1
0
mirror of https://github.com/unrealircd/unrealircd.git synced 2026-07-10 11:03:12 +02:00
Commit Graph

121 Commits

Author SHA1 Message Date
Bram Matthys 6d7be72f2b Remove ssl option 'no-self-signed'. Use 'verify-certificate' instead.
Nobody used this option and it only caused the following confusing
(and potentially insecure) behavior:
Previously if you had 'verify-certificate' enabled then the certificate
would be checked, BUT if it was a self-signed certificate (and thus
not passing verify-cert) it was STILL allowed unless you also
specified the 'no-self-signed' option. This might be correct as per
documentation but is way too confusing for the user.
Now you simply have to choose whether you verify the certificate or
not. No special handling for self-signed certificates.
2017-09-01 08:55:01 +02:00
Bram Matthys 455420afc1 SNI-specific sts-policy is now possible. (As recommended by IRCv3 draft spec) 2017-08-09 15:39:52 +02:00
Bram Matthys b2129205f9 Added support for the "Server Name Indication" (SNI) SSL/TLS extension.
See https://www.unrealircd.org/docs/Sni_block
Requested in #4380 by Eman.
2017-08-09 12:00:04 +02:00
Bram Matthys a6f5460ad8 Update OpenFiles upon failed SSL connect to remote server. Reported by Eman (#4948). 2017-05-10 17:03:45 +02:00
Bram Matthys 00142f90e9 Give more clients(/services) a clear hint when they try to connect on an SSL
port but are speaking plaintext (non-SSL).
2017-01-02 16:31:01 +01:00
Bram Matthys aae0971cf4 Add the ability to set specific ssl options in listen blocks and link blocks.
This allows you to for example specify a specific certificate/key on an
serversonly port and in link block (a self-signed 10 year valid certificate)
and use a short-lived (XX day) Let's Encrypt certificate on the other ports.
And several other uses, of course.
2016-12-29 08:37:15 +01:00
Bram Matthys 9a8645973c Added set::ssl::options::no-client-certificate
This is really NOT a recommended setting but may be necessary to work around
some browser issues for wss://.
2016-12-16 17:20:27 +01:00
Bram Matthys 490abc76c1 Fix crash due to commit from yesterday 2016-09-27 07:37:09 +02:00
Bram Matthys 2de0c4ec80 Use server-side cipher selection and set a reasonable default ciphersuite list
taking into account compatibility with older clients. See the wiki/docs article
https://www.unrealircd.org/docs/SSL_Ciphers_and_protocols for more information
2016-09-26 16:03:24 +02:00
Bram Matthys 9203ee1748 set::ssl::server-cipher-list is now called set::ssl::ciphers (old name still works too) 2016-09-26 15:01:54 +02:00
Bram Matthys 4fe7203091 Use cipher list for connections to other servers as well 2016-09-26 14:58:16 +02:00
Bram Matthys 7f703d8991 Add the ability to enable/disable TLS versions via set::ssl::protocols
Accepted values are: All (enable all), TLSv1, TLSv1.1, TLSv1.2
You can use + and - modifiers, in fact you are encouraged to.
Example: set { ssl { protocols "All,-TLSv1,-TLSv1.1"; }; };
This will only allow TLSv1.2 at time of writing, and later whenever
TLSv1.3 is released it will allow TLSv1.2 and TLSv1.3.
Note that 'SSLv2' and 'SSLv3' do not exist, as UnrealIRCd 4.x never
supported these old versions (and never will).
2016-09-26 14:47:45 +02:00
Bram Matthys 8d562ededb Remove support for EGD (Entropy Gathering Daemon). Nobody uses this and it only causes issues with LibreSSL. 2016-04-03 15:15:12 +02:00
Bram Matthys b3c371ddf4 Add './unrealircd reloadtls' to reload SSL/TLS certificates and keys.
Suggested by Bob_Sheep (#4537) to aid the usage of Let's Encrypt.
Note that this is the same as doing '/REHASH -ssl' on IRC.
2016-01-13 11:37:17 +01:00
Bram Matthys 3c2c66b168 Give OpenSSL <1.0.0 users a small hint. 2015-12-13 09:21:18 +01:00
Bram Matthys 9b0bd01749 Fix crash on (outgoing) server linking attempt. 2015-09-04 12:22:39 +02:00
Bram Matthys 452aa02737 SSL: use ECDHE key only once (per session) for better forward security. 2015-08-17 11:43:18 +02:00
Bram Matthys 37a6c078ff Disable SSL tickets to improve forward security. Isn't that useful on IRC anyway (hence session cache was already off). 2015-08-17 11:37:27 +02:00
Bram Matthys 4378667303 SSL: Add support for ECDHE for forward secrecy. 2015-08-17 11:10:25 +02:00
Bram Matthys f0bba94144 Disable SSLv3. 2015-08-16 21:10:53 +02:00
Bram Matthys 13fffa4e1a split all the local client stuff to acptr->local. makes it a lot easier to catch bugs.
If the IRCd crashes then it's likely not by this change but rather an existing issue that was previously gone unnoticed.
2015-07-19 12:48:18 +02:00
Bram Matthys 0698ba296c various stuff 2015-07-16 21:01:50 +02:00
Bram Matthys 9bd211d46e Fix some ununitialized stuff 2015-07-16 10:56:46 +02:00
Bram Matthys f22cef97d4 Why do we have those unnecessary (SSL *) casts everywhere? Poof. Gone. 2015-07-15 15:54:36 +02:00
Bram Matthys dcb4e382a3 Apparently on newer OpenSSL versions (unreleased) you can't access the read buffer. So use this method instead. Ohh.. we are so helpful to our users.. 2015-07-15 15:48:00 +02:00
Bram Matthys 168ff802c4 Show a meaningful error when connecting to an SSL-only port with STARTTLS (iotw: if you forgot ssl in link::outgoing::options). 2015-07-15 15:09:01 +02:00
Bram Matthys f847d2c9e5 hmm. inconsistency. 2015-07-15 14:55:35 +02:00
Bram Matthys f265e9f970 re-indent without chgs 2015-07-15 14:52:22 +02:00
Bram Matthys 5778e53515 Print a helpful error when trying to link using an SSL-only port and the port isn't actually SSL-only (on the other end). 2015-07-15 14:41:40 +02:00
Bram Matthys 1ba5f95ecb For ougoing server links, attempt to upgrade the connection via STARTTLS if not using SSL/TLS already. 2015-07-15 12:09:11 +02:00
Bram Matthys 00dd10c744 transform more failops call 2015-07-09 14:05:06 +02:00
Travis McArthur aea09603a4 Remove USE_SSL macro and associated code
We no longer support non-SSL builds, remove related code
2015-05-20 02:48:34 -04:00
Bram Matthys 8f7886d9c7 init_ctx_client() was accidentally setting options on ctx_server. Reported by Jobe (#4346). 2015-05-18 12:12:24 +02:00
Bram Matthys 94a6305880 Added config_report_ssl_error() which is now used when we failed to (re)initialize
SSL, may print a bit more meaningful errors (though rather long and obscure).
2014-07-20 17:45:58 +02:00
Bram Matthys a51479b614 Win32: Fix SSL error not showing up in dialog box (was logged to ircd.log, though..) 2014-07-20 17:31:15 +02:00
Bram Matthys 7ba2e3214c First attempt at allowing server to boot if SSL is enabled but the
server/client SSL context failed to load (eg: no cert/key file).
2014-07-20 16:50:29 +02:00
Bram Matthys d7c198cc82 Secure server to server links were previously hardcoded at SSLv3. This has
been fixed to be 'SSLv3 or later'.  In practice this means that you will now
see a lot more server-to-server links using TLSv1.2.
2014-01-09 21:39:36 +01:00
Bram Matthys 101d2dd6a3 Big 3.4.x commit containing bug fixes and enhancements. Modularizing
user & channel modes. Fixing Windows build. Etc..
2014-05-11 20:56:02 +02:00
William Pitcock f5cfafb94e - ssl: include prototype for start_of_normal_client_handshake(). 2013-05-24 23:16:37 +00:00
William Pitcock afdf5d780a - Replace ircsprintf() with bounds-checking ircsnprintf(), patch from FalconKirtaran. (#4208) 2013-05-21 06:26:52 +00:00
William Pitcock 61fe014771 - Remove sendto_server_butone() and friends, now everything uses sendto_server(). (#4202)
Patch from FalconKirtaran.
2013-05-20 01:21:45 +00:00
William Pitcock 95370c6420 - ssl: Clean up no longer needed debug messages. 2013-05-06 02:42:26 +00:00
William Pitcock 595afafd28 - Finish up SSL linking support for evented I/O. 2013-05-06 02:39:18 +00:00
William Pitcock 5bbc40438f - Initial work at making SSL connects work with the evented I/O. 2013-05-06 02:14:31 +00:00
William Pitcock 0b5fb5903e - SSL: fix some bitrot left over from evented i/o rewrite 2013-01-14 06:23:53 -06:00
William Pitcock f768abc2c2 - Fix typo in previous patch, pointed out by Wolfwood. (#4147) 2012-12-26 13:18:27 -06:00
William Pitcock 614a006900 - Do not attempt to set up DH params if not requested. 2012-12-01 23:11:44 -06:00
William Pitcock 501d93d6ea - Add support for providing a DH parameters file. (#4147)
DH parameters files must be encoded in PEM format, and the path is
  set using the ssl::dh config setting.  This is based on a patch
  submitted by wolfwood, with some modifications to avoid using stdio
  unnecessarily and to avoid code duplication.
2012-12-01 22:49:19 -06:00
William Pitcock ab5e766d9c - Replace calls to strncpyzt() macro with more secure strlcpy().
This was done using Coccinelle, the semantic patch was:

  @@
  expression src, dst, len;
  @@

  - strncpyzt(src, dst, len);
  + strlcpy(src, dst, len);
2012-11-21 03:22:29 +00:00
William Pitcock 25318ec24b - Port the SSL code over to the evented I/O subsystem. 2012-10-05 14:19:54 +00:00