
 I. Upgrade Information
 ~~~~~~~~~~~~~~~~~~~~~~
 
+Differences to previous version 
+
+- Starting with ngIRCd 21, the ciphers used by SSL are configurable and
+  default to HIGH:!aNULL:@STRENGTH (OpenSSL) or SECURE128 (GnuTLS).
+  Previous version were using the OpenSSL or GnuTLS defaults, DEFAULT
+  and NORMAL respectively.
+
 Differences to version 19.x
 
 - Starting with ngIRCd 20, users can "cloak" their hostname only when the
   configuration variable "CloakHostModeX" (introduced in 19.2) is set.
-  Otherwise, only IRC opertators, other servers, and services are allowed to
+  Otherwise, only IRC operators, other servers, and services are allowed to
   set mode +x. This prevents regular users from changing their hostmask to
   the name of the IRC server itself, which confused quite a few people ;-)
 

diff --git a/doc/sample-ngircd.conf.tmpl b/doc/sample-ngircd.conf.tmpl
index 1bdf01ee4f2b7309ec864ea75a389694b368e352..65da36016c7f44016fa6e0d18b6aaf0b3270c2e5 100644 (file)
--- a/doc/sample-ngircd.conf.tmpl
+++ b/doc/sample-ngircd.conf.tmpl
@@ -249,11 +249,9 @@
        ;CertFile = :ETCDIR:/ssl/server-cert.pem
 
        # Select cipher suites allowed for SSL/TLS connections. This defaults
-       # to the empty string, so all supported ciphers are allowed. Please
-       # see 'man 1ssl ciphers' (OpenSSL) and 'man 3 gnutls_priority_init'
+       # to HIGH:!aNULL:@STRENGTH (OpenSSL) or SECURE128 (GnuTLS).
+       # See 'man 1ssl ciphers' (OpenSSL) or 'man 3 gnutls_priority_init'
        # (GnuTLS) for details.
-       # For example, this setting allows only "high strength" cipher suites,
-       # disables the ones without authentication, and sorts by strength:
        # For OpenSSL:
        ;CipherList = HIGH:!aNULL:@STRENGTH
        # For GnuTLS:

diff --git a/man/ngircd.conf.5.tmpl b/man/ngircd.conf.5.tmpl
index 862c142403327a0560161e586ec6de8fe854e22a..b69649ea7a658878f87ceefd5f4edcacb68e3721 100644 (file)
--- a/man/ngircd.conf.5.tmpl
+++ b/man/ngircd.conf.5.tmpl
@@ -367,13 +367,10 @@ when it is compiled with support for SSL using OpenSSL or GnuTLS!
 SSL Certificate file of the private server key.
 .TP
 \fBCipherList\fR (string)
-Select cipher suites allowed for SSL/TLS connections. This defaults to the
-empty string, so all supported ciphers are allowed.
+Select cipher suites allowed for SSL/TLS connections.  This defaults to
+"HIGH:!aNULL:@STRENGTH" (OpenSSL) or "SECURE128" (GnuTLS).
 Please see 'man 1ssl ciphers' (OpenSSL) and 'man 3 gnutls_priority_init'
 (GnuTLS) for details.
-For example, this setting allows only "high strength" cipher suites, disables
-the ones without authentication, and sorts by strength:
-"HIGH:!aNULL:@STRENGTH" (OpenSSL), "SECURE128" (GnuTLS).
 .TP
 \fBDHFile\fR (string)
 Name of the Diffie-Hellman Parameter file. Can be created with GnuTLS

diff --git a/src/ngircd/conf.c b/src/ngircd/conf.c
index 9ab66e54cf194b3c7afe68c90104d62e309e8ae1..9c2c912f1d126ee2282653c7ad85d9b2e9f1f91c 100644 (file)
--- a/src/ngircd/conf.c
+++ b/src/ngircd/conf.c
@@ -93,6 +93,12 @@ static void Init_Server_Struct PARAMS(( CONF_SERVER *Server ));
 #define DEFAULT_LISTEN_ADDRSTR "0.0.0.0"
 #endif
 
+#ifdef HAVE_LIBSSL
+#define DEFAULT_CIPHERS                "HIGH:!aNULL:@STRENGTH"
+#endif
+#ifdef HAVE_LIBGNUTLS
+#define DEFAULT_CIPHERS                "SECURE128"
+#endif
 
 #ifdef SSL_SUPPORT
 
@@ -435,8 +441,8 @@ Conf_Test( void )
        puts("[SSL]");
        printf("  CertFile = %s\n", Conf_SSLOptions.CertFile
                                        ? Conf_SSLOptions.CertFile : "");
-       printf("  CipherList = %s\n", Conf_SSLOptions.CipherList
-                                       ? Conf_SSLOptions.CipherList : "");
+       printf("  CipherList = %s\n", Conf_SSLOptions.CipherList ?
+              Conf_SSLOptions.CipherList : DEFAULT_CIPHERS);
        printf("  DHFile = %s\n", Conf_SSLOptions.DHFile
                                        ? Conf_SSLOptions.DHFile : "");
        printf("  KeyFile = %s\n", Conf_SSLOptions.KeyFile
@@ -1032,6 +1038,10 @@ Read_Config(bool TestOnly, bool IsStarting)
        CheckFileReadable("CertFile", Conf_SSLOptions.CertFile);
        CheckFileReadable("DHFile", Conf_SSLOptions.DHFile);
        CheckFileReadable("KeyFile", Conf_SSLOptions.KeyFile);
+
+       /* Set the default ciphers if none were configured */
+       if (!Conf_SSLOptions.CipherList)
+               Conf_SSLOptions.CipherList = strdup_warn(DEFAULT_CIPHERS);
 #endif
 
        return true;

diff --git a/src/ngircd/conn-ssl.c b/src/ngircd/conn-ssl.c
index b16c6b94e35299a54091ae9bb60dba9e1880c174..a24a62dac7254daf339a3d5191753470a0bf6c11 100644 (file)
--- a/src/ngircd/conn-ssl.c
+++ b/src/ngircd/conn-ssl.c
@@ -306,17 +306,10 @@ ConnSSL_InitLibrary( void )
        if (!ConnSSL_LoadServerKey_openssl(newctx))
                goto out;
 
-       if(Conf_SSLOptions.CipherList && *Conf_SSLOptions.CipherList) {
-               if(SSL_CTX_set_cipher_list(newctx, Conf_SSLOptions.CipherList) == 0 ) {
-                       Log(LOG_ERR,
-                           "Failed to apply OpenSSL cipher list \"%s\"!",
-                           Conf_SSLOptions.CipherList);
-                       goto out;
-               } else {
-                       Log(LOG_INFO,
-                           "Successfully applied OpenSSL cipher list \"%s\".",
-                           Conf_SSLOptions.CipherList);
-               }
+       if (SSL_CTX_set_cipher_list(newctx, Conf_SSLOptions.CipherList) == 0) {
+               Log(LOG_ERR, "Failed to apply OpenSSL cipher list \"%s\"!",
+                   Conf_SSLOptions.CipherList);
+               goto out;
        }
 
        SSL_CTX_set_options(newctx, SSL_OP_SINGLE_DH_USE|SSL_OP_NO_SSLv2);
@@ -352,25 +345,12 @@ out:
        if (!ConnSSL_LoadServerKey_gnutls())
                goto out;
 
-       if(Conf_SSLOptions.CipherList && *Conf_SSLOptions.CipherList) {
-               err = gnutls_priority_init(&priorities_cache,
-                                          Conf_SSLOptions.CipherList, NULL);
-               if (err != GNUTLS_E_SUCCESS) {
-                       Log(LOG_ERR,
-                           "Failed to apply GnuTLS cipher list \"%s\"!",
-                           Conf_SSLOptions.CipherList);
-                       goto out;
-               }
-               Log(LOG_INFO,
-                   "Successfully applied GnuTLS cipher list \"%s\".",
+       if (gnutls_priority_init(&priorities_cache, Conf_SSLOptions.CipherList,
+                                NULL) != GNUTLS_E_SUCCESS) {
+               Log(LOG_ERR,
+                   "Failed to apply GnuTLS cipher list \"%s\"!",
                    Conf_SSLOptions.CipherList);
-       } else {
-               err = gnutls_priority_init(&priorities_cache, "NORMAL", NULL);
-               if (err != GNUTLS_E_SUCCESS) {
-                       Log(LOG_ERR,
-                           "Failed to apply GnuTLS cipher list \"NORMAL\"!");
-                       goto out;
-               }
+               goto out;
        }
 
        Log(LOG_INFO, "GnuTLS %s initialized.", gnutls_check_version(NULL));
@@ -505,7 +485,7 @@ ConnSSL_Init_SSL(CONNECTION *c)
 #ifdef HAVE_LIBGNUTLS
        Conn_OPTION_ADD(c, CONN_SSL);
        ret = gnutls_priority_set(c->ssl_state.gnutls_session, priorities_cache);
-       if (ret != 0) {
+       if (ret != GNUTLS_E_SUCCESS) {
                Log(LOG_ERR, "Failed to set GnuTLS session priorities: %s",
                    gnutls_strerror(ret));
                ConnSSL_Free(c);