Bram Matthys
0da1fdb2d2
Fix possible crash in /STATS due to change from yesterday.
...
Other than that, some minor style and real things.
2017-09-02 08:27:55 +02:00
Bram Matthys
199a7e162d
Make new functions more generic and use it from crash reporter so
...
people with older OpenSSL libraries (and LibreSSL) benefit from
the hostname validation code there as well.
2017-09-01 17:28:49 +02:00
Bram Matthys
aa829bce12
New option link::verify-certificate [yes|no]. This will cause UnrealIRCd
...
to validate the certificate of the link, making sure that:
1) The certificate is issued by a trusted Certificate Authority (CA).
2) The name on the certificate matches the name of the link block.
Some things still need to be done: documentation, more testing, and
using the X509_check_host() function when available.
2017-09-01 17:10:29 +02:00
Bram Matthys
5ff4fb3f87
Remove old code.. this is already set in link->ssl_ctx by init_ctx().
...
(tested)
2017-09-01 09:32:51 +02:00
Bram Matthys
6d7be72f2b
Remove ssl option 'no-self-signed'. Use 'verify-certificate' instead.
...
Nobody used this option and it only caused the following confusing
(and potentially insecure) behavior:
Previously if you had 'verify-certificate' enabled then the certificate
would be checked, BUT if it was a self-signed certificate (and thus
not passing verify-cert) it was STILL allowed unless you also
specified the 'no-self-signed' option. This might be correct as per
documentation but is way too confusing for the user.
Now you simply have to choose whether you verify the certificate or
not. No special handling for self-signed certificates.
2017-09-01 08:55:01 +02:00
Bram Matthys
455420afc1
SNI-specific sts-policy is now possible. (As recommended by IRCv3 draft spec)
2017-08-09 15:39:52 +02:00
Bram Matthys
b2129205f9
Added support for the "Server Name Indication" (SNI) SSL/TLS extension.
...
See https://www.unrealircd.org/docs/Sni_block
Requested in #4380 by Eman.
2017-08-09 12:00:04 +02:00
Bram Matthys
a6f5460ad8
Update OpenFiles upon failed SSL connect to remote server. Reported by Eman ( #4948 ).
2017-05-10 17:03:45 +02:00
Bram Matthys
00142f90e9
Give more clients(/services) a clear hint when they try to connect on an SSL
...
port but are speaking plaintext (non-SSL).
2017-01-02 16:31:01 +01:00
Bram Matthys
aae0971cf4
Add the ability to set specific ssl options in listen blocks and link blocks.
...
This allows you to for example specify a specific certificate/key on an
serversonly port and in link block (a self-signed 10 year valid certificate)
and use a short-lived (XX day) Let's Encrypt certificate on the other ports.
And several other uses, of course.
2016-12-29 08:37:15 +01:00
Bram Matthys
9a8645973c
Added set::ssl::options::no-client-certificate
...
This is really NOT a recommended setting but may be necessary to work around
some browser issues for wss://.
2016-12-16 17:20:27 +01:00
Bram Matthys
490abc76c1
Fix crash due to commit from yesterday
2016-09-27 07:37:09 +02:00
Bram Matthys
2de0c4ec80
Use server-side cipher selection and set a reasonable default ciphersuite list
...
taking into account compatibility with older clients. See the wiki/docs article
https://www.unrealircd.org/docs/SSL_Ciphers_and_protocols for more information
2016-09-26 16:03:24 +02:00
Bram Matthys
9203ee1748
set::ssl::server-cipher-list is now called set::ssl::ciphers (old name still works too)
2016-09-26 15:01:54 +02:00
Bram Matthys
4fe7203091
Use cipher list for connections to other servers as well
2016-09-26 14:58:16 +02:00
Bram Matthys
7f703d8991
Add the ability to enable/disable TLS versions via set::ssl::protocols
...
Accepted values are: All (enable all), TLSv1, TLSv1.1, TLSv1.2
You can use + and - modifiers, in fact you are encouraged to.
Example: set { ssl { protocols "All,-TLSv1,-TLSv1.1"; }; };
This will only allow TLSv1.2 at time of writing, and later whenever
TLSv1.3 is released it will allow TLSv1.2 and TLSv1.3.
Note that 'SSLv2' and 'SSLv3' do not exist, as UnrealIRCd 4.x never
supported these old versions (and never will).
2016-09-26 14:47:45 +02:00
Bram Matthys
8d562ededb
Remove support for EGD (Entropy Gathering Daemon). Nobody uses this and it only causes issues with LibreSSL.
2016-04-03 15:15:12 +02:00
Bram Matthys
b3c371ddf4
Add './unrealircd reloadtls' to reload SSL/TLS certificates and keys.
...
Suggested by Bob_Sheep (#4537 ) to aid the usage of Let's Encrypt.
Note that this is the same as doing '/REHASH -ssl' on IRC.
2016-01-13 11:37:17 +01:00
Bram Matthys
3c2c66b168
Give OpenSSL <1.0.0 users a small hint.
2015-12-13 09:21:18 +01:00
Bram Matthys
9b0bd01749
Fix crash on (outgoing) server linking attempt.
2015-09-04 12:22:39 +02:00
Bram Matthys
452aa02737
SSL: use ECDHE key only once (per session) for better forward security.
2015-08-17 11:43:18 +02:00
Bram Matthys
37a6c078ff
Disable SSL tickets to improve forward security. Isn't that useful on IRC anyway (hence session cache was already off).
2015-08-17 11:37:27 +02:00
Bram Matthys
4378667303
SSL: Add support for ECDHE for forward secrecy.
2015-08-17 11:10:25 +02:00
Bram Matthys
f0bba94144
Disable SSLv3.
2015-08-16 21:10:53 +02:00
Bram Matthys
13fffa4e1a
split all the local client stuff to acptr->local. makes it a lot easier to catch bugs.
...
If the IRCd crashes then it's likely not by this change but rather an existing issue that was previously gone unnoticed.
2015-07-19 12:48:18 +02:00
Bram Matthys
0698ba296c
various stuff
2015-07-16 21:01:50 +02:00
Bram Matthys
9bd211d46e
Fix some ununitialized stuff
2015-07-16 10:56:46 +02:00
Bram Matthys
f22cef97d4
Why do we have those unnecessary (SSL *) casts everywhere? Poof. Gone.
2015-07-15 15:54:36 +02:00
Bram Matthys
dcb4e382a3
Apparently on newer OpenSSL versions (unreleased) you can't access the read buffer. So use this method instead. Ohh.. we are so helpful to our users..
2015-07-15 15:48:00 +02:00
Bram Matthys
168ff802c4
Show a meaningful error when connecting to an SSL-only port with STARTTLS (iotw: if you forgot ssl in link::outgoing::options).
2015-07-15 15:09:01 +02:00
Bram Matthys
f847d2c9e5
hmm. inconsistency.
2015-07-15 14:55:35 +02:00
Bram Matthys
f265e9f970
re-indent without chgs
2015-07-15 14:52:22 +02:00
Bram Matthys
5778e53515
Print a helpful error when trying to link using an SSL-only port and the port isn't actually SSL-only (on the other end).
2015-07-15 14:41:40 +02:00
Bram Matthys
1ba5f95ecb
For ougoing server links, attempt to upgrade the connection via STARTTLS if not using SSL/TLS already.
2015-07-15 12:09:11 +02:00
Bram Matthys
00dd10c744
transform more failops call
2015-07-09 14:05:06 +02:00
Travis McArthur
aea09603a4
Remove USE_SSL macro and associated code
...
We no longer support non-SSL builds, remove related code
2015-05-20 02:48:34 -04:00
Bram Matthys
8f7886d9c7
init_ctx_client() was accidentally setting options on ctx_server. Reported by Jobe ( #4346 ).
2015-05-18 12:12:24 +02:00
Bram Matthys
94a6305880
Added config_report_ssl_error() which is now used when we failed to (re)initialize
...
SSL, may print a bit more meaningful errors (though rather long and obscure).
2014-07-20 17:45:58 +02:00
Bram Matthys
a51479b614
Win32: Fix SSL error not showing up in dialog box (was logged to ircd.log, though..)
2014-07-20 17:31:15 +02:00
Bram Matthys
7ba2e3214c
First attempt at allowing server to boot if SSL is enabled but the
...
server/client SSL context failed to load (eg: no cert/key file).
2014-07-20 16:50:29 +02:00
Bram Matthys
d7c198cc82
Secure server to server links were previously hardcoded at SSLv3. This has
...
been fixed to be 'SSLv3 or later'. In practice this means that you will now
see a lot more server-to-server links using TLSv1.2.
2014-01-09 21:39:36 +01:00
Bram Matthys
101d2dd6a3
Big 3.4.x commit containing bug fixes and enhancements. Modularizing
...
user & channel modes. Fixing Windows build. Etc..
2014-05-11 20:56:02 +02:00
William Pitcock
f5cfafb94e
- ssl: include prototype for start_of_normal_client_handshake().
2013-05-24 23:16:37 +00:00
William Pitcock
afdf5d780a
- Replace ircsprintf() with bounds-checking ircsnprintf(), patch from FalconKirtaran. ( #4208 )
2013-05-21 06:26:52 +00:00
William Pitcock
61fe014771
- Remove sendto_server_butone() and friends, now everything uses sendto_server(). ( #4202 )
...
Patch from FalconKirtaran.
2013-05-20 01:21:45 +00:00
William Pitcock
95370c6420
- ssl: Clean up no longer needed debug messages.
2013-05-06 02:42:26 +00:00
William Pitcock
595afafd28
- Finish up SSL linking support for evented I/O.
2013-05-06 02:39:18 +00:00
William Pitcock
5bbc40438f
- Initial work at making SSL connects work with the evented I/O.
2013-05-06 02:14:31 +00:00
William Pitcock
0b5fb5903e
- SSL: fix some bitrot left over from evented i/o rewrite
2013-01-14 06:23:53 -06:00
William Pitcock
f768abc2c2
- Fix typo in previous patch, pointed out by Wolfwood. ( #4147 )
2012-12-26 13:18:27 -06:00