mirror of https://github.com/unrealircd/unrealircd.git synced 2026-06-28 10:36:38 +02:00

Require TLSv1.2 or later and require a modern cipher with forward secrecy.

This also fixes a bug with OpenSSL 3.x where, when the ircd was
configured to still allow old TLSv1.0 / TLSv1.1, it would still
only allow TLSv1.2+.

But, as said, allowing TLSv1.0/TLSv1.1 is now no longer the default.

See release notes for more information or the documentation at
https://www.unrealircd.org/docs/TLS_Ciphers_and_protocols
This commit is contained in:
Bram Matthys
2022-11-27 16:59:22 +01:00
parent cfea8b32f0
commit ee1f8d84a0
4 changed files with 15 additions and 3 deletions
+12
@@ -15,6 +15,18 @@ If you want a stable IRCd, download 6.0.4 or upgrade to it via `./unrealircd upg
* [JSON-RPC](https://www.unrealircd.org/docs/JSON-RPC) API for UnrealIRCd.
This is work in progress.
### Changes:
* SSL/TLS: By default we now require TLSv1.2 or later and a modern cipher
with forward secrecy. Otherwise the connection is refused.
* Since UnrealIRCd 4.2.2 (March 2019) users see an on-connect notice with
a warning when they use an outdated TLS protocol or cipher that does not
meet these requirements.
* This move also reflects the phase out of TLSv1.2 that happened in
browsers in 2020/2021.
* If you want to revert back to the previous less secure settings, then
look under ''Previous less secure setting'' in
[TLS Ciphers and protocols](https://www.unrealircd.org/docs/TLS_Ciphers_and_protocols).
UnrealIRCd 6.0.4.2
-------------------
Another small update to 6.0.4.x:
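Review bot: the third bullet of the new "Changes" block says browsers phased out "TLSv1.2" in 2020/2021, but this change keeps TLSv1.2 and drops the versions below it, so the bullet should read "phase out of TLSv1.0 and TLSv1.1"; as written it contradicts the first bullet ("require TLSv1.2 or later"). Two smaller points in the same block: the last bullet uses wiki-style ''Previous less secure setting'' quoting inside a markdown file, where a plain quoted phrase or backticks would match the rest of the release notes, and the first bullet could state the user-visible effect more precisely (which side refuses the connection and whether the existing on-connect warning from 4.2.2 still fires), since that is what operators will look for when old clients stop connecting.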
+1 -1
@@ -275,7 +275,7 @@
/* Default TLS cipherlist (except for TLS1.3, see further down).
* This can be changed via set::ssl::options::ciphers in the config file.
*/
#define UNREALIRCD_DEFAULT_CIPHERS "TLS13-CHACHA20-POLY1305-SHA256 TLS13-AES-256-GCM-SHA384 TLS13-AES-128-GCM-SHA256 EECDH+CHACHA20 EECDH+AESGCM EECDH+AES AES256-GCM-SHA384 AES128-GCM-SHA256 AES256-SHA256 AES128-SHA256 AES256-SHA AES128-SHA"
#define UNREALIRCD_DEFAULT_CIPHERS "EECDH+CHACHA20 EECDH+AESGCM EECDH+AES+SHA384 EECDH+AES+SHA256"
/* Default TLS 1.3 ciphersuites.
* This can be changed via set::ssl::options::ciphersuites in the config file.
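Review bot: the replacement cipherlist "EECDH+CHACHA20 EECDH+AESGCM EECDH+AES+SHA384 EECDH+AES+SHA256" still admits CBC-mode suites: in OpenSSL's cipher-string notation the SHA384 and SHA256 selectors match the ECDHE AES-CBC suites with SHA-2 MACs, not the AEAD ones (those are already covered by EECDH+AESGCM). If "modern cipher" in the commit message is meant to be AEAD-only, the last two groups should go; if CBC with SHA-2 is intentionally kept for compatibility, say so. Either way the comment above the define should be updated to record that the list is now deliberately ECDHE-only (every suite provides forward secrecy, and the RSA-key-exchange AES entries from the old list are gone on purpose), and that the TLS13-* names were dropped because TLS 1.3 suites are set separately via set::ssl::options::ciphersuites as the following comment already states.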
+1 -1
@@ -1733,7 +1733,7 @@ void config_setdefaultsettings(Configuration *i)
safe_strdup(i->tls_options->trusted_ca_file, tmp);
safe_strdup(i->tls_options->ciphers, UNREALIRCD_DEFAULT_CIPHERS);
safe_strdup(i->tls_options->ciphersuites, UNREALIRCD_DEFAULT_CIPHERSUITES);
i->tls_options->protocols = TLS_PROTOCOL_ALL;
i->tls_options->protocols = TLS_PROTOCOL_TLSV1_2|TLS_PROTOCOL_TLSV1_3; /* TLSv1.2 & TLSv1.3 */
#ifdef HAS_SSL_CTX_SET1_CURVES_LIST
safe_strdup(i->tls_options->ecdh_curves, UNREALIRCD_DEFAULT_ECDH_CURVES);
#endif
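Review bot: the trailing comment on the new default, "/* TLSv1.2 & TLSv1.3 */", only restates the expression TLS_PROTOCOL_TLSV1_2|TLS_PROTOCOL_TLSV1_3; it would be more useful to say why TLS_PROTOCOL_ALL was dropped and point at the documentation page referenced in the commit message, so the next reader does not "fix" it back. Since TLS_PROTOCOL_ALL presumably still exists, it is also worth checking that no other code path (config parsing fallbacks, per-listen-block defaults) still initialises protocols with it, or the default will differ depending on which block the operator configures.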
+1 -1
@@ -215,7 +215,7 @@ void disable_ssl_protocols(SSL_CTX *ctx, TLSOptions *tlsoptions)
if ((tlsoptions->protocols & TLS_PROTOCOL_TLSV1) ||
(tlsoptions->protocols & TLS_PROTOCOL_TLSV1_1))
{
SSL_CTX_set_security_level(ctx, 1);
SSL_CTX_set_security_level(ctx, 0);
}
#endif
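Review bot: dropping to SSL_CTX_set_security_level(ctx, 0) does more than re-enable TLSv1.0/TLSv1.1; level 0 switches off all of OpenSSL's minimum-strength checks for that context (key sizes, signature digests and cipher strength), whereas level 1 only blocked the old protocol versions as a side effect on OpenSSL 3.x. That is an acceptable trade-off for an explicitly opted-in legacy mode, but it should be stated in a comment next to the call and in the TLS_Ciphers_and_protocols documentation, and the opt-in should ideally be logged at startup so operators know the whole listener, not just the protocol floor, is running with relaxed checks.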