I. Upgrade Information
~~~~~~~~~~~~~~~~~~~~~~
+Differences to version 22.x
+
+- The default value of the SSL "CipherList" variable has been changed to
+ "HIGH:!aNULL:@STRENGTH:!SSLv3" (OpenSSL) and "SECURE128:-VERS-SSL3.0"
+ (GnuTLS) to disable the old SSLv3 protocol by default.
+ To enable connections of clients still requiring the weak SSLv3 protocol,
+ the "CipherList" must be set to its old value (not recommended!), which
+ was "HIGH:!aNULL:@STRENGTH" (OpenSSL) and "SECURE128" (GnuTLS), see below.
+
Differences to version 20.x
- Starting with ngIRCd 21, the ciphers used by SSL are configurable and
- default to HIGH:!aNULL:@STRENGTH (OpenSSL) or SECURE128 (GnuTLS).
- Previous version were using the OpenSSL or GnuTLS defaults, DEFAULT
- and NORMAL respectively.
+ default to "HIGH:!aNULL:@STRENGTH" (OpenSSL) or "SECURE128" (GnuTLS).
+ Previous version were using the OpenSSL or GnuTLS defaults, "DEFAULT"
+ and "NORMAL" respectively.
- When adding GLINE's or KLINE's to ngIRCd 21 (or newer), all clients matching
the new mask will be KILL'ed. This was not the case with earlier versions
# See 'man 1ssl ciphers' (OpenSSL) or 'man 3 gnutls_priority_init'
# (GnuTLS) for details.
# For OpenSSL:
- ;CipherList = HIGH:!aNULL:@STRENGTH
+ ;CipherList = HIGH:!aNULL:@STRENGTH:!SSLv3
# For GnuTLS:
- ;CipherList = SECURE128
+ ;CipherList = SECURE128:-VERS-SSL3.0
# Diffie-Hellman parameters
;DHFile = :ETCDIR:/ssl/dhparams.pem
.\"
.\" ngircd.conf(5) manual page template
.\"
-.TH ngircd.conf 5 "Jan 2014" ngIRCd "ngIRCd Manual"
+.TH ngircd.conf 5 "Oct 2014" ngIRCd "ngIRCd Manual"
.SH NAME
ngircd.conf \- configuration file of ngIRCd
.SH SYNOPSIS
.TP
\fBCipherList\fR (string)
Select cipher suites allowed for SSL/TLS connections. This defaults to
-"HIGH:!aNULL:@STRENGTH" (OpenSSL) or "SECURE128" (GnuTLS).
+"HIGH:!aNULL:@STRENGTH:!SSLv3" (OpenSSL) or "SECURE128:-VERS-SSL3.0" (GnuTLS).
Please see 'man 1ssl ciphers' (OpenSSL) and 'man 3 gnutls_priority_init'
(GnuTLS) for details.
.TP
#endif
#ifdef HAVE_LIBSSL
-#define DEFAULT_CIPHERS "HIGH:!aNULL:@STRENGTH"
+#define DEFAULT_CIPHERS "HIGH:!aNULL:@STRENGTH:!SSLv3"
#endif
#ifdef HAVE_LIBGNUTLS
-#define DEFAULT_CIPHERS "SECURE128"
+#define DEFAULT_CIPHERS "SECURE128:-VERS-SSL3.0"
#endif
#ifdef SSL_SUPPORT