From 0985d69cc6c1daa7cdc8f15f93772b12ab3e8271 Mon Sep 17 00:00:00 2001 From: "Federico G. Schwindt" Date: Tue, 17 Sep 2013 16:16:51 +0100 Subject: [PATCH] Change cipher defaults Switch cipher defaults to HIGH:!aNULL:@STRENGTH (OpenSSL) or SECURE128 (GnuTLS). --- INSTALL | 9 ++++++++- doc/sample-ngircd.conf.tmpl | 6 ++---- man/ngircd.conf.5.tmpl | 7 ++----- src/ngircd/conf.c | 14 +++++++++++-- src/ngircd/conn-ssl.c | 40 ++++++++++--------------------------- 5 files changed, 34 insertions(+), 42 deletions(-) diff --git a/INSTALL b/INSTALL index de60feb8..eec2b37f 100644 --- a/INSTALL +++ b/INSTALL @@ -12,11 +12,18 @@ I. Upgrade Information ~~~~~~~~~~~~~~~~~~~~~~ +Differences to previous version + +- Starting with ngIRCd 21, the ciphers used by SSL are configurable and + default to HIGH:!aNULL:@STRENGTH (OpenSSL) or SECURE128 (GnuTLS). + Previous version were using the OpenSSL or GnuTLS defaults, DEFAULT + and NORMAL respectively. + Differences to version 19.x - Starting with ngIRCd 20, users can "cloak" their hostname only when the configuration variable "CloakHostModeX" (introduced in 19.2) is set. - Otherwise, only IRC opertators, other servers, and services are allowed to + Otherwise, only IRC operators, other servers, and services are allowed to set mode +x. This prevents regular users from changing their hostmask to the name of the IRC server itself, which confused quite a few people ;-) diff --git a/doc/sample-ngircd.conf.tmpl b/doc/sample-ngircd.conf.tmpl index 1bdf01ee..65da3601 100644 --- a/doc/sample-ngircd.conf.tmpl +++ b/doc/sample-ngircd.conf.tmpl @@ -249,11 +249,9 @@ ;CertFile = :ETCDIR:/ssl/server-cert.pem # Select cipher suites allowed for SSL/TLS connections. This defaults - # to the empty string, so all supported ciphers are allowed. Please - # see 'man 1ssl ciphers' (OpenSSL) and 'man 3 gnutls_priority_init' + # to HIGH:!aNULL:@STRENGTH (OpenSSL) or SECURE128 (GnuTLS). + # See 'man 1ssl ciphers' (OpenSSL) or 'man 3 gnutls_priority_init' # (GnuTLS) for details. - # For example, this setting allows only "high strength" cipher suites, - # disables the ones without authentication, and sorts by strength: # For OpenSSL: ;CipherList = HIGH:!aNULL:@STRENGTH # For GnuTLS: diff --git a/man/ngircd.conf.5.tmpl b/man/ngircd.conf.5.tmpl index 862c1424..b69649ea 100644 --- a/man/ngircd.conf.5.tmpl +++ b/man/ngircd.conf.5.tmpl @@ -367,13 +367,10 @@ when it is compiled with support for SSL using OpenSSL or GnuTLS! SSL Certificate file of the private server key. .TP \fBCipherList\fR (string) -Select cipher suites allowed for SSL/TLS connections. This defaults to the -empty string, so all supported ciphers are allowed. +Select cipher suites allowed for SSL/TLS connections. This defaults to +"HIGH:!aNULL:@STRENGTH" (OpenSSL) or "SECURE128" (GnuTLS). Please see 'man 1ssl ciphers' (OpenSSL) and 'man 3 gnutls_priority_init' (GnuTLS) for details. -For example, this setting allows only "high strength" cipher suites, disables -the ones without authentication, and sorts by strength: -"HIGH:!aNULL:@STRENGTH" (OpenSSL), "SECURE128" (GnuTLS). .TP \fBDHFile\fR (string) Name of the Diffie-Hellman Parameter file. Can be created with GnuTLS diff --git a/src/ngircd/conf.c b/src/ngircd/conf.c index 9ab66e54..9c2c912f 100644 --- a/src/ngircd/conf.c +++ b/src/ngircd/conf.c @@ -93,6 +93,12 @@ static void Init_Server_Struct PARAMS(( CONF_SERVER *Server )); #define DEFAULT_LISTEN_ADDRSTR "0.0.0.0" #endif +#ifdef HAVE_LIBSSL +#define DEFAULT_CIPHERS "HIGH:!aNULL:@STRENGTH" +#endif +#ifdef HAVE_LIBGNUTLS +#define DEFAULT_CIPHERS "SECURE128" +#endif #ifdef SSL_SUPPORT @@ -435,8 +441,8 @@ Conf_Test( void ) puts("[SSL]"); printf(" CertFile = %s\n", Conf_SSLOptions.CertFile ? Conf_SSLOptions.CertFile : ""); - printf(" CipherList = %s\n", Conf_SSLOptions.CipherList - ? Conf_SSLOptions.CipherList : ""); + printf(" CipherList = %s\n", Conf_SSLOptions.CipherList ? + Conf_SSLOptions.CipherList : DEFAULT_CIPHERS); printf(" DHFile = %s\n", Conf_SSLOptions.DHFile ? Conf_SSLOptions.DHFile : ""); printf(" KeyFile = %s\n", Conf_SSLOptions.KeyFile @@ -1032,6 +1038,10 @@ Read_Config(bool TestOnly, bool IsStarting) CheckFileReadable("CertFile", Conf_SSLOptions.CertFile); CheckFileReadable("DHFile", Conf_SSLOptions.DHFile); CheckFileReadable("KeyFile", Conf_SSLOptions.KeyFile); + + /* Set the default ciphers if none were configured */ + if (!Conf_SSLOptions.CipherList) + Conf_SSLOptions.CipherList = strdup_warn(DEFAULT_CIPHERS); #endif return true; diff --git a/src/ngircd/conn-ssl.c b/src/ngircd/conn-ssl.c index b16c6b94..a24a62da 100644 --- a/src/ngircd/conn-ssl.c +++ b/src/ngircd/conn-ssl.c @@ -306,17 +306,10 @@ ConnSSL_InitLibrary( void ) if (!ConnSSL_LoadServerKey_openssl(newctx)) goto out; - if(Conf_SSLOptions.CipherList && *Conf_SSLOptions.CipherList) { - if(SSL_CTX_set_cipher_list(newctx, Conf_SSLOptions.CipherList) == 0 ) { - Log(LOG_ERR, - "Failed to apply OpenSSL cipher list \"%s\"!", - Conf_SSLOptions.CipherList); - goto out; - } else { - Log(LOG_INFO, - "Successfully applied OpenSSL cipher list \"%s\".", - Conf_SSLOptions.CipherList); - } + if (SSL_CTX_set_cipher_list(newctx, Conf_SSLOptions.CipherList) == 0) { + Log(LOG_ERR, "Failed to apply OpenSSL cipher list \"%s\"!", + Conf_SSLOptions.CipherList); + goto out; } SSL_CTX_set_options(newctx, SSL_OP_SINGLE_DH_USE|SSL_OP_NO_SSLv2); @@ -352,25 +345,12 @@ out: if (!ConnSSL_LoadServerKey_gnutls()) goto out; - if(Conf_SSLOptions.CipherList && *Conf_SSLOptions.CipherList) { - err = gnutls_priority_init(&priorities_cache, - Conf_SSLOptions.CipherList, NULL); - if (err != GNUTLS_E_SUCCESS) { - Log(LOG_ERR, - "Failed to apply GnuTLS cipher list \"%s\"!", - Conf_SSLOptions.CipherList); - goto out; - } - Log(LOG_INFO, - "Successfully applied GnuTLS cipher list \"%s\".", + if (gnutls_priority_init(&priorities_cache, Conf_SSLOptions.CipherList, + NULL) != GNUTLS_E_SUCCESS) { + Log(LOG_ERR, + "Failed to apply GnuTLS cipher list \"%s\"!", Conf_SSLOptions.CipherList); - } else { - err = gnutls_priority_init(&priorities_cache, "NORMAL", NULL); - if (err != GNUTLS_E_SUCCESS) { - Log(LOG_ERR, - "Failed to apply GnuTLS cipher list \"NORMAL\"!"); - goto out; - } + goto out; } Log(LOG_INFO, "GnuTLS %s initialized.", gnutls_check_version(NULL)); @@ -505,7 +485,7 @@ ConnSSL_Init_SSL(CONNECTION *c) #ifdef HAVE_LIBGNUTLS Conn_OPTION_ADD(c, CONN_SSL); ret = gnutls_priority_set(c->ssl_state.gnutls_session, priorities_cache); - if (ret != 0) { + if (ret != GNUTLS_E_SUCCESS) { Log(LOG_ERR, "Failed to set GnuTLS session priorities: %s", gnutls_strerror(ret)); ConnSSL_Free(c); -- 2.39.2