1
0
mirror of https://github.com/unrealircd/unrealircd.git synced 2026-07-04 00:23:14 +02:00

Require TLSv1.2 or later and require a modern cipher with forward secrecy.

This also fixes a bug with OpenSSL 3.x where, when the ircd was
configured to still allow old TLSv1.0 / TLSv1.1, it would still
only allow TLSv1.2+.

But, as said, allowing TLSv1.0/TLSv1.1 is now no longer the default.

See release notes for more information or the documentation at
https://www.unrealircd.org/docs/TLS_Ciphers_and_protocols
This commit is contained in:
Bram Matthys
2022-11-27 16:59:22 +01:00
parent cfea8b32f0
commit ee1f8d84a0
4 changed files with 15 additions and 3 deletions
+1 -1
View File
@@ -1733,7 +1733,7 @@ void config_setdefaultsettings(Configuration *i)
safe_strdup(i->tls_options->trusted_ca_file, tmp);
safe_strdup(i->tls_options->ciphers, UNREALIRCD_DEFAULT_CIPHERS);
safe_strdup(i->tls_options->ciphersuites, UNREALIRCD_DEFAULT_CIPHERSUITES);
i->tls_options->protocols = TLS_PROTOCOL_ALL;
i->tls_options->protocols = TLS_PROTOCOL_TLSV1_2|TLS_PROTOCOL_TLSV1_3; /* TLSv1.2 & TLSv1.3 */
#ifdef HAS_SSL_CTX_SET1_CURVES_LIST
safe_strdup(i->tls_options->ecdh_curves, UNREALIRCD_DEFAULT_ECDH_CURVES);
#endif
+1 -1
View File
@@ -215,7 +215,7 @@ void disable_ssl_protocols(SSL_CTX *ctx, TLSOptions *tlsoptions)
if ((tlsoptions->protocols & TLS_PROTOCOL_TLSV1) ||
(tlsoptions->protocols & TLS_PROTOCOL_TLSV1_1))
{
SSL_CTX_set_security_level(ctx, 1);
SSL_CTX_set_security_level(ctx, 0);
}
#endif