1
0
mirror of https://github.com/anope/anope.git synced 2026-07-06 19:23:15 +02:00

Merge pull request #113 from attilamolnar/2.0+openssl

m_ssl_openssl: SSL context option changes
This commit is contained in:
Adam
2015-03-12 17:53:52 -04:00
2 changed files with 26 additions and 0 deletions
+8
View File
@@ -622,6 +622,14 @@ module { name = "help" }
*/
cert = "data/anope.crt"
key = "data/anope.key"
/*
* As of 2014 SSL 3.0 is considered insecure, but it might be enabled
* on some systems by default for compatibility reasons.
* You can use the following option to enable or disable it explicitly.
* Leaving this option not set defaults to the default system behavior.
*/
#sslv3 = no
}
/*
+18
View File
@@ -103,6 +103,10 @@ class SSLModule : public Module
if (!client_ctx || !server_ctx)
throw ModuleException("Error initializing SSL CTX");
long opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_CIPHER_SERVER_PREFERENCE;
SSL_CTX_set_options(client_ctx, opts);
SSL_CTX_set_options(server_ctx, opts);
SSL_CTX_set_mode(client_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
SSL_CTX_set_mode(server_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
@@ -158,6 +162,20 @@ class SSLModule : public Module
Log() << "Unable to open private key " << this->keyfile;
}
// Allow disabling SSLv3
if (!config->Get<Anope::string>("sslv3").empty())
{
if (config->Get<bool>("sslv3"))
{
SSL_CTX_clear_options(client_ctx, SSL_OP_NO_SSLv3);
SSL_CTX_clear_options(server_ctx, SSL_OP_NO_SSLv3);
}
else
{
SSL_CTX_set_options(client_ctx, SSL_OP_NO_SSLv3);
SSL_CTX_set_options(server_ctx, SSL_OP_NO_SSLv3);
}
}
}
void OnPreServerConnect() anope_override