
We now refuse to enable SSL/TLS with weak ciphers: DES, 3DES, RC4.

This commit is contained in:
Bram Matthys
2017-09-06 08:21:14 +02:00
parent 959195e7d7
commit 08bc61ec00
2 changed files with 58 additions and 1 deletions
+1
@@ -794,3 +794,4 @@ extern char *plaintextpolicy_valtostr(PlaintextPolicy policy);
extern char plaintextpolicy_valtochar(PlaintextPolicy policy);
extern int verify_certificate(SSL *ssl, char *hostname, char **errstr);
extern char *certificate_name(SSL *ssl);
extern int cipher_check(SSL_CTX *ctx, char **errstr);
+57 -1
@@ -284,6 +284,7 @@ void disable_ssl_protocols(SSL_CTX *ctx, SSLOptions *ssloptions)
SSL_CTX *init_ctx(SSLOptions *ssloptions, int server)
{
SSL_CTX *ctx;
char *errstr = NULL;
if (server)
ctx = SSL_CTX_new(SSLv23_server_method());
@@ -355,7 +356,15 @@ SSL_CTX *init_ctx(SSLOptions *ssloptions, int server)
if (SSL_CTX_set_cipher_list(ctx, ssloptions->ciphers) == 0)
{
config_warn("Failed to set SSL cipher list for clients");
config_warn("Failed to set SSL cipher list");
config_report_ssl_error();
goto fail;
}
if (!cipher_check(ctx, &errstr))
{
config_warn("There is a problem with your SSL/TLS 'ciphers' configuration setting: %s", errstr);
config_warn("Remove the ciphers setting from your configuration file to use safer defaults, or change the cipher setting.");
config_report_ssl_error();
goto fail;
}
@@ -963,3 +972,50 @@ char *certificate_name(SSL *ssl)
return NULL;
}
}
/** Check if any weak ciphers are in use */
int cipher_check(SSL_CTX *ctx, char **errstr)
{
SSL *ssl;
char errbuf[256];
int i;
const char *cipher;
*errbuf = '\0'; // safety
if (errstr)
*errstr = errbuf;
/* there isn't an SSL_CTX_get_cipher_list() unfortunately. */
ssl = SSL_new(ctx);
if (!ssl)
{
snprintf(errbuf, sizeof(errbuf), "Could not create SSL structure");
return 0;
}
/* Very weak */
i = 0;
while ((cipher = SSL_get_cipher_list(ssl, i++)))
{
if (strstr(cipher, "DES-"))
{
snprintf(errbuf, sizeof(errbuf), "DES is enabled but is a weak cipher");
return 0;
}
if (strstr(cipher, "3DES-"))
{
snprintf(errbuf, sizeof(errbuf), "3DES is enabled but is a weak cipher");
return 0;
}
if (strstr(cipher, "RC4-"))
{
snprintf(errbuf, sizeof(errbuf), "RC4 is enabled but is a weak cipher");
return 0;
}
}
SSL_free(ssl);
return 1;
}
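Review bot: `errbuf` in cipher_check is an automatic array, yet `*errstr = errbuf` hands its address to the caller, and init_ctx then reads it after the call has returned (`config_warn("... %s", errstr)` in the second hunk) — that is a dangling pointer to a dead stack frame; `static char errbuf[256];` fixes it since the buffer only needs to outlive one call. The three weak-cipher early returns also leave the `SSL` object from `SSL_new` unfreed, because `SSL_free(ssl)` is only reached on the success path. Finally, `strstr(cipher, "DES-")` is tested before `"3DES-"` and matches any name containing it, so the 3DES branch appears unreachable as written; checking the longer substring first, and collecting the verdict so that `SSL_free` runs on every path, addresses all three points in one rewrite of the loop.
```c
	static char errbuf[256]; /* must outlive this call: init_ctx reads *errstr after we return */
	const char *problem = NULL;
	// … unchanged: errbuf/errstr setup, SSL_new and its error path …
	i = 0;
	while (!problem && (cipher = SSL_get_cipher_list(ssl, i++)))
	{
		if (strstr(cipher, "3DES-")) /* before "DES-", which is a substring of it */
			problem = "3DES is enabled but is a weak cipher";
		else if (strstr(cipher, "DES-"))
			problem = "DES is enabled but is a weak cipher";
		else if (strstr(cipher, "RC4-"))
			problem = "RC4 is enabled but is a weak cipher";
	}
	SSL_free(ssl); /* released on every path, not only on success */
	if (problem)
	{
		snprintf(errbuf, sizeof(errbuf), "%s", problem);
		return 0;
	}
	return 1;
```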