Ubuntu 20.04 needs this change in order to still allow you to enable

TLSv1.0 or TLSv1.1. Otherwise it is impossible to enable by the application. We are still going to turn off TLSv1.0 and TLSv1.1 by the end of this year by default. Ubuntu 20.04 is just a couple of months too early. See also the various browsers who postponed disabling TLSv1.0/TLSv1.1. Also, regardless of the above, we want the admins running the IRC server be able to control this and not having such a breaking change be dependant on some distro default settings.
2026-06-12 17:14:46 +02:00 · 2020-04-18 12:40:45 +02:00
parent 498f65aaad
commit f419a61f94
5 changed files with 90 additions and 2 deletions
@@ -252,3 +252,23 @@ else
 	AC_MSG_RESULT([no])
 fi
 ])
+
+AC_DEFUN([CHECK_SSL_CTX_SET_SECURITY_LEVEL],
+[
+AC_MSG_CHECKING([for SSL_CTX_set_security_level in SSL library])
+AC_LANG_PUSH(C)
+SAVE_LIBS="$LIBS"
+LIBS="$LIBS $CRYPTOLIB"
+AC_TRY_LINK([#include <openssl/ssl.h>],
+	[SSL_CTX *ctx = NULL; SSL_CTX_set_security_level(ctx, 1);],
+	has_function=1,
+	has_function=0)
+LIBS="$SAVE_LIBS"
+AC_LANG_POP(C)
+if test $has_function = 1; then
+	AC_MSG_RESULT([yes])
+	AC_DEFINE([HAS_SSL_CTX_SET_SECURITY_LEVEL], [], [Define if ssl library has SSL_CTX_set_security_level])
+else
+	AC_MSG_RESULT([no])
+fi
+])
@@ -6383,6 +6383,53 @@ else
 $as_echo "no" >&6; }
 fi

+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL_CTX_set_security_level in SSL library" >&5
+$as_echo_n "checking for SSL_CTX_set_security_level in SSL library... " >&6; }
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+SAVE_LIBS="$LIBS"
+LIBS="$LIBS $CRYPTOLIB"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <openssl/ssl.h>
+int
+main ()
+{
+SSL_CTX *ctx = NULL; SSL_CTX_set_security_level(ctx, 1);
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  has_function=1
+else
+  has_function=0
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS="$SAVE_LIBS"
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+if test $has_function = 1; then
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+$as_echo "#define HAS_SSL_CTX_SET_SECURITY_LEVEL /**/" >>confdefs.h
+
+else
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
 # Check whether --enable-dynamic-linking was given.
 if test "${enable_dynamic_linking+set}" = set; then :
  enableval=$enable_dynamic_linking; enable_dynamic_linking=$enableval
@@ -497,6 +497,7 @@ AC_ARG_WITH(system-cares, [AS_HELP_STRING([--without-system-cares], [Use bundled
 CHECK_SSL
 CHECK_SSL_CTX_SET1_CURVES_LIST
 CHECK_SSL_CTX_SET_MIN_PROTO_VERSION
+CHECK_SSL_CTX_SET_SECURITY_LEVEL
 AC_ARG_ENABLE(dynamic-linking, [AS_HELP_STRING([--disable-dynamic-linking], [Make the IRCd statically link with shared objects rather than dynamically (noone knows if disabling dynamic linking actually does anything or not)])],
 	[enable_dynamic_linking=$enableval], [enable_dynamic_linking="yes"])
 AS_IF([test $enable_dynamic_linking = "yes"],
@@ -34,6 +34,9 @@
 /* Define if ssl library has SSL_CTX_set_min_proto_version */
 #undef HAS_SSL_CTX_SET_MIN_PROTO_VERSION

+/* Define if ssl library has SSL_CTX_set_security_level */
+#undef HAS_SSL_CTX_SET_SECURITY_LEVEL
+
 /* Define if you have crypt */
 #undef HAVE_CRYPT

@@ -270,8 +270,25 @@ static int setup_dh_params(SSL_CTX *ctx)
 /** Disable SSL/TLS protocols as set by config */
 void disable_ssl_protocols(SSL_CTX *ctx, TLSOptions *tlsoptions)
 {
-	/* OpenSSL has two mechanisms for protocol version control:
-	 *
+	/* OpenSSL has three mechanisms for protocol version control... */
+
+#ifdef HAS_SSL_CTX_SET_SECURITY_LEVEL
+	/* The first one is setting a "security level" as introduced
+	 * by OpenSSL 1.1.0. Some Linux distro's like Ubuntu 20.04
+	 * seemingly compile with -DOPENSSL_TLS_SECURITY_LEVEL=2.
+	 * This means the application (UnrealIRCd) is unable to allow
+	 * TLSv1.0/1.1 even if the application is configured to do so.
+	 * So here we set the level to 1, but -again- ONLY if we are
+	 * configured to allow TLSv1.0 or v1.1, of course.
+	 */
+	if ((tlsoptions->protocols & TLS_PROTOCOL_TLSV1) ||
+	    (tlsoptions->protocols & TLS_PROTOCOL_TLSV1_1))
+	{
+		SSL_CTX_set_security_level(ctx, 1);
+	}
+#endif
+
+	/* The remaining two mechanisms are:
 	 * The old way, which is most flexible, is to use:
 	 * SSL_CTX_set_options(... SSL_OP_NO_<version>) which allows
 	 * you to disable each and every specific SSL/TLS version.