ConnSSL_Init_SSL(): correctly set CONN_SSL flag

[ngircd.git] / src / ngircd / conn-ssl.c

diff --git a/src/ngircd/conn-ssl.c b/src/ngircd/conn-ssl.c
index 595cb615e6e78ed192f154a016c5ea5d3778e2d2..a97896758cc30c2f63724ab5396e797e064763da 100644 (file)
--- a/src/ngircd/conn-ssl.c
+++ b/src/ngircd/conn-ssl.c
@@ -305,6 +305,19 @@ ConnSSL_InitLibrary( void )
        if (!ConnSSL_LoadServerKey_openssl(newctx))
                goto out;
 
+       if(Conf_SSLOptions.CipherList && *Conf_SSLOptions.CipherList) {
+               if(SSL_CTX_set_cipher_list(newctx, Conf_SSLOptions.CipherList) == 0 ) {
+                       Log(LOG_ERR,
+                           "Failed to apply SSL cipher list \"%s\"!",
+                           Conf_SSLOptions.CipherList);
+                       goto out;
+               } else {
+                       Log(LOG_INFO,
+                           "Successfully applied SSL cipher list: \"%s\".",
+                           Conf_SSLOptions.CipherList);
+               }
+       }
+
        SSL_CTX_set_options(newctx, SSL_OP_SINGLE_DH_USE|SSL_OP_NO_SSLv2);
        SSL_CTX_set_mode(newctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
        SSL_CTX_set_verify(newctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE,
@@ -328,6 +341,14 @@ out:
                return false;
        }
 
+       if(Conf_SSLOptions.CipherList != NULL) {
+               Log(LOG_ERR,
+                   "Failed to apply SSL cipher list \"%s\": Not implemented for GnuTLS!",
+                   Conf_SSLOptions.CipherList);
+               array_free(&Conf_SSLOptions.ListenPorts);
+               return false;
+       }
+
        err = gnutls_global_init();
        if (err) {
                Log(LOG_ERR, "Failed to initialize GnuTLS: %s",
@@ -339,6 +360,7 @@ out:
                array_free(&Conf_SSLOptions.ListenPorts);
                return false;
        }
+
        Log(LOG_INFO, "GnuTLS %s initialized.", gnutls_check_version(NULL));
        initialized = true;
        return true;
@@ -368,7 +390,7 @@ ConnSSL_LoadServerKey_gnutls(void)
 
        if (array_bytes(&Conf_SSLOptions.KeyFilePassword))
                Log(LOG_WARNING,
-                   "Ignoring KeyFilePassword: Not supported by GnuTLS.");
+                   "Ignoring SSL \"KeyFilePassword\": Not supported by GnuTLS.");
 
        if (!Load_DH_params())
                return false;
@@ -438,7 +460,10 @@ static bool
 ConnSSL_Init_SSL(CONNECTION *c)
 {
        int ret;
+
+       LogDebug("Initializing SSL ...");
        assert(c != NULL);
+
 #ifdef HAVE_LIBSSL
        if (!ssl_ctx) {
                Log(LOG_ERR,
@@ -453,6 +478,7 @@ ConnSSL_Init_SSL(CONNECTION *c)
                LogOpenSSLError("Failed to create SSL structure", NULL);
                return false;
        }
+       Conn_OPTION_ADD(c, CONN_SSL);
 
        ret = SSL_set_fd(c->ssl_state.ssl, c->sock);
        if (ret != 1) {
@@ -462,8 +488,9 @@ ConnSSL_Init_SSL(CONNECTION *c)
        }
 #endif
 #ifdef HAVE_LIBGNUTLS
+       Conn_OPTION_ADD(c, CONN_SSL);
        ret = gnutls_set_default_priority(c->ssl_state.gnutls_session);
-       if (ret < 0) {
+       if (ret != 0) {
                Log(LOG_ERR, "Failed to set GnuTLS default priority: %s",
                    gnutls_strerror(ret));
                ConnSSL_Free(c);
@@ -475,17 +502,20 @@ ConnSSL_Init_SSL(CONNECTION *c)
         * There doesn't seem to be an alternate GNUTLS API we could use instead, see e.g.
         * http://www.mail-archive.com/help-gnutls@gnu.org/msg00286.html
         */
-       gnutls_transport_set_ptr(c->ssl_state.gnutls_session, (gnutls_transport_ptr_t) (long) c->sock);
-       gnutls_certificate_server_set_request(c->ssl_state.gnutls_session, GNUTLS_CERT_REQUEST);
-       ret = gnutls_credentials_set(c->ssl_state.gnutls_session, GNUTLS_CRD_CERTIFICATE, x509_cred);
-       if (ret < 0) {
-               Log(LOG_ERR, "Failed to set SSL credentials: %s", gnutls_strerror(ret));
+       gnutls_transport_set_ptr(c->ssl_state.gnutls_session,
+                                (gnutls_transport_ptr_t) (long) c->sock);
+       gnutls_certificate_server_set_request(c->ssl_state.gnutls_session,
+                                             GNUTLS_CERT_REQUEST);
+       ret = gnutls_credentials_set(c->ssl_state.gnutls_session,
+                                    GNUTLS_CRD_CERTIFICATE, x509_cred);
+       if (ret != 0) {
+               Log(LOG_ERR, "Failed to set SSL credentials: %s",
+                   gnutls_strerror(ret));
                ConnSSL_Free(c);
                return false;
        }
        gnutls_dh_set_prime_bits(c->ssl_state.gnutls_session, DH_BITS_MIN);
 #endif
-       Conn_OPTION_ADD(c, CONN_SSL);
        return true;
 }
 
@@ -653,7 +683,6 @@ ConnSSL_Accept( CONNECTION *c )
                        return false;
                }
 #endif
-               LogDebug("Initializing SSL data ...");
                if (!ConnSSL_Init_SSL(c))
                        return -1;
        }