mirror of https://github.com/unrealircd/unrealircd.git synced 2026-07-05 00:13:14 +02:00
Commit Graph

6641 Commits

Author SHA1 Message Date
Bram Matthys e82dbdce1a Update doc/RELEASE-NOTES.old. Now contains 4.2.0 and 4.2.1 release notes,
I forgot the 4.2.0 one earlier..
2019-01-18 13:20:28 +01:00
Bram Matthys 4681603c52 Fix bug where "link-security" was downgraded to level 1 if using 'spkifp'. 2019-01-18 13:10:51 +01:00
Bram Matthys 778be86c66 Update HELPOP EXTBANS on ~t (timed bans), ~m (msgbypass) and ~T (textban)
since these are loaded by default since UnrealIRCd 4.2.0.
2019-01-14 15:10:23 +01:00
Bram Matthys f4b432ae94 Add RC4 and 3DES to set::ssl::outdated-ciphers, in case anyone uses some
insecure custom ::ciphers setting, this so RC4 and 3DES still get flagged.
2019-01-12 11:29:16 +01:00
Bram Matthys 67d691fce9 * New set::outdated-tls-policy which describes what to do with clients
that use outdated SSL/TLS protocols (eg: TLSv1.0) and ciphers.
  The default settings are to warn in all cases: users connecting,
  opers /OPER'ing up and servers linking in. The user will see a message
  telling them to upgrade their IRC client.
  This should help with migrating such users since in the future, say one
  or two years from now, we would want to change the default to only allow
  TLSv1.2+ with ciphers that provide Forward Secrecy. Instead of rejecting
  clients without any error message, this provides a way to warn them and
  give them some time to upgrade their outdated IRC client.
  https://www.unrealircd.org/docs/Set_block#set::outdated-tls-policy
2019-01-12 11:08:18 +01:00
Bram Matthys 8e7a085474 AppArmor profile in extras/security/apparmor: no changes but make it
clear that this has been tested on Ubuntu 16.04 and Ubuntu 18.04.
2019-01-12 10:52:05 +01:00
Bram Matthys 5fd673d059 Rename PLAINTEXT_POLICY_* to POLICY_ (and similarly, the struct, etc) 2019-01-11 13:27:29 +01:00
Bram Matthys a1d2698ead Provide get_ssl_options_for_client() to get the SSLOptions * for a client. 2019-01-11 13:16:09 +01:00
Bram Matthys b0c8629284 Travis-CI: remove TLS test for libressl-25 (no longer supported)
[skip ci]
2019-01-11 12:34:43 +01:00
Bram Matthys 72a3a445ee Travis-CI: Update OpenSSL and LibreSSL versions
* Remove LibreSSL versions that are no longer supported (2.5.x and 2.6.x).
* Add LibreSSL 2.8.x (current stable) and 2.9.x (current dev)
* OpenSSL releases only had updates in their 'letter suffixes'
2019-01-11 11:54:13 +01:00
Bram Matthys 9668aaaade Travis-CI: Rename .txt files to match $BUILDCONFIG 2019-01-11 11:42:36 +01:00
Bram Matthys dbeb5af2ea Updates to SSL/TLS tests. 2019-01-11 11:30:40 +01:00
Bram Matthys 227abacdb5 Hm? 2019-01-11 10:52:16 +01:00
Bram Matthys 8e1af5f304 Update SSL/TLS tests and put them in extras/tests/tls 2019-01-11 10:45:20 +01:00
Bram Matthys 9873382e6b Add SSL/TLS tests. 2019-01-11 10:06:21 +01:00
Bram Matthys 7d68ea0570 Update default ciphers, or actually only the ones not providing PFS, by
preferring AES-256 over AES-128 (in contrast to the Mozilla "intermediate"
profile which prefers AES-128). Again, this only affects non-PFS cases, as
all modern clients with PFS already had CHACHA20 and AES-256 negotiated.
The portion of non-PFS clients should only be a few percent, if any.
I was actually considering removing non-PFS ciphersuites but it seems a bit
early to do so, at least not without more research on affected clients.
2019-01-11 09:19:44 +01:00
Bram Matthys dbbe6e7248 Travis-CI: another attempt 2019-01-10 20:29:11 +01:00
Bram Matthys 981a5d44b2 Travis-CI: install specific bundler (wtf?) 2019-01-06 20:34:16 +01:00
Bram Matthys 2a9b20369b Travis-CI: use Ubuntu 16.04 instead of 14.04
...since 14.04 seems to fail due to an outdated ruby.
2019-01-06 20:14:04 +01:00
Bram Matthys 8c9e4b8668 Poison unused parv[] elements that code should never access.
The last parv[] array element will be NULL. Accessing any elements after
that is undefined, similar to reading past the nul byte of a string.
This poison will help catch such bugs. Without this poison your code
will also crash, now it just crashes more consistently.
2019-01-06 19:21:59 +01:00
Bram Matthys dbf7aeb386 UnrealIRCd 4.2.1.1: compile fix for Debian stretch if you have a version of
libargon2 installed that does not provide Argon2id.
2019-01-03 08:57:59 +01:00
Bram Matthys 4965fc6741 Fix for systems with libargon2 that don't have Argon2id (Debian 9.6).
Apparently Debian stretch has 20160821's version which just falls short.
20161029 already has it included. We'll now use shipped libargon2 for
versions below 20161029. Thanks to vectr0n for reporting the issue.
2019-01-02 19:20:42 +01:00
Bram Matthys c173b17064 Fix SAJOIN, SAPART and SAMODE not working due to operclass.default.conf
using the 'sacmds' permission, when it should actually be 'sacmd'.
Reported by Stanley.
2018-12-28 17:55:32 +01:00
Bram Matthys 5da3ef8889 UnrealIRCd 4.2.1 (will publish tomorrow) 2018-12-26 23:06:33 +01:00
Bram Matthys 8b0cad3845 Fix for 'require authentication' (duh)
.. yeah I and others were still using 'require sasl' :D
2018-12-22 10:36:48 +01:00
Bram Matthys 56568f4033 Update release notes. This may be final for 4.2.1-rc1. 2018-12-22 10:12:53 +01:00
Bram Matthys 43de2dd747 Update release notes 2018-12-21 18:05:06 +01:00
Bram Matthys 73502ca4b6 Update help.conf with new WHO status flag 's' (secure) 2018-12-21 18:03:57 +01:00
Bram Matthys bb7bc90612 Forgot to update c-ares version in extras/curlinstall.... 2018-12-21 15:59:51 +01:00
Bram Matthys ad9a1b0b94 Import settings from UnrealIRCd 4.2.0
[skip ci]
2018-12-21 15:57:08 +01:00
Bram Matthys e30712f3d4 Update Windows libraries and the Windows build command for build tests.
[skip travis ci]
2018-12-21 15:42:32 +01:00
Bram Matthys f3f397b066 Update shipped libs: c-ares to 1.15.0 and PCRE2 to 10.32 2018-12-21 15:32:23 +01:00
Bram Matthys f1844e40a5 Set version to 4.2.1-rc1. The release notes are still likely to change. 2018-12-21 15:24:12 +01:00
Bram Matthys 54c17aa65d Indicate 's' in WHO reply flags if the user is secure (SSL/TLS). 2018-12-21 14:21:19 +01:00
Bram Matthys bb0530f694 In the authprompt documentation point the user to (possibly) tweaking
the set::handshake-timeout setting as well.
2018-12-21 13:24:25 +01:00
Bram Matthys 7755d10829 [authprompt] Suggest /QUOTE AUTH .. instead of /AUTH .. 2018-12-21 07:58:38 +01:00
Bram Matthys 62e30ec342 Fix typo in config warning. 2018-12-21 07:58:12 +01:00
Bram Matthys 267c2f3e56 Make authprompt work for soft KLINE/GLINE and soft-xx ban actions
(in registration phase anyway), as promised earlier in the documentation.
2018-12-19 17:42:13 +01:00
Bram Matthys 7f8172faef Bump fakelag on failed authentication attempt (SASL, real or emulated) 2018-12-19 17:41:28 +01:00
Bram Matthys 7aaf5e9a42 Update release notes regarding a fix from today.
[skip ci]
2018-12-19 17:13:39 +01:00
Bram Matthys 88fadc134d Fix build issue on Windows
[skip travis ci]
2018-12-19 13:58:44 +01:00
Bram Matthys 0ac56e4444 Fix line number in error messages being off, as reported in
https://bugs.unrealircd.org/view.php?id=5169
caused by commit 51ed51dff1
2018-12-19 13:50:09 +01:00
Bram Matthys 56a964bba1 Hide remote includes auth information in error messages. Reported by Jellis
in https://bugs.unrealircd.org/view.php?id=5172
2018-12-19 13:02:36 +01:00
Bram Matthys 6b089dfcd6 The new module is now called authprompt. Also wrote an article:
https://www.unrealircd.org/docs/Authentication
And "require sasl" is now "require authentication"
(the old name will only raise a warning, not cause an error)

Note that authprompt currently only does the "require authentication"
stuff and not yet the soft-xx actions. That will be something for
later this week, but I've already documented it as such (here and
there anyway).
2018-12-17 17:32:43 +01:00
Bram Matthys b1e1b6d9d5 quick fix for build tests, will fix later. 2018-12-16 16:40:35 +01:00
Bram Matthys ce4aeff63f Add saslemulation to Windows makefile.
[skip travis ci]
2018-12-16 15:53:12 +01:00
Bram Matthys 2ed958f2ee Fix typo in modules.optional.conf. 2018-12-16 15:52:04 +01:00
Bram Matthys 9f3e060a3d This is a better one line description. 2018-12-16 13:56:17 +01:00
Bram Matthys 0254894368 Authentication prompt for non-SASL users:
We previously introduced the "require sasl" block which allows you to
force users from certain IP addresses to authenticate with their nickname
and password via SASL. We now offer a new experimental module called
'saslemulation' which will help non-SASL users by showing a notice and
asking them to authenticate to their account via /AUTH <user>:<pass>.
See https://www.unrealircd.org/docs/Set_block#set::sasl-emulation

Note that this is work in progress, although the functionality of
already works. Still need to do some cleaning and expand the scope.
And more testing...
2018-12-16 13:51:22 +01:00
k4bek4be c124f65027 fix IPv6 DNS blacklist (#78)
Fix IPv6 blacklist checking (DNSBL). Patch from k4be.
2018-12-15 19:53:33 +01:00