1
0
mirror of https://github.com/unrealircd/unrealircd.git synced 2026-07-08 09:43:12 +02:00

Verify certificate when submitting bug report.

This commit is contained in:
Bram Matthys
2017-06-19 16:28:50 +02:00
parent 0c1f299b0b
commit 7b092f7aeb
3 changed files with 26 additions and 1 deletions
+5
View File
@@ -434,6 +434,11 @@
*/
#undef EXPERIMENTAL
/* Default SSL/TLS cipherlist.
* This can be changed via set::ssl::options::ciphers in the config file.
*/
#define UNREALIRCD_DEFAULT_CIPHERS "EECDH+CHACHA20 EECDH+AESGCM EECDH+AES AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA"
/* ------------------------- END CONFIGURATION SECTION -------------------- */
#define MOTD MPATH
#define RULES RPATH
+20
View File
@@ -448,6 +448,8 @@ int getfilesize(char *fname)
SSL_CTX *crashreport_init_ssl(void)
{
SSL_CTX *ctx_client;
X509_VERIFY_PARAM *param = NULL;
char buf[512];
SSL_load_error_strings();
SSLeay_add_ssl_algorithms();
@@ -457,6 +459,24 @@ SSL_CTX *crashreport_init_ssl(void)
return NULL;
SSL_CTX_set_options(ctx_client, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3);
/* Verify peer certificate */
snprintf(buf, sizeof(buf), "%s/ssl/curl-ca-bundle.crt", CONFDIR);
SSL_CTX_load_verify_locations(ctx_client, buf, NULL);
SSL_CTX_set_verify(ctx_client, SSL_VERIFY_PEER, NULL);
#if OPENSSL_VERSION_NUMBER > 0x1000200f
/* Enable hostname checks. This is only in OpenSSL 1.0.2+ */
param = SSL_CTX_get0_param(ctx_client);
X509_VERIFY_PARAM_set1_host(param, CRASH_REPORT_HOST, 0);
#ifdef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
/* This one requires even a newer version */
X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
#endif
#endif
/* Limit ciphers as well */
SSL_CTX_set_cipher_list(ctx_client, UNREALIRCD_DEFAULT_CIPHERS);
return ctx_client;
}
+1 -1
View File
@@ -1473,7 +1473,7 @@ void config_setdefaultsettings(aConfiguration *i)
i->ssl_options->key_file = strdup(tmp);
snprintf(tmp, sizeof(tmp), "%s/ssl/curl-ca-bundle.crt", CONFDIR);
i->ssl_options->trusted_ca_file = strdup(tmp);
i->ssl_options->ciphers = strdup("EECDH+CHACHA20 EECDH+AESGCM EECDH+AES AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA");
i->ssl_options->ciphers = strdup(UNREALIRCD_DEFAULT_CIPHERS);
i->ssl_options->protocols = SSL_PROTOCOL_ALL;
}