Bram Matthys
1f856745e5
4.0.14-rc1
2017-09-08 08:16:21 +02:00
Bram Matthys
366a494c00
Last update of release notes before -rc1?
2017-09-08 08:15:54 +02:00
Bram Matthys
2914695681
We can't prevent all user mistakes, but we can at least prevent some..
2017-09-08 07:53:20 +02:00
Bram Matthys
461ce8016a
Some modes in set::modes-on-connect gave an error. These were
old user modes such as +N and +A that were previously forbidden but
may nowadays be (re-)used by 3rd party modules.
Reported by marco500 (#4980).
2017-09-08 07:39:56 +02:00
Bram Matthys
ea974ed018
Update Windows makefile (+SRC/OPENSSL_HOSTNAME_VALIDATION.OBJ)
2017-09-06 16:51:18 +02:00
Bram Matthys
296decf648
This code can be removed now that we have a working verify_certificate().
Also broke LibreSSL (SSL_CTX_get0_param undefined).
2017-09-06 16:49:25 +02:00
Bram Matthys
a21222a672
Bump MODDATA_MAX_CLIENT from 8 to 12 and move MODDATA_MAX_* to include/config.h
2017-09-06 16:29:48 +02:00
Bram Matthys
05c6dfbb35
Update release notes
2017-09-06 16:22:13 +02:00
Bram Matthys
edb144d570
Update cipher suite to include TLSv1.3 ciphers.
This is so the upcoming UnrealIRCd version will work with TLSv1.3 whenever it
becomes an official standard and is included in OpenSSL/LibreSSL.
(Verified to work with openssl git master branch)
2017-09-06 16:09:22 +02:00
Bram Matthys
a5dbd3aa7c
SSL/TLS: Use SNI in outgoing server link.
2017-09-06 14:32:21 +02:00
Bram Matthys
b757d2eff0
Show set::sasl-server in '/STATS set'. Suggested by Gottem (#0004997).
2017-09-06 08:44:12 +02:00
Bram Matthys
08bc61ec00
We now refuse to enable SSL/TLS with weak ciphers: DES, 3DES, RC4.
2017-09-06 08:21:14 +02:00
Bram Matthys
959195e7d7
Update Windows makefile to match *NIX objects
2017-09-03 16:27:55 +02:00
Bram Matthys
58ebc9c6be
Move previous release notes (4.0.13) to doc/RELEASE-NOTES.old
2017-09-03 16:23:05 +02:00
Bram Matthys
788f628403
Update release notes
2017-09-03 16:22:44 +02:00
Bram Matthys
3510a98e50
Shorten the set::plaintext-policy text. Content was good but it was too long.
2017-09-03 16:10:37 +02:00
Bram Matthys
8fad7c563d
Add cap/link-security and cap/plaintext-policy modules.
2017-09-03 16:06:39 +02:00
Bram Matthys
1faa91ed0e
Add helper function plaintextpolicy_valtochar().
2017-09-02 15:49:02 +02:00
Bram Matthys
78695f3eea
Permit attaching client moddata to servers (and synch properly, if .synch=1)
2017-09-02 15:47:58 +02:00
Bram Matthys
0da1fdb2d2
Fix possible crash in /STATS due to change from yesterday.
Other than that, some minor style and real things.
2017-09-02 08:27:55 +02:00
Bram Matthys
3ade6c7ecb
:D
2017-09-01 18:15:47 +02:00
Bram Matthys
199a7e162d
Make new functions more generic and use them from the crash reporter so
people with older OpenSSL libraries (and LibreSSL) benefit from
the hostname validation code there as well.
2017-09-01 17:28:49 +02:00
Bram Matthys
aa829bce12
New option link::verify-certificate [yes|no]. This will cause UnrealIRCd
to validate the certificate of the link, making sure that:
1) The certificate is issued by a trusted Certificate Authority (CA).
2) The name on the certificate matches the name of the link block.
Some things still need to be done: documentation, more testing, and
using the X509_check_host() function when available.
2017-09-01 17:10:29 +02:00
Bram Matthys
ac66a0fe12
Add hostname verification code from ssl conservatory & curl
(will be used in next commit)
2017-09-01 17:02:36 +02:00
Bram Matthys
5ff4fb3f87
Remove old code.. this is already set in link->ssl_ctx by init_ctx().
(tested)
2017-09-01 09:32:51 +02:00
Bram Matthys
6d7be72f2b
Remove ssl option 'no-self-signed'. Use 'verify-certificate' instead.
Nobody used this option and it only caused the following confusing
(and potentially insecure) behavior:
Previously if you had 'verify-certificate' enabled then the certificate
would be checked, BUT if it was a self-signed certificate (and thus
not passing verify-cert) it was STILL allowed unless you also
specified the 'no-self-signed' option. This might be correct as per
documentation but is way too confusing for the user.
Now you simply have to choose whether you verify the certificate or
not. No special handling for self-signed certificates.
2017-09-01 08:55:01 +02:00
Bram Matthys
08b621aa08
+Minor issues fixed
2017-08-25 20:38:30 +02:00
Bram Matthys
5cf28d0d46
It was possible to have a block named 'link irc1.test.net' and then get
connected to a server introducing himself as irc2.test.net. This
was rather confusing, of course. Wasn't much of a security issue since
this only happened in outgoing connects and naturally all authentication
needs to pass as well.
2017-08-25 20:34:27 +02:00
Bram Matthys
bfb3e0847b
If you had an unknown link::someunknownitem then UnrealIRCd would not
throw an error. Now it does.
2017-08-25 17:48:54 +02:00
Bram Matthys
74466a4065
Consider any client with the same IP as a listen::ip to be loopback.
This is done for users on shared IRCd shells[*] which may be used to (or
forced to) connect services via their alias IP rather than 127.0.0.1
due to bind restrictions. This, in turn, is to ease the transition to
set::plaintext-policy::server deny.
[*] Side-note: The UnrealIRCd team recommends using a VPS and not a
shared shell, as the latter is considerably less secure.
2017-08-20 10:35:45 +02:00
Bram Matthys
d490b0ee3e
"No log { } block found -- using default: errors will be logged to 'ircd.log'"
Unfortunately it was then logging to tmp/ircd.log rather than logs/ircd.log
2017-08-19 12:12:06 +02:00
Bram Matthys
efb344b9b2
duh.
2017-08-19 12:07:54 +02:00
Bram Matthys
6afbc4ee99
Relative paths for sslclientcerts did not work. This has been fixed
so password "ssl/something.crt" { sslclientcert; }; works OK now.
2017-08-19 12:02:25 +02:00
Bram Matthys
bfa00e95b7
Set default plaintext-policy to be 'warn' for /OPER and 'deny' for
server linking. Write some draft release notes for later use.
2017-08-19 11:19:33 +02:00
Bram Matthys
361a354c4b
If set::plaintext-policy::user is 'deny' and a non-SSL/TLS-user is
trying to connect then SASL is not advertised.
2017-08-16 19:45:17 +02:00
Bram Matthys
d53d46fce4
Add set::plaintext-policy block by which you can warn or deny user connections,
ircop /OPER attempts and incoming server linking attempts from connections
that are not encrypted with SSL/TLS.
Documentation: https://www.unrealircd.org/docs/Set_block#set::plaintext-policy
2017-08-16 19:39:28 +02:00
Bram Matthys
40e3e11b61
UnrealIRCd 4.0.13
2017-08-15 12:12:10 +02:00
Bram Matthys
0b5e46cd23
Fix extban_conv_param_nuh not marked as extern. Reported by Gottem (#4975)
2017-08-15 12:08:11 +02:00
Bram Matthys
c8a67f9436
Update curl-ca-bundle to Wed Jun 7 03:12:05 2017. Remove CACERT.
2017-08-15 11:48:48 +02:00
Bram Matthys
c7457434c4
..
2017-08-10 09:37:38 +02:00
Bram Matthys
77f8b9ed5a
Build fix for cap/sts on Windows
2017-08-10 09:36:18 +02:00
Bram Matthys
74d5f380dd
A /REHASH from a WebSocket connection would cause a crash (requires
IRCOp privileges). This is a rather technical issue, we now simply
reject the rehash. See comments in code for more information.
2017-08-10 09:02:05 +02:00
Bram Matthys
18202a0f73
Fix "ban too broad" checking. Reported by Gottem in #4961.
* The 'ban too broad' checking was broken. This permitted glines such
as 192.168.0.0/1 being set. Now it rejects CIDR of /15 and lower.
To disable this safety measure you can (still) use:
set { options { allow-insane-bans; }; };
2017-08-10 08:30:54 +02:00
Bram Matthys
f5b29ed7de
Add modules/cap directory to Windows installer.
2017-08-10 07:54:01 +02:00
Bram Matthys
8ccf5700f1
Prepare for 4.0.13-rc1
2017-08-10 07:46:17 +02:00
Bram Matthys
d222a18286
Fix "simple" spamfilters being synched as "posix" during server linking.
This was due to lack of TKLEXT2 support in the m_tkl_synch() code.
2017-08-10 07:07:37 +02:00
Bram Matthys
69a2e7d994
Whoops. This code cleanup screwed up STS. Should work now.
2017-08-09 19:11:28 +02:00
Bram Matthys
6c539c8566
Bump Websocket module version to 1.0.0
2017-08-09 18:12:03 +02:00
Bram Matthys
06aa2ad79a
Websocket module: don't send CR/LF in outgoing frames and don't require
CR/LF in incoming frames (simply ignore them if they are present).
2017-08-09 18:00:44 +02:00
Bram Matthys
ab3e65a76f
Load cap/sts module by default (only active if set::ssl::sts-policy is set).
2017-08-09 15:49:03 +02:00