1
0
mirror of https://github.com/unrealircd/unrealircd.git synced 2026-07-10 14:23:13 +02:00

More ssl -> tls moves. Also recommend to use 'certfp' rather than

the longer 'sslcertfp' or 'tlscertfp', we already support this since
4.0 so... updated the documentation as well.
This commit is contained in:
Bram Matthys
2019-08-12 14:53:29 +02:00
parent 8ff6ad17ee
commit 7fa2b8be05
11 changed files with 121 additions and 113 deletions
+2 -2
View File
@@ -125,8 +125,8 @@ int certificate_verification_active(aClient *acptr)
if (conf->verify_certificate)
return 1; /* yes, verify-certificate is 'yes' */
if ((conf->auth->type == AUTHTYPE_SSL_CLIENTCERT) ||
(conf->auth->type == AUTHTYPE_SSL_CLIENTCERTFP) ||
if ((conf->auth->type == AUTHTYPE_TLS_CLIENTCERT) ||
(conf->auth->type == AUTHTYPE_TLS_CLIENTCERTFP) ||
(conf->auth->type == AUTHTYPE_SPKIFP))
{
/* yes, verified by link::password being a
+1 -1
View File
@@ -1429,7 +1429,7 @@ int _register_user(aClient *cptr, aClient *sptr, char *nick, char *username, cha
if (sptr->local->ssl && !iConf.no_connect_tls_info)
{
sendnotice(sptr, "*** You are connected to %s with %s",
me.name, ssl_get_cipher(sptr->local->ssl));
me.name, tls_get_cipher(sptr->local->ssl));
}
}
+18 -18
View File
@@ -322,7 +322,7 @@ skip_host_check:
{
/* Let's help admins a bit with a good error message in case
* they mix different authentication systems (plaintext password
* vs an "TLS Auth type" like spkifp/sslclientcert/sslclientcertfp).
* vs an "TLS Auth type" like spkifp/tlsclientcert/tlsclientcertfp).
* The 'if' statement below is a bit complex but it consists of 2 things:
* 1. Check if our side expects a plaintext password but we did not receive one
* 2. Check if our side expects a non-plaintext password but we did receive one
@@ -339,14 +339,14 @@ skip_host_check:
sendto_ops_and_log("Link denied for '%s' (Authentication failed [spkifp mismatch]) %s",
servername, inpath);
} else
if (link->auth->type == AUTHTYPE_SSL_CLIENTCERT)
if (link->auth->type == AUTHTYPE_TLS_CLIENTCERT)
{
sendto_ops_and_log("Link denied for '%s' (Authentication failed [sslclientcert mismatch]) %s",
sendto_ops_and_log("Link denied for '%s' (Authentication failed [tlsclientcert mismatch]) %s",
servername, inpath);
} else
if (link->auth->type == AUTHTYPE_SSL_CLIENTCERTFP)
if (link->auth->type == AUTHTYPE_TLS_CLIENTCERTFP)
{
sendto_ops_and_log("Link denied for '%s' (Authentication failed [sslclientcertfp mismatch]) %s",
sendto_ops_and_log("Link denied for '%s' (Authentication failed [tlsclientcertfp mismatch]) %s",
servername, inpath);
} else
{
@@ -360,7 +360,7 @@ skip_host_check:
"Link denied (Authentication failed)");
}
/* Verify the SSL certificate (if requested) */
/* Verify the TLS certificate (if requested) */
if (link->verify_certificate)
{
char *errstr = NULL;
@@ -443,7 +443,7 @@ skip_host_check:
if (IsSecure(cptr) && (iConf.outdated_tls_policy_server == POLICY_DENY) && outdated_tls_client(cptr))
{
sendto_one(cptr, NULL, "ERROR :Server is using an outdated SSL/TLS protocol or cipher (set::outdated-tls-policy::server is 'deny')");
sendto_ops_and_log("Rejected server %s using outdated %s. See https://www.unrealircd.org/docs/FAQ#server-outdated-tls", ssl_get_cipher(cptr->local->ssl), cptr->name);
sendto_ops_and_log("Rejected server %s using outdated %s. See https://www.unrealircd.org/docs/FAQ#server-outdated-tls", tls_get_cipher(cptr->local->ssl), cptr->name);
return exit_client(cptr, sptr, &me, NULL, "Server using outdates SSL/TLS protocol or cipher (set::outdated-tls-policy::server is 'deny')");
}
if (link_out)
@@ -791,15 +791,15 @@ void _introduce_user(aClient *to, aClient *acptr)
void tls_link_notification_verify(aClient *acptr, ConfigItem_link *aconf)
{
char *spki_fp;
char *ssl_fp;
char *tls_fp;
char *errstr = NULL;
int verify_ok;
if (!MyConnect(acptr) || !acptr->local->ssl || !aconf)
return;
if ((aconf->auth->type == AUTHTYPE_SSL_CLIENTCERT) ||
(aconf->auth->type == AUTHTYPE_SSL_CLIENTCERTFP) ||
if ((aconf->auth->type == AUTHTYPE_TLS_CLIENTCERT) ||
(aconf->auth->type == AUTHTYPE_TLS_CLIENTCERTFP) ||
(aconf->auth->type == AUTHTYPE_SPKIFP))
{
/* Link verified by certificate or SPKI */
@@ -812,9 +812,9 @@ void tls_link_notification_verify(aClient *acptr, ConfigItem_link *aconf)
return;
}
ssl_fp = moddata_client_get(acptr, "certfp");
tls_fp = moddata_client_get(acptr, "certfp");
spki_fp = spki_fingerprint(acptr);
if (!ssl_fp || !spki_fp)
if (!tls_fp || !spki_fp)
return; /* wtf ? */
/* Only bother the user if we are linking to UnrealIRCd 4.0.16+,
@@ -943,9 +943,9 @@ int m_server_synch(aClient *cptr, ConfigItem_link *aconf)
{
sendto_server(&me, 0, 0, NULL, ":%s SMO o :(\2link\2) Secure link %s -> %s established (%s)",
me.name,
me.name, inpath, ssl_get_cipher(cptr->local->ssl));
me.name, inpath, tls_get_cipher(cptr->local->ssl));
sendto_realops("(\2link\2) Secure link %s -> %s established (%s)",
me.name, inpath, ssl_get_cipher(cptr->local->ssl));
me.name, inpath, tls_get_cipher(cptr->local->ssl));
tls_link_notification_verify(cptr, aconf);
}
else
@@ -955,19 +955,19 @@ int m_server_synch(aClient *cptr, ConfigItem_link *aconf)
me.name, inpath);
sendto_realops("(\2link\2) Link %s -> %s established",
me.name, inpath);
/* Print out a warning if linking to a non-SSL server unless it's localhost.
* Yeah.. there are still other cases when non-SSL links are fine (eg: local IP
/* Print out a warning if linking to a non-TLS server unless it's localhost.
* Yeah.. there are still other cases when non-TLS links are fine (eg: local IP
* of the same machine), we won't bother with detecting that. -- Syzop
*/
if (!IsLocal(cptr) && (iConf.plaintext_policy_server == POLICY_WARN))
{
sendto_realops("\002WARNING:\002 This link is unencrypted (non-SSL). We highly recommend to use "
sendto_realops("\002WARNING:\002 This link is unencrypted (not SSL/TLS). We highly recommend to use "
"SSL/TLS for server linking. See https://www.unrealircd.org/docs/Linking_servers");
}
if (IsSecure(cptr) && (iConf.outdated_tls_policy_server == POLICY_WARN) && outdated_tls_client(cptr))
{
sendto_realops("\002WARNING:\002 This link is using an outdated SSL/TLS protocol or cipher (%s).",
ssl_get_cipher(cptr->local->ssl));
tls_get_cipher(cptr->local->ssl));
}
}
(void)add_to_client_hash_table(cptr->name, cptr);
+6 -6
View File
@@ -558,7 +558,7 @@ static char *stats_port_helper(ConfigItem_listen *listener)
ircsnprintf(buf, sizeof(buf), "%s%s%s%s",
(listener->options & LISTENER_CLIENTSONLY)? "clientsonly ": "",
(listener->options & LISTENER_SERVERSONLY)? "serversonly ": "",
(listener->options & LISTENER_TLS)? "ssl ": "",
(listener->options & LISTENER_TLS)? "tls ": "",
!(listener->options & LISTENER_TLS)? "plaintext ": "");
return buf;
}
@@ -1109,16 +1109,16 @@ int stats_set(aClient *sptr, char *para)
sendtxtnumeric(sptr, "hide-ban-reason: %d", HIDE_BAN_REASON);
sendtxtnumeric(sptr, "anti-spam-quit-message-time: %s", pretty_time_val(ANTI_SPAM_QUIT_MSG_TIME));
sendtxtnumeric(sptr, "channel-command-prefix: %s", CHANCMDPFX ? CHANCMDPFX : "`");
sendtxtnumeric(sptr, "ssl::certificate: %s", SafePrint(iConf.tls_options->certificate_file));
sendtxtnumeric(sptr, "ssl::key: %s", SafePrint(iConf.tls_options->key_file));
sendtxtnumeric(sptr, "ssl::trusted-ca-file: %s", SafePrint(iConf.tls_options->trusted_ca_file));
sendtxtnumeric(sptr, "ssl::options: %s", iConf.tls_options->options & TLSFLAG_FAILIFNOCERT ? "FAILIFNOCERT" : "");
sendtxtnumeric(sptr, "tls::certificate: %s", SafePrint(iConf.tls_options->certificate_file));
sendtxtnumeric(sptr, "tls::key: %s", SafePrint(iConf.tls_options->key_file));
sendtxtnumeric(sptr, "tls::trusted-ca-file: %s", SafePrint(iConf.tls_options->trusted_ca_file));
sendtxtnumeric(sptr, "tls::options: %s", iConf.tls_options->options & TLSFLAG_FAILIFNOCERT ? "FAILIFNOCERT" : "");
sendtxtnumeric(sptr, "options::show-opermotd: %d", SHOWOPERMOTD);
sendtxtnumeric(sptr, "options::hide-ulines: %d", HIDE_ULINES);
sendtxtnumeric(sptr, "options::identd-check: %d", IDENT_CHECK);
sendtxtnumeric(sptr, "options::fail-oper-warn: %d", FAILOPER_WARN);
sendtxtnumeric(sptr, "options::show-connect-info: %d", SHOWCONNECTINFO);
sendtxtnumeric(sptr, "options::no-connect-tls-info: %d", NOCONNECTSSLINFO);
sendtxtnumeric(sptr, "options::no-connect-tls-info: %d", NOCONNECTTLSLINFO);
sendtxtnumeric(sptr, "options::dont-resolve: %d", DONT_RESOLVE);
sendtxtnumeric(sptr, "options::mkpasswd-for-everyone: %d", MKPASSWD_FOR_EVERYONE);
sendtxtnumeric(sptr, "options::allow-insane-bans: %d", ALLOW_INSANE_BANS);
+73 -66
View File
@@ -157,72 +157,79 @@ CMD_FUNC(m_trace)
class = acptr->local->class ? acptr->local->class->name : "default";
switch (acptr->status)
{
case STAT_CONNECTING:
sendnumeric(sptr, RPL_TRACECONNECTING, class, name);
cnt++;
break;
case STAT_HANDSHAKE:
sendnumeric(sptr, RPL_TRACEHANDSHAKE, class, name);
cnt++;
break;
case STAT_ME:
break;
case STAT_UNKNOWN:
sendnumeric(sptr, RPL_TRACEUNKNOWN, class, name);
cnt++;
break;
case STAT_CLIENT:
/* Only opers see users if there is a wildcard
* but anyone can see all the opers.
*/
if (ValidatePermissionsForPath("client:see:trace:invisible-users",sptr,acptr,NULL,NULL) ||
(!IsInvisible(acptr) && ValidatePermissionsForPath("client:see:trace",sptr,acptr,NULL,NULL)))
{
if (ValidatePermissionsForPath("client:see:trace",sptr,acptr,NULL,NULL) || ValidatePermissionsForPath("client:see:trace:invisible-users",sptr,acptr,NULL,NULL))
sendnumeric(sptr, RPL_TRACEOPERATOR,
class, acptr->name,
GetHost(acptr),
now - acptr->local->lasttime);
else
sendnumeric(sptr, RPL_TRACEUSER,
class, acptr->name,
acptr->user->realhost,
now - acptr->local->lasttime);
cnt++;
}
break;
case STAT_SERVER:
if (acptr->serv->user)
sendnumeric(sptr, RPL_TRACESERVER, class, acptr->fd >= 0 ? link_s[acptr->fd] : -1,
acptr->fd >= 0 ? link_u[acptr->fd] : -1, name, acptr->serv->by,
acptr->serv->user->username,
acptr->serv->user->realhost,
now - acptr->local->lasttime);
else
sendnumeric(sptr, RPL_TRACESERVER, class, acptr->fd >= 0 ? link_s[acptr->fd] : -1,
acptr->fd >= 0 ? link_u[acptr->fd] : -1, name, *(acptr->serv->by) ?
acptr->serv->by : "*", "*", me.name,
now - acptr->local->lasttime);
cnt++;
break;
case STAT_LOG:
sendnumeric(sptr, RPL_TRACELOG, LOGFILE, acptr->local->port);
cnt++;
break;
#ifdef USE_SSL
case STAT_TLS_CONNECT_HANDSHAKE:
sendnumeric(sptr, RPL_TRACENEWTYPE, "SSL-Connect-Handshake", name);
cnt++;
break;
case STAT_TLS_ACCEPT_HANDSHAKE:
sendnumeric(sptr, RPL_TRACENEWTYPE, "SSL-Accept-Handshake", name);
cnt++;
break;
#endif
default: /* ...we actually shouldn't come here... --msa */
sendnumeric(sptr, RPL_TRACENEWTYPE, "<newtype>", name);
cnt++;
break;
case STAT_CONNECTING:
sendnumeric(sptr, RPL_TRACECONNECTING, class, name);
cnt++;
break;
case STAT_HANDSHAKE:
sendnumeric(sptr, RPL_TRACEHANDSHAKE, class, name);
cnt++;
break;
case STAT_ME:
break;
case STAT_UNKNOWN:
sendnumeric(sptr, RPL_TRACEUNKNOWN, class, name);
cnt++;
break;
case STAT_CLIENT:
/* Only opers see users if there is a wildcard
* but anyone can see all the opers.
*/
if (ValidatePermissionsForPath("client:see:trace:invisible-users",sptr,acptr,NULL,NULL) ||
(!IsInvisible(acptr) && ValidatePermissionsForPath("client:see:trace",sptr,acptr,NULL,NULL)))
{
if (ValidatePermissionsForPath("client:see:trace",sptr,acptr,NULL,NULL) || ValidatePermissionsForPath("client:see:trace:invisible-users",sptr,acptr,NULL,NULL))
sendnumeric(sptr, RPL_TRACEOPERATOR,
class, acptr->name,
GetHost(acptr),
now - acptr->local->lasttime);
else
sendnumeric(sptr, RPL_TRACEUSER,
class, acptr->name,
acptr->user->realhost,
now - acptr->local->lasttime);
cnt++;
}
break;
case STAT_SERVER:
if (acptr->serv->user)
sendnumeric(sptr, RPL_TRACESERVER, class, acptr->fd >= 0 ? link_s[acptr->fd] : -1,
acptr->fd >= 0 ? link_u[acptr->fd] : -1, name, acptr->serv->by,
acptr->serv->user->username,
acptr->serv->user->realhost,
now - acptr->local->lasttime);
else
sendnumeric(sptr, RPL_TRACESERVER, class, acptr->fd >= 0 ? link_s[acptr->fd] : -1,
acptr->fd >= 0 ? link_u[acptr->fd] : -1, name, *(acptr->serv->by) ?
acptr->serv->by : "*", "*", me.name,
now - acptr->local->lasttime);
cnt++;
break;
case STAT_LOG:
sendnumeric(sptr, RPL_TRACELOG, LOGFILE, acptr->local->port);
cnt++;
break;
case STAT_TLS_CONNECT_HANDSHAKE:
sendnumeric(sptr, RPL_TRACENEWTYPE, "TLS-Connect-Handshake", name);
cnt++;
break;
case STAT_TLS_ACCEPT_HANDSHAKE:
sendnumeric(sptr, RPL_TRACENEWTYPE, "TLS-Accept-Handshake", name);
cnt++;
break;
default: /* ...we actually shouldn't come here... --msa */
sendnumeric(sptr, RPL_TRACENEWTYPE, "<newtype>", name);
cnt++;
break;
}
}
/*