Change cipher defaults

Switch cipher defaults to HIGH:!aNULL:@STRENGTH (OpenSSL) or
SECURE128 (GnuTLS).

diff --git a/INSTALL b/INSTALL
index de60feb8c45549b8da99a1932c7e5bc55d944dd5..eec2b37f6c9c7cfbf21963bcf9f7b2d65d3f5bf7 100644 (file)
--- a/INSTALL
+++ b/INSTALL
@@ -12,11 +12,18 @@
 I. Upgrade Information
 ~~~~~~~~~~~~~~~~~~~~~~
 
 I. Upgrade Information
 ~~~~~~~~~~~~~~~~~~~~~~
 

+Differences to previous version 
+
+- Starting with ngIRCd 21, the ciphers used by SSL are configurable and
+  default to HIGH:!aNULL:@STRENGTH (OpenSSL) or SECURE128 (GnuTLS).
+  Previous version were using the OpenSSL or GnuTLS defaults, DEFAULT
+  and NORMAL respectively.
+

 Differences to version 19.x
 
 - Starting with ngIRCd 20, users can "cloak" their hostname only when the
   configuration variable "CloakHostModeX" (introduced in 19.2) is set.
 Differences to version 19.x
 
 - Starting with ngIRCd 20, users can "cloak" their hostname only when the
   configuration variable "CloakHostModeX" (introduced in 19.2) is set.

-  Otherwise, only IRC opertators, other servers, and services are allowed to
+  Otherwise, only IRC operators, other servers, and services are allowed to

   set mode +x. This prevents regular users from changing their hostmask to
   the name of the IRC server itself, which confused quite a few people ;-)
 
   set mode +x. This prevents regular users from changing their hostmask to
   the name of the IRC server itself, which confused quite a few people ;-)
 

diff --git a/doc/sample-ngircd.conf.tmpl b/doc/sample-ngircd.conf.tmpl
index 1bdf01ee4f2b7309ec864ea75a389694b368e352..65da36016c7f44016fa6e0d18b6aaf0b3270c2e5 100644 (file)
--- a/doc/sample-ngircd.conf.tmpl
+++ b/doc/sample-ngircd.conf.tmpl
@@ -249,11 +249,9 @@
        ;CertFile = :ETCDIR:/ssl/server-cert.pem
 
        # Select cipher suites allowed for SSL/TLS connections. This defaults
        ;CertFile = :ETCDIR:/ssl/server-cert.pem
 
        # Select cipher suites allowed for SSL/TLS connections. This defaults

-       # to the empty string, so all supported ciphers are allowed. Please
-       # see 'man 1ssl ciphers' (OpenSSL) and 'man 3 gnutls_priority_init'
+       # to HIGH:!aNULL:@STRENGTH (OpenSSL) or SECURE128 (GnuTLS).
+       # See 'man 1ssl ciphers' (OpenSSL) or 'man 3 gnutls_priority_init'

        # (GnuTLS) for details.
        # (GnuTLS) for details.

-       # For example, this setting allows only "high strength" cipher suites,
-       # disables the ones without authentication, and sorts by strength:

        # For OpenSSL:
        ;CipherList = HIGH:!aNULL:@STRENGTH
        # For GnuTLS:
        # For OpenSSL:
        ;CipherList = HIGH:!aNULL:@STRENGTH
        # For GnuTLS:

diff --git a/man/ngircd.conf.5.tmpl b/man/ngircd.conf.5.tmpl
index 862c142403327a0560161e586ec6de8fe854e22a..b69649ea7a658878f87ceefd5f4edcacb68e3721 100644 (file)
--- a/man/ngircd.conf.5.tmpl
+++ b/man/ngircd.conf.5.tmpl
@@ -367,13 +367,10 @@ when it is compiled with support for SSL using OpenSSL or GnuTLS!
 SSL Certificate file of the private server key.
 .TP
 \fBCipherList\fR (string)
 SSL Certificate file of the private server key.
 .TP
 \fBCipherList\fR (string)

-Select cipher suites allowed for SSL/TLS connections. This defaults to the
-empty string, so all supported ciphers are allowed.
+Select cipher suites allowed for SSL/TLS connections.  This defaults to
+"HIGH:!aNULL:@STRENGTH" (OpenSSL) or "SECURE128" (GnuTLS).

 Please see 'man 1ssl ciphers' (OpenSSL) and 'man 3 gnutls_priority_init'
 (GnuTLS) for details.
 Please see 'man 1ssl ciphers' (OpenSSL) and 'man 3 gnutls_priority_init'
 (GnuTLS) for details.

-For example, this setting allows only "high strength" cipher suites, disables
-the ones without authentication, and sorts by strength:
-"HIGH:!aNULL:@STRENGTH" (OpenSSL), "SECURE128" (GnuTLS).

 .TP
 \fBDHFile\fR (string)
 Name of the Diffie-Hellman Parameter file. Can be created with GnuTLS
 .TP
 \fBDHFile\fR (string)
 Name of the Diffie-Hellman Parameter file. Can be created with GnuTLS

diff --git a/src/ngircd/conf.c b/src/ngircd/conf.c
index 9ab66e54cf194b3c7afe68c90104d62e309e8ae1..9c2c912f1d126ee2282653c7ad85d9b2e9f1f91c 100644 (file)
--- a/src/ngircd/conf.c
+++ b/src/ngircd/conf.c
@@ -93,6 +93,12 @@ static void Init_Server_Struct PARAMS(( CONF_SERVER *Server ));
 #define DEFAULT_LISTEN_ADDRSTR "0.0.0.0"
 #endif
 
 #define DEFAULT_LISTEN_ADDRSTR "0.0.0.0"
 #endif
 

+#ifdef HAVE_LIBSSL
+#define DEFAULT_CIPHERS                "HIGH:!aNULL:@STRENGTH"
+#endif
+#ifdef HAVE_LIBGNUTLS
+#define DEFAULT_CIPHERS                "SECURE128"
+#endif

 
 #ifdef SSL_SUPPORT
 
 
 #ifdef SSL_SUPPORT
 


@@ -435,8 +441,8 @@ Conf_Test( void )
        puts("[SSL]");
        printf("  CertFile = %s\n", Conf_SSLOptions.CertFile
                                        ? Conf_SSLOptions.CertFile : "");
        puts("[SSL]");
        printf("  CertFile = %s\n", Conf_SSLOptions.CertFile
                                        ? Conf_SSLOptions.CertFile : "");

-       printf("  CipherList = %s\n", Conf_SSLOptions.CipherList
-                                       ? Conf_SSLOptions.CipherList : "");
+       printf("  CipherList = %s\n", Conf_SSLOptions.CipherList ?
+              Conf_SSLOptions.CipherList : DEFAULT_CIPHERS);

        printf("  DHFile = %s\n", Conf_SSLOptions.DHFile
                                        ? Conf_SSLOptions.DHFile : "");
        printf("  KeyFile = %s\n", Conf_SSLOptions.KeyFile
        printf("  DHFile = %s\n", Conf_SSLOptions.DHFile
                                        ? Conf_SSLOptions.DHFile : "");
        printf("  KeyFile = %s\n", Conf_SSLOptions.KeyFile


@@ -1032,6 +1038,10 @@ Read_Config(bool TestOnly, bool IsStarting)
        CheckFileReadable("CertFile", Conf_SSLOptions.CertFile);
        CheckFileReadable("DHFile", Conf_SSLOptions.DHFile);
        CheckFileReadable("KeyFile", Conf_SSLOptions.KeyFile);
        CheckFileReadable("CertFile", Conf_SSLOptions.CertFile);
        CheckFileReadable("DHFile", Conf_SSLOptions.DHFile);
        CheckFileReadable("KeyFile", Conf_SSLOptions.KeyFile);

+
+       /* Set the default ciphers if none were configured */
+       if (!Conf_SSLOptions.CipherList)
+               Conf_SSLOptions.CipherList = strdup_warn(DEFAULT_CIPHERS);

 #endif
 
        return true;
 #endif
 
        return true;

diff --git a/src/ngircd/conn-ssl.c b/src/ngircd/conn-ssl.c
index b16c6b94e35299a54091ae9bb60dba9e1880c174..a24a62dac7254daf339a3d5191753470a0bf6c11 100644 (file)
--- a/src/ngircd/conn-ssl.c
+++ b/src/ngircd/conn-ssl.c
@@ -306,17 +306,10 @@ ConnSSL_InitLibrary( void )
        if (!ConnSSL_LoadServerKey_openssl(newctx))
                goto out;
 
        if (!ConnSSL_LoadServerKey_openssl(newctx))
                goto out;
 

-       if(Conf_SSLOptions.CipherList && *Conf_SSLOptions.CipherList) {
-               if(SSL_CTX_set_cipher_list(newctx, Conf_SSLOptions.CipherList) == 0 ) {
-                       Log(LOG_ERR,
-                           "Failed to apply OpenSSL cipher list \"%s\"!",
-                           Conf_SSLOptions.CipherList);
-                       goto out;
-               } else {
-                       Log(LOG_INFO,
-                           "Successfully applied OpenSSL cipher list \"%s\".",
-                           Conf_SSLOptions.CipherList);
-               }
+       if (SSL_CTX_set_cipher_list(newctx, Conf_SSLOptions.CipherList) == 0) {
+               Log(LOG_ERR, "Failed to apply OpenSSL cipher list \"%s\"!",
+                   Conf_SSLOptions.CipherList);
+               goto out;

        }
 
        SSL_CTX_set_options(newctx, SSL_OP_SINGLE_DH_USE|SSL_OP_NO_SSLv2);
        }
 
        SSL_CTX_set_options(newctx, SSL_OP_SINGLE_DH_USE|SSL_OP_NO_SSLv2);


@@ -352,25 +345,12 @@ out:
        if (!ConnSSL_LoadServerKey_gnutls())
                goto out;
 
        if (!ConnSSL_LoadServerKey_gnutls())
                goto out;
 

-       if(Conf_SSLOptions.CipherList && *Conf_SSLOptions.CipherList) {
-               err = gnutls_priority_init(&priorities_cache,
-                                          Conf_SSLOptions.CipherList, NULL);
-               if (err != GNUTLS_E_SUCCESS) {
-                       Log(LOG_ERR,
-                           "Failed to apply GnuTLS cipher list \"%s\"!",
-                           Conf_SSLOptions.CipherList);
-                       goto out;
-               }
-               Log(LOG_INFO,
-                   "Successfully applied GnuTLS cipher list \"%s\".",
+       if (gnutls_priority_init(&priorities_cache, Conf_SSLOptions.CipherList,
+                                NULL) != GNUTLS_E_SUCCESS) {
+               Log(LOG_ERR,
+                   "Failed to apply GnuTLS cipher list \"%s\"!",

                    Conf_SSLOptions.CipherList);
                    Conf_SSLOptions.CipherList);

-       } else {
-               err = gnutls_priority_init(&priorities_cache, "NORMAL", NULL);
-               if (err != GNUTLS_E_SUCCESS) {
-                       Log(LOG_ERR,
-                           "Failed to apply GnuTLS cipher list \"NORMAL\"!");
-                       goto out;
-               }
+               goto out;

        }
 
        Log(LOG_INFO, "GnuTLS %s initialized.", gnutls_check_version(NULL));
        }
 
        Log(LOG_INFO, "GnuTLS %s initialized.", gnutls_check_version(NULL));


@@ -505,7 +485,7 @@ ConnSSL_Init_SSL(CONNECTION *c)
 #ifdef HAVE_LIBGNUTLS
        Conn_OPTION_ADD(c, CONN_SSL);
        ret = gnutls_priority_set(c->ssl_state.gnutls_session, priorities_cache);
 #ifdef HAVE_LIBGNUTLS
        Conn_OPTION_ADD(c, CONN_SSL);
        ret = gnutls_priority_set(c->ssl_state.gnutls_session, priorities_cache);

-       if (ret != 0) {
+       if (ret != GNUTLS_E_SUCCESS) {

                Log(LOG_ERR, "Failed to set GnuTLS session priorities: %s",
                    gnutls_strerror(ret));
                ConnSSL_Free(c);
                Log(LOG_ERR, "Failed to set GnuTLS session priorities: %s",
                    gnutls_strerror(ret));
                ConnSSL_Free(c);