From 74538e77d46037df1f360ca22b07b9d26bfc6f82 Mon Sep 17 00:00:00 2001 From: Bram Matthys Date: Wed, 10 Sep 2025 16:43:22 +0200 Subject: [PATCH] Another best practices fix: this one is with listen-nontls-port. It could cause a spurious "Your config has NO errors, but you received some best practices tips above, in summary" even though no best practices were displayed... which was a bit mysterious. Also, ::listen-nontls-port was actually meant to be called ::listen-tls-only so accept both forms from now on. The reason it was supposed to be like that is that all best-practices options are... best practices... hashed passwords, trusted cert, trusted cert with valid hostname, listening on a nontls port... ? NOPE! listen-tls-only! Aaaaa. --- doc/RELEASE-NOTES.md | 2 +- include/dynconf.h | 13 +++++++++---- src/conf.c | 7 ++++--- 3 files changed, 14 insertions(+), 8 deletions(-) diff --git a/doc/RELEASE-NOTES.md b/doc/RELEASE-NOTES.md index 40f6d9133..2c4a63986 100644 --- a/doc/RELEASE-NOTES.md +++ b/doc/RELEASE-NOTES.md @@ -60,7 +60,7 @@ not been updated to work with 6.2.x) shows how to do a gradual rollout, with warnings and automatic upgrades from plaintext to TLS for IRC clients that support it. * This message can be turned off by setting - [set::best-practices::listen-nontls-port](https://www.unrealircd.org/docs/Set_block#set::best-practices) + [set::best-practices::listen-tls-only](https://www.unrealircd.org/docs/Set_block#set::best-practices) to `no`. But please, read the [Use TLS](https://www.unrealircd.org/docs/Use_TLS) article first. * You won't get this warning if set::plaintext-policy::user is `deny` diff --git a/include/dynconf.h b/include/dynconf.h index 5e2c6eda0..33313b68b 100644 --- a/include/dynconf.h +++ b/include/dynconf.h @@ -194,16 +194,21 @@ extern MODVAR Configuration iConf; extern MODVAR Configuration tempiConf; extern MODVAR int ipv6_disabled; +/** The best practices block. + * Note that the *_hits stuff is dynamically set and used for 'checks'. + * The rest is config... oh except for listen_nontls_port.. sigh. + */ typedef struct BestPractices BestPractices; struct BestPractices { int hashed_passwords; /**< Use hashed passwords */ - int hashed_passwords_hits; /**< How many times advice has been given (like 'warnings' but it is advice) */ + int hashed_passwords_hits; /**< - How many times advice has been given (like 'warnings' but it is advice) */ int trusted_cert; /**< Uses a SSL cert issued by a CA */ - int trusted_cert_hits; /**< .. how many times the above */ + int trusted_cert_hits; /**< - How many times advice has been given (like 'warnings' but it is advice) */ int trusted_cert_valid_hostname; /**< Uses a SSL cert issued by a CA that is valid for me::name */ - int trusted_cert_valid_hostname_hits; /**< .. how many times the above */ + int trusted_cert_valid_hostname_hits; /**< - How many times advice has been given (like 'warnings' but it is advice) */ int listen_tls_only; /**< listen { } blocks only with tls */ - int listen_nontls_port; /**< .. first non-tls port found */ + int listen_nontls_port; /**< first non-tls port found */ + int listen_nontls_port_hits; /**< - How many times advice has been given (like 'warnings' but it is advice) */ }; extern MODVAR BestPractices bestpractices; diff --git a/src/conf.c b/src/conf.c index 2b4a1e49f..bae4a59c6 100644 --- a/src/conf.c +++ b/src/conf.c @@ -1984,6 +1984,7 @@ void postconf(void) "Nowadays, everyone should be using SSL/TLS (on port 6697). " "See https://www.unrealircd.org/docs/Use_TLS.", log_data_integer("port", bestpractices.listen_nontls_port)); + bestpractices.listen_nontls_port_hits++; } } @@ -2265,7 +2266,7 @@ int config_test(void) if (bestpractices.hashed_passwords_hits || bestpractices.trusted_cert_hits || bestpractices.trusted_cert_valid_hostname_hits || - bestpractices.listen_nontls_port) + bestpractices.listen_nontls_port_hits) { unreal_log(ULOG_INFO, "config", "BEST_PRACTICES", NULL, "Your config has NO errors, but you received some best practices tips above, in summary:"); @@ -9791,9 +9792,9 @@ int _test_set(ConfigFile *conf, ConfigEntry *ce) { bestpractices.trusted_cert_valid_hostname = config_checkval(cepp->value, CFG_YESNO); } else - if (!strcmp(cepp->name, "listen-nontls-port")) + if (!strcmp(cepp->name, "listen-nontls-port") || !strcmp(cepp->name, "listen-tls-only")) { - bestpractices.listen_nontls_port = config_checkval(cepp->value, CFG_YESNO); + bestpractices.listen_tls_only = config_checkval(cepp->value, CFG_YESNO); } else { config_error_unknown(cepp->file->filename,