From 369f55063a3e083caadc387cec59f32f6d7eff4e Mon Sep 17 00:00:00 2001
From: Bram Matthys
Date: Sun, 13 Jul 2025 09:44:33 +0200
Subject: [PATCH] For bestpractices::trusted-cert add some crude heuristics so hubs and such are not (always) affected by this. We now check if there is any client port exposed (to non-localhost). So if you have a hub with no client ports or only at localhost then you won't get this bestpractices advice. And also fix compile error on OpenSSL < 1.1.0 (undeclared var, duh)
---
 src/conf.c | 12 +++++++++++-
 src/tls.c | 2 +-
 2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/src/conf.c b/src/conf.c
index 0be08aff1..eb2867de9 100644
--- a/src/conf.c
+++ b/src/conf.c
@@ -255,6 +255,7 @@ int need_operclass_permissions_upgrade = 0;
 int invalid_snomasks_encountered = 0;
 int have_tls_listeners = 0;
 char *port_6667_ip = NULL;
+int has_client_port = 0;
 long long central_spamfilter_last_download = 0;
@@ -1945,7 +1946,7 @@ void postconf(void)
 if (loop.rehashing)
 reinit_tls();
 #endif
- if (bestpractices.trusted_cert && !has_any_trusted_cert())
+ if (bestpractices.trusted_cert && has_client_port && !has_any_trusted_cert())
 {
 unreal_log(ULOG_INFO, "config", "BEST_PRACTICES_TRUSTED_CERT", NULL,
 "Your SSL/TLS certificate is not issued by a trusted Certificate Authority.\n"
@@ -2140,6 +2141,7 @@ int config_test(void)
 config_setdefaultsettings(&tempiConf);
 clicap_pre_rehash();
 log_pre_rehash();
+ has_client_port = 0;
 if (!config_loadmodules())
 {
@@ -5574,6 +5576,7 @@ int _test_listen(ConfigFile *conf, ConfigEntry *ce)
 ConfigEntry *cepp;
 int errors = 0;
 char has_file = 0, has_ip = 0, has_port = 0, has_options = 0, port_6667 = 0, has_spoof_ip = 0;
+ char clientport = 1;
 char *file = NULL;
 char *ip = NULL;
 Hook *h;
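Review bot: The new global `has_client_port` in the first conf.c hunk is declared without a comment, and because it is written in _test_listen() and read in postconf() a reader has to find both sites to learn what it means. I would document it at the declaration: `int has_client_port = 0; /* set by _test_listen() when a listen block accepts clients on a non-loopback ip; reset at the start of config_test() */`.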
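Review bot: The gate added to the postconf() condition only checks that some client port exists, not that any of them uses TLS, while the advice it guards is about the TLS certificate; a configuration whose client ports are all plaintext would still get the warning. The file already tracks `have_tls_listeners` (visible in the first hunk), so if that variable means what its name suggests, `has_client_port && have_tls_listeners` may be the intended gate — worth confirming against where it is set. postconf() begins and ends outside the hunk.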
@@ -5629,6 +5632,9 @@ int _test_listen(ConfigFile *conf, ConfigEntry *ce)
 has_options = 1;
 for (cepp = cep->items; cepp; cepp = cepp->next)
 {
+ if (!strcmp(cepp->name, "serversonly") ||
+ !strcmp(cepp->name, "rpc"))
+ clientport = 0;
 if (!nv_find_by_name(_ListenerFlags, cepp->name))
 {
 /* Check if a module knows about this listen::options::something */
@@ -5692,6 +5698,7 @@ int _test_listen(ConfigFile *conf, ConfigEntry *ce)
 if (!strcmp(cep->name, "file"))
 {
 has_file = 1;
+ clientport = 0;
 file = cep->value;
 }
 else if (!strcmp(cep->name, "spoof-ip"))
@@ -5837,6 +5844,9 @@ int _test_listen(ConfigFile *conf, ConfigEntry *ce)
 if (port_6667)
 safe_strdup(port_6667_ip, ip);
+ if (clientport && (!ip || (strcmp(ip, "127.0.0.1") && strcmp(ip, "::1"))))
+ has_client_port = 1;
+
 requiredstuff.conf_listen = 1;
 return errors;
 }
diff --git a/src/tls.c b/src/tls.c
index 57a219e69..73876240d 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -524,8 +524,8 @@ MODVAR EVP_MD *md5_function; /**< MD5 function for EVP_DigestInit_ex() call */
 */
 int is_trusted_cert(SSL_CTX *ctx)
 {
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
 int ok = 0;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
 X509 *cert = NULL;
 STACK_OF(X509) *chain = NULL;
 X509_STORE *store = NULL;
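Review bot: The loopback test in the last conf.c hunk matches only the exact strings "127.0.0.1" and "::1", so other loopback spellings ("127.0.0.2", "::ffff:127.0.0.1") are counted as exposed client ports; that errs toward showing the advice rather than hiding it, which is acceptable for a heuristic, but the intent should be stated next to the check rather than left to the commit message. Note also that `has_client_port` is set even when `errors` is non-zero for this block — harmless as long as a failed config_test() discards the result, which I cannot confirm from the hunk. I would add above the `if`: `/* Crude heuristic for bestpractices::trusted-cert: a client-capable listener on anything but the two exact loopback literals counts as exposed. */`.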
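Review bot: Hoisting `int ok = 0;` above the `#if` fixes the build on OpenSSL < 1.1.0, but if the older path then just falls through to returning `ok` (the rest of is_trusted_cert() is outside the hunk, so I cannot confirm), every certificate is reported untrusted on such builds and the bestpractices advice fires whenever a client port exists. If that is the intended behaviour, a comment on the declaration would make it explicit: `int ok = 0; /* stays 0 (untrusted) on OpenSSL < 1.1.0, where no chain check is done */`; if it is not, the `#else` side needs a different default.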