mirror of
https://github.com/unrealircd/unrealircd.git
synced 2026-07-08 06:03:12 +02:00
Remove ssl option 'no-self-signed'. Use 'verify-certificate' instead.
Nobody used this option and it only caused the following confusing (and potentially insecure) behavior: Previously if you had 'verify-certificate' enabled then the certificate would be checked, BUT if it was a self-signed certificate (and thus not passing verify-cert) it was STILL allowed unless you also specified the 'no-self-signed' option. This might be correct as per documentation but is way too confusing for the user. Now you simply have to choose whether you verify the certificate or not. No special handling for self-signed certificates.
This commit is contained in:
@@ -1224,10 +1224,9 @@ int stats_set(aClient *sptr, char *para)
|
||||
sptr->name, SafePrint(iConf.ssl_options->key_file));
|
||||
sendto_one(sptr, ":%s %i %s :ssl::trusted-ca-file: %s", me.name, RPL_TEXT,
|
||||
sptr->name, SafePrint(iConf.ssl_options->trusted_ca_file));
|
||||
sendto_one(sptr, ":%s %i %s :ssl::options: %s %s %s", me.name, RPL_TEXT, sptr->name,
|
||||
sendto_one(sptr, ":%s %i %s :ssl::options: %s %s", me.name, RPL_TEXT, sptr->name,
|
||||
iConf.ssl_options->options & SSLFLAG_FAILIFNOCERT ? "FAILIFNOCERT" : "",
|
||||
iConf.ssl_options->options & SSLFLAG_VERIFYCERT ? "VERIFYCERT" : "",
|
||||
iConf.ssl_options->options & SSLFLAG_DONOTACCEPTSELFSIGNED ? "DONOTACCEPTSELFSIGNED" : "");
|
||||
iConf.ssl_options->options & SSLFLAG_VERIFYCERT ? "VERIFYCERT" : "");
|
||||
|
||||
sendto_one(sptr, ":%s %i %s :options::show-opermotd: %d", me.name, RPL_TEXT,
|
||||
sptr->name, SHOWOPERMOTD);
|
||||
|
||||
@@ -209,7 +209,6 @@ static NameValue ExceptTklFlags[] = {
|
||||
static NameValue _SSLFlags[] = {
|
||||
{ SSLFLAG_FAILIFNOCERT, "fail-if-no-clientcert" },
|
||||
{ SSLFLAG_DISABLECLIENTCERT, "no-client-certificate" },
|
||||
{ SSLFLAG_DONOTACCEPTSELFSIGNED, "no-self-signed" },
|
||||
{ SSLFLAG_NOSTARTTLS, "no-starttls" },
|
||||
{ SSLFLAG_VERIFYCERT, "verify-certificate" },
|
||||
};
|
||||
@@ -7391,9 +7390,6 @@ void conf_sslblock(ConfigFile *conf, ConfigEntry *cep, SSLOptions *ssloptions)
|
||||
if (ofl) /* this should always be true */
|
||||
ssloptions->options |= ofl->flag;
|
||||
}
|
||||
if (ssloptions->options & SSLFLAG_DONOTACCEPTSELFSIGNED)
|
||||
if (!(ssloptions->options & SSLFLAG_VERIFYCERT))
|
||||
ssloptions->options |= SSLFLAG_VERIFYCERT;
|
||||
}
|
||||
else if (!strcmp(cepp->ce_varname, "sts-policy"))
|
||||
{
|
||||
|
||||
@@ -180,11 +180,6 @@ static int ssl_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
|
||||
return 1;
|
||||
if (iConf.ssl_options->options & SSLFLAG_VERIFYCERT)
|
||||
{
|
||||
if (verify_err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)
|
||||
if (!(iConf.ssl_options->options & SSLFLAG_DONOTACCEPTSELFSIGNED))
|
||||
{
|
||||
return 1;
|
||||
}
|
||||
return preverify_ok;
|
||||
}
|
||||
else
|
||||
|
||||
Reference in New Issue
Block a user