From 7b092f7aeb441d3abdc38aa7449cfa803f30410a Mon Sep 17 00:00:00 2001 From: Bram Matthys Date: Mon, 19 Jun 2017 16:28:50 +0200 Subject: [PATCH] Verify certificate when submitting bug report. --- include/config.h | 5 +++++ src/crashreport.c | 20 ++++++++++++++++++++ src/s_conf.c | 2 +- 3 files changed, 26 insertions(+), 1 deletion(-) diff --git a/include/config.h b/include/config.h index d4b27f01d..240ac0800 100644 --- a/include/config.h +++ b/include/config.h @@ -434,6 +434,11 @@ */ #undef EXPERIMENTAL +/* Default SSL/TLS cipherlist. + * This can be changed via set::ssl::options::ciphers in the config file. + */ +#define UNREALIRCD_DEFAULT_CIPHERS "EECDH+CHACHA20 EECDH+AESGCM EECDH+AES AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA" + /* ------------------------- END CONFIGURATION SECTION -------------------- */ #define MOTD MPATH #define RULES RPATH diff --git a/src/crashreport.c b/src/crashreport.c index f8dfc0840..65bd14f4d 100644 --- a/src/crashreport.c +++ b/src/crashreport.c @@ -448,6 +448,8 @@ int getfilesize(char *fname) SSL_CTX *crashreport_init_ssl(void) { SSL_CTX *ctx_client; + X509_VERIFY_PARAM *param = NULL; + char buf[512]; SSL_load_error_strings(); SSLeay_add_ssl_algorithms(); @@ -457,6 +459,24 @@ SSL_CTX *crashreport_init_ssl(void) return NULL; SSL_CTX_set_options(ctx_client, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3); + /* Verify peer certificate */ + snprintf(buf, sizeof(buf), "%s/ssl/curl-ca-bundle.crt", CONFDIR); + SSL_CTX_load_verify_locations(ctx_client, buf, NULL); + SSL_CTX_set_verify(ctx_client, SSL_VERIFY_PEER, NULL); + +#if OPENSSL_VERSION_NUMBER > 0x1000200f + /* Enable hostname checks. This is only in OpenSSL 1.0.2+ */ + param = SSL_CTX_get0_param(ctx_client); + X509_VERIFY_PARAM_set1_host(param, CRASH_REPORT_HOST, 0); +#ifdef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS + /* This one requires even a newer version */ + X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); +#endif +#endif + + /* Limit ciphers as well */ + SSL_CTX_set_cipher_list(ctx_client, UNREALIRCD_DEFAULT_CIPHERS); + return ctx_client; } diff --git a/src/s_conf.c b/src/s_conf.c index bce34e93c..8404ed9eb 100644 --- a/src/s_conf.c +++ b/src/s_conf.c @@ -1473,7 +1473,7 @@ void config_setdefaultsettings(aConfiguration *i) i->ssl_options->key_file = strdup(tmp); snprintf(tmp, sizeof(tmp), "%s/ssl/curl-ca-bundle.crt", CONFDIR); i->ssl_options->trusted_ca_file = strdup(tmp); - i->ssl_options->ciphers = strdup("EECDH+CHACHA20 EECDH+AESGCM EECDH+AES AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA"); + i->ssl_options->ciphers = strdup(UNREALIRCD_DEFAULT_CIPHERS); i->ssl_options->protocols = SSL_PROTOCOL_ALL; }