diff --git a/autoconf/m4/unreal.m4 b/autoconf/m4/unreal.m4
index 076470482..36b27c7e9 100644
--- a/autoconf/m4/unreal.m4
+++ b/autoconf/m4/unreal.m4
@@ -192,14 +192,34 @@ SAVE_LIBS="$LIBS"
 LIBS="$LIBS $CRYPTOLIB"
 AC_TRY_LINK([#include ],
 [SSL_CTX *ctx = NULL; SSL_CTX_set1_curves_list(ctx, "test");],
- has_curves=1,
- has_curves=0)
+ has_function=1,
+ has_function=0)
 LIBS="$SAVE_LIBS"
 AC_LANG_POP(C)
-if test $has_curves = 1; then
+if test $has_function = 1; then
 AC_MSG_RESULT([yes])
 AC_DEFINE([HAS_SSL_CTX_SET1_CURVES_LIST], [], [Define if ssl library has SSL_CTX_set1_curves_list])
 else
 AC_MSG_RESULT([no])
 fi
 ])
+
+AC_DEFUN([CHECK_SSL_CTX_SET_MIN_PROTO_VERSION],
+[
+AC_MSG_CHECKING([for SSL_CTX_set_min_proto_version in SSL library])
+AC_LANG_PUSH(C)
+SAVE_LIBS="$LIBS"
+LIBS="$LIBS $CRYPTOLIB"
+AC_TRY_LINK([#include ],
+ [SSL_CTX *ctx = NULL; SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);],
+ has_function=1,
+ has_function=0)
+LIBS="$SAVE_LIBS"
+AC_LANG_POP(C)
+if test $has_function = 1; then
+ AC_MSG_RESULT([yes])
+ AC_DEFINE([HAS_SSL_CTX_SET_MIN_PROTO_VERSION], [], [Define if ssl library has SSL_CTX_set_min_proto_version])
+else
+ AC_MSG_RESULT([no])
+fi
+])
diff --git a/configure b/configure
index a39e6de75..8e02749e3 100755
--- a/configure
+++ b/configure
@@ -8582,9 +8582,9 @@ SSL_CTX *ctx = NULL; SSL_CTX_set1_curves_list(ctx, "test"); } _ACEOF if ac_fn_c_try_link "$LINENO"; then : - has_curves=1 + has_function=1 else - has_curves=0 + has_function=0 fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext
@@ -8595,7 +8595,7 @@ ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu -if test $has_curves = 1; then +if test $has_function = 1; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; }
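Review bot: The new CHECK_SSL_CTX_SET_MIN_PROTO_VERSION macro is built on AC_TRY_LINK, which autoconf has marked obsolete in favour of AC_LINK_IFELSE; the probe would read `AC_LINK_IFELSE([AC_LANG_PROGRAM([[<same include as the existing check>]], [[SSL_CTX *ctx = NULL; SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);]])], [has_function=1], [has_function=0])`. The curves-list check earlier in the same hunk has the same shape, so the two are best converted together rather than one at a time. The include inside the probe is not legible on this page, so I am assuming it is the same header the neighbouring check uses.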
@@ -8606,6 +8606,53 @@ else $as_echo "no" >&6; } fi + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL_CTX_set_min_proto_version in SSL library" >&5 +$as_echo_n "checking for SSL_CTX_set_min_proto_version in SSL library... " >&6; } +ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu + +SAVE_LIBS="$LIBS" +LIBS="$LIBS $CRYPTOLIB" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include +int +main () +{ +SSL_CTX *ctx = NULL; SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + has_function=1 +else + has_function=0 +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS="$SAVE_LIBS" +ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu + +if test $has_function = 1; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +$as_echo "#define HAS_SSL_CTX_SET_MIN_PROTO_VERSION /**/" >>confdefs.h + +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + # Check whether --enable-dynamic-linking was given. if test "${enable_dynamic_linking+set}" = set; then : enableval=$enable_dynamic_linking; enable_dynamic_linking=$enableval diff --git a/configure.ac b/configure.ac index 5c7755ef5..42d9c6e05 100644 --- a/configure.ac +++ b/configure.ac 
@@ -699,6 +699,7 @@ AC_ARG_WITH(system-argon2, [AS_HELP_STRING([--without-system-argon2], [Use bundl
 AC_ARG_WITH(system-cares, [AS_HELP_STRING([--without-system-cares], [Use bundled version instead of system c-ares. Normally autodetected via pkg-config.])], [], [with_system_cares=yes])
 CHECK_SSL
 CHECK_SSL_CTX_SET1_CURVES_LIST
+CHECK_SSL_CTX_SET_MIN_PROTO_VERSION
 AC_ARG_ENABLE(dynamic-linking, [AS_HELP_STRING([--disable-dynamic-linking], [Make the IRCd statically link with shared objects rather than dynamically (noone knows if disabling dynamic linking actually does anything or not)])], [enable_dynamic_linking=$enableval], [enable_dynamic_linking="yes"])
 AS_IF([test $enable_dynamic_linking = "yes"],
diff --git a/include/setup.h.in b/include/setup.h.in
index 68c8aefda..73104c792 100644
--- a/include/setup.h.in
+++ b/include/setup.h.in
@@ -43,6 +43,9 @@ /* Define if ssl library has SSL_CTX_set1_curves_list */
 #undef HAS_SSL_CTX_SET1_CURVES_LIST
+/* Define if ssl library has SSL_CTX_set_min_proto_version */
+#undef HAS_SSL_CTX_SET_MIN_PROTO_VERSION
+
 /* Define to 1 if you have the `bcmp' function. */
 #undef HAVE_BCMP
diff --git a/src/ssl.c b/src/ssl.c
index a170bdb24..6449feb93 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -257,6 +257,10 @@ static void setup_dh_params(SSL_CTX *ctx)
 /** Disable SSL/TLS protocols as set by config */
 void disable_ssl_protocols(SSL_CTX *ctx, SSLOptions *ssloptions)
 {
+#ifdef HAS_SSL_CTX_SET_MIN_PROTO_VERSION
+ /* First, we need a starting point... */
+ SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);
+#endif
 SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2); /* always disable SSLv2 */
 SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3); /* always disable SSLv3 */
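Review bot: The return value of SSL_CTX_set_min_proto_version on the added line in src/ssl.c is discarded; the call reports failure with 0, and if the floor is rejected the context silently keeps the library's default minimum rather than TLS 1.0, with nothing in the log to show that the hardening did not take effect. Check it and report the failure the way this file reports its other SSL_CTX setup errors, e.g. `if (!SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION))` followed by the file's usual error reporting. The comment `/* First, we need a starting point... */` says what rather than why; `/* Floor the protocol version at TLS 1.0 so the library default minimum cannot be lower than what the SSL_OP_NO_SSLv2/SSLv3 calls below already exclude */` would tell the next reader what the line is for. disable_ssl_protocols continues outside the hunk, so whether ssloptions later raises this floor is not visible here.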