From 6d7be72f2bd224eceebcfb919db7d44c2526d8e0 Mon Sep 17 00:00:00 2001 From: Bram Matthys Date: Fri, 1 Sep 2017 08:55:01 +0200 Subject: [PATCH] Remove ssl option 'no-self-signed'. Use 'verify-certificate' instead. Nobody used this option and it only caused the following confusing (and potentially insecure) behavior: Previously if you had 'verify-certificate' enabled then the certificate would be checked, BUT if it was a self-signed certificate (and thus not passing verify-cert) it was STILL allowed unless you also specified the 'no-self-signed' option. This might be correct as per documentation but is way too confusing for the user. Now you simply have to choose whether you verify the certificate or not. No special handling for self-signed certificates. --- src/modules/m_stats.c | 5 ++--- src/s_conf.c | 4 ---- src/ssl.c | 5 ----- 3 files changed, 2 insertions(+), 12 deletions(-) diff --git a/src/modules/m_stats.c b/src/modules/m_stats.c index 0bf26673c..bb56fdfe9 100644 --- a/src/modules/m_stats.c +++ b/src/modules/m_stats.c @@ -1224,10 +1224,9 @@ int stats_set(aClient *sptr, char *para) sptr->name, SafePrint(iConf.ssl_options->key_file)); sendto_one(sptr, ":%s %i %s :ssl::trusted-ca-file: %s", me.name, RPL_TEXT, sptr->name, SafePrint(iConf.ssl_options->trusted_ca_file)); - sendto_one(sptr, ":%s %i %s :ssl::options: %s %s %s", me.name, RPL_TEXT, sptr->name, + sendto_one(sptr, ":%s %i %s :ssl::options: %s %s", me.name, RPL_TEXT, sptr->name, iConf.ssl_options->options & SSLFLAG_FAILIFNOCERT ? "FAILIFNOCERT" : "", - iConf.ssl_options->options & SSLFLAG_VERIFYCERT ? "VERIFYCERT" : "", - iConf.ssl_options->options & SSLFLAG_DONOTACCEPTSELFSIGNED ? "DONOTACCEPTSELFSIGNED" : ""); + iConf.ssl_options->options & SSLFLAG_VERIFYCERT ? "VERIFYCERT" : ""); sendto_one(sptr, ":%s %i %s :options::show-opermotd: %d", me.name, RPL_TEXT, sptr->name, SHOWOPERMOTD); diff --git a/src/s_conf.c b/src/s_conf.c index ec40a1f96..31448eea5 100644 --- a/src/s_conf.c +++ b/src/s_conf.c @@ -209,7 +209,6 @@ static NameValue ExceptTklFlags[] = { static NameValue _SSLFlags[] = { { SSLFLAG_FAILIFNOCERT, "fail-if-no-clientcert" }, { SSLFLAG_DISABLECLIENTCERT, "no-client-certificate" }, - { SSLFLAG_DONOTACCEPTSELFSIGNED, "no-self-signed" }, { SSLFLAG_NOSTARTTLS, "no-starttls" }, { SSLFLAG_VERIFYCERT, "verify-certificate" }, }; @@ -7391,9 +7390,6 @@ void conf_sslblock(ConfigFile *conf, ConfigEntry *cep, SSLOptions *ssloptions) if (ofl) /* this should always be true */ ssloptions->options |= ofl->flag; } - if (ssloptions->options & SSLFLAG_DONOTACCEPTSELFSIGNED) - if (!(ssloptions->options & SSLFLAG_VERIFYCERT)) - ssloptions->options |= SSLFLAG_VERIFYCERT; } else if (!strcmp(cepp->ce_varname, "sts-policy")) { diff --git a/src/ssl.c b/src/ssl.c index 098983870..9cc2c23c4 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -180,11 +180,6 @@ static int ssl_verify_callback(int preverify_ok, X509_STORE_CTX *ctx) return 1; if (iConf.ssl_options->options & SSLFLAG_VERIFYCERT) { - if (verify_err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) - if (!(iConf.ssl_options->options & SSLFLAG_DONOTACCEPTSELFSIGNED)) - { - return 1; - } return preverify_ok; } else