1
0
mirror of https://github.com/unrealircd/unrealircd.git synced 2026-07-08 06:03:12 +02:00

Remove ssl option 'no-self-signed'. Use 'verify-certificate' instead.

Nobody used this option and it only caused the following confusing
(and potentially insecure) behavior:
Previously if you had 'verify-certificate' enabled then the certificate
would be checked, BUT if it was a self-signed certificate (and thus
not passing verify-cert) it was STILL allowed unless you also
specified the 'no-self-signed' option. This might be correct as per
documentation but is way too confusing for the user.
Now you simply have to choose whether you verify the certificate or
not. No special handling for self-signed certificates.
This commit is contained in:
Bram Matthys
2017-09-01 08:55:01 +02:00
parent 08b621aa08
commit 6d7be72f2b
3 changed files with 2 additions and 12 deletions
+2 -3
View File
@@ -1224,10 +1224,9 @@ int stats_set(aClient *sptr, char *para)
sptr->name, SafePrint(iConf.ssl_options->key_file));
sendto_one(sptr, ":%s %i %s :ssl::trusted-ca-file: %s", me.name, RPL_TEXT,
sptr->name, SafePrint(iConf.ssl_options->trusted_ca_file));
sendto_one(sptr, ":%s %i %s :ssl::options: %s %s %s", me.name, RPL_TEXT, sptr->name,
sendto_one(sptr, ":%s %i %s :ssl::options: %s %s", me.name, RPL_TEXT, sptr->name,
iConf.ssl_options->options & SSLFLAG_FAILIFNOCERT ? "FAILIFNOCERT" : "",
iConf.ssl_options->options & SSLFLAG_VERIFYCERT ? "VERIFYCERT" : "",
iConf.ssl_options->options & SSLFLAG_DONOTACCEPTSELFSIGNED ? "DONOTACCEPTSELFSIGNED" : "");
iConf.ssl_options->options & SSLFLAG_VERIFYCERT ? "VERIFYCERT" : "");
sendto_one(sptr, ":%s %i %s :options::show-opermotd: %d", me.name, RPL_TEXT,
sptr->name, SHOWOPERMOTD);
-4
View File
@@ -209,7 +209,6 @@ static NameValue ExceptTklFlags[] = {
static NameValue _SSLFlags[] = {
{ SSLFLAG_FAILIFNOCERT, "fail-if-no-clientcert" },
{ SSLFLAG_DISABLECLIENTCERT, "no-client-certificate" },
{ SSLFLAG_DONOTACCEPTSELFSIGNED, "no-self-signed" },
{ SSLFLAG_NOSTARTTLS, "no-starttls" },
{ SSLFLAG_VERIFYCERT, "verify-certificate" },
};
@@ -7391,9 +7390,6 @@ void conf_sslblock(ConfigFile *conf, ConfigEntry *cep, SSLOptions *ssloptions)
if (ofl) /* this should always be true */
ssloptions->options |= ofl->flag;
}
if (ssloptions->options & SSLFLAG_DONOTACCEPTSELFSIGNED)
if (!(ssloptions->options & SSLFLAG_VERIFYCERT))
ssloptions->options |= SSLFLAG_VERIFYCERT;
}
else if (!strcmp(cepp->ce_varname, "sts-policy"))
{
-5
View File
@@ -180,11 +180,6 @@ static int ssl_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
return 1;
if (iConf.ssl_options->options & SSLFLAG_VERIFYCERT)
{
if (verify_err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)
if (!(iConf.ssl_options->options & SSLFLAG_DONOTACCEPTSELFSIGNED))
{
return 1;
}
return preverify_ok;
}
else