diff --git a/Changes b/Changes index b639129f8..fe1939f15 100644 --- a/Changes +++ b/Changes @@ -1068,3 +1068,5 @@ seen. gmtime warning still there - Fixed .1081 problem, see bug #0000020 for more information about how it REALLY should be fixed - Fixed a typo reported by Tracer (bug #0000022) +- Made support in *nix for encrypted SSL private keys, + "make encpem" to make an encrypted server key if you already have one diff --git a/Makefile.in b/Makefile.in index 91ba5411d..daeb96869 100644 --- a/Makefile.in +++ b/Makefile.in @@ -223,7 +223,7 @@ install: all $(INSTALL) -m 0700 -d $(IRCDDIR)/modules $(INSTALL) -m 0700 src/modules/*.so $(IRCDDIR)/modules - pem: src/ssl.cnf +pem: src/ssl.cnf @echo "Generating certificate request .. " $(OPENSSLPATH) req -new \ -config src/ssl.cnf -out server.req.pem \ @@ -237,4 +237,15 @@ install: all @echo "Setting o-rwx & g-rwx for files... " chmod o-rwx server.req.pem server.key.pem server.cert.pem chmod g-rwx server.req.pem server.key.pem server.cert.pem - @echo "Done!." + @echo "Done!. If you want to encrypt the private key, run" + @echo "make encpem" + +encpem: server.key.pem + @echo "Encrypting server key .." + $(OPENSSLPATH) rsa -in server.key.pem -out server.key.c.pem -des3 + -@if [ -f server.key.c.pem ] ; then \ + echo "Replacing unencrypted with encrypted .." ; \ + cp server.key.c.pem server.key.pem ; \ + rm -f server.key.c.pem ; \ + fi + diff --git a/src/ircd.c b/src/ircd.c index 86307e51c..50e9d9dd3 100644 --- a/src/ircd.c +++ b/src/ircd.c @@ -1102,6 +1102,10 @@ int InitwIRCD(argc, argv) load_tunefile(); make_umodestr(); make_cmodestr(); +#ifdef USE_SSL + fprintf(stderr, "* Initializing SSL.\n"); + init_ssl(); +#endif fprintf(stderr, "* Dynamic configuration initialized .. booting IRCd.\n"); fprintf(stderr, @@ -1189,9 +1193,6 @@ int InitwIRCD(argc, argv) R_fin_id = strlen(REPORT_FIN_ID); R_fail_id = strlen(REPORT_FAIL_ID); write_pidfile(); -#ifdef USE_SSL - init_ssl(); -#endif Debug((DEBUG_NOTICE, "Server ready...")); #ifdef USE_SYSLOG syslog(LOG_NOTICE, "Server Ready"); diff --git a/src/ssl.c b/src/ssl.c index cb273154e..29024d243 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -29,6 +29,32 @@ SSL_CTX *ctx_client; #define CHK_SSL(err) if ((err)==-1) { ERR_print_errors_fp(stderr); } +int ssl_pem_passwd_cb(char *buf, int size, int rwflag, void *password) +{ +#ifndef _WIN32 + char *pass; + static int before = 0; + static char beforebuf[1024]; + if (before) + { + strncpy(buf, (char *)beforebuf, size); + buf[size - 1] = '\0'; + return (strlen(buf)); + } + pass = getpass("Password for SSL private key: "); + if (pass) + { + strncpy(buf, (char *)pass, size); + strncpy(beforebuf, (char *)pass, sizeof(beforebuf)); + beforebuf[sizeof(beforebuf) - 1] = '\0'; + buf[size - 1] = '\0'; + before = 1; + return (strlen(buf)); + } + return 0; +#endif +} + void init_ctx_server(void) { ctx_server = SSL_CTX_new(SSLv23_server_method()); @@ -37,6 +63,9 @@ void init_ctx_server(void) ircd_log(LOG_ERROR, "Failed to do SSL CTX new"); exit(2); } +#ifndef _WIN32 + SSL_CTX_set_default_passwd_cb(ctx_server, ssl_pem_passwd_cb); +#endif if (SSL_CTX_use_certificate_file(ctx_server, CERTF, SSL_FILETYPE_PEM) <= 0) { @@ -64,7 +93,9 @@ void init_ctx_client(void) ircd_log(LOG_ERROR, "Failed to do SSL CTX new client"); exit(2); } - +#ifndef _WIN32 + SSL_CTX_set_default_passwd_cb(ctx_client, ssl_pem_passwd_cb); +#endif if (SSL_CTX_use_certificate_file(ctx_client, CERTF, SSL_FILETYPE_PEM) <= 0) { ircd_log(LOG_ERROR, "Failed to load SSL certificate %s (client)", CERTF);