Made on IRCNow

Commit Diff

Commit:: 84ed46d4c1caaa4ec79a6223c35785afcf1c9d53
From:: Alexander Barton <alex@barton.de>
Date:: Sun Sep 15 13:09:36 2013 UTC
Message:: Cipher list selection for OpenSSL This patch introduces the possibility to arbitrarily select ciphers which should be promoted resp. declined when establishing a SSL connection with a client by implementing the new configuration option "CipherList". By default, OpenSSL would accept low and medium strength and RC-4 ciphers, which nowadays are known to be broken. This patch only implements the feature for OpenSSL. A GnuTLS counterpart has to be implemented in another patch ... Original patch by Bastian <bastian-ngircd@t6l.de>. Closes bug #162.
Actions:: Patch | Tree

commit - 849f85a05c17828c592bed26bd99707f211fad1c
commit + 84ed46d4c1caaa4ec79a6223c35785afcf1c9d53
blob - ae1b213950b8484ed4ab0ac92e9c9c03d86cea47
blob + a4dbf8695987fc2cf117f4d05f1adae33b19654f
--- doc/sample-ngircd.conf.tmpl
+++ doc/sample-ngircd.conf.tmpl
@@ -248,6 +248,13 @@
 	# SSL Server Key Certificate
 	;CertFile = :ETCDIR:/ssl/server-cert.pem
 
+	# Select cipher suites allowed for SSL/TLS connections (OpenSSL only).
+	# This defaults to the empty string, so all supported ciphers are
+	# allowed. Please see 'man 1ssl ciphers' for details.
+	# The example below only allows "high strength" cipher suites, disables
+	# the ones without authentication, and sorts by strength:
+	;CipherList = HIGH:!aNULL:@STRENGTH
+
 	# Diffie-Hellman parameters
 	;DHFile = :ETCDIR:/ssl/dhparams.pem
 
blob - cf926f9a3b80845f1b45715664a66f1709fddb94
blob + 263dec047d5e6ebcbefc85571593e7fe075b22f0
--- man/ngircd.conf.5.tmpl
+++ man/ngircd.conf.5.tmpl
@@ -366,6 +366,13 @@ when it is compiled with support for SSL using OpenSSL
 \fBCertFile\fR (string)
 SSL Certificate file of the private server key.
 .TP
+\fBCipherList\fR (string)
+OpenSSL only: Select cipher suites allowed for SSL/TLS connections. This
+defaults to the empty string, so all supported ciphers are allowed. Please see
+'man 1ssl ciphers' for details. This setting allows only "high strength" cipher
+suites, disables the ones without authentication, and sorts by strength, for
+example: "HIGH:!aNULL:@STRENGTH".
+.TP
 \fBDHFile\fR (string)
 Name of the Diffie-Hellman Parameter file. Can be created with GnuTLS
 "certtool \-\-generate-dh-params" or "openssl dhparam". If this file is not
blob - b10f4905c9ec7befb08b5b5717cc6397cc48bea9
blob + 9ab66e54cf194b3c7afe68c90104d62e309e8ae1
--- src/ngircd/conf.c
+++ src/ngircd/conf.c
@@ -117,6 +117,9 @@ ConfSSL_Init(void)
 	array_free_wipe(&Conf_SSLOptions.KeyFilePassword);
 
 	array_free(&Conf_SSLOptions.ListenPorts);
+
+	free(Conf_SSLOptions.CipherList);
+	Conf_SSLOptions.CipherList = NULL;
 }
 
 /**
@@ -432,6 +435,8 @@ Conf_Test( void )
 	puts("[SSL]");
 	printf("  CertFile = %s\n", Conf_SSLOptions.CertFile
 					? Conf_SSLOptions.CertFile : "");
+	printf("  CipherList = %s\n", Conf_SSLOptions.CipherList
+					? Conf_SSLOptions.CipherList : "");
 	printf("  DHFile = %s\n", Conf_SSLOptions.DHFile
 					? Conf_SSLOptions.DHFile : "");
 	printf("  KeyFile = %s\n", Conf_SSLOptions.KeyFile
@@ -1869,6 +1874,11 @@ Handle_SSL(const char *File, int Line, char *Var, char
 		ports_parse(&Conf_SSLOptions.ListenPorts, Line, Arg);
 		return;
 	}
+	if (strcasecmp(Var, "CipherList") == 0) {
+		assert(Conf_SSLOptions.CipherList == NULL);
+		Conf_SSLOptions.CipherList = strdup_warn(Arg);
+		return;
+	}
 
 	Config_Error_Section(File, Line, Var, "SSL");
 }
blob - 948749de617bc433b6302edac2633eb1fc6e2bbe
blob + 02d23315552b0915020cb8690f1c084e97d69133
--- src/ngircd/conf.h
+++ src/ngircd/conf.h
@@ -75,6 +75,7 @@ struct SSLOptions {
 	char *DHFile;			/**< File containing DH parameters */
 	array ListenPorts;		/**< Array of listening SSL ports */
 	array KeyFilePassword;		/**< Key file password */
+	char *CipherList;		/**< Set SSL cipher list to use */
 };
 #endif
 
blob - 595cb615e6e78ed192f154a016c5ea5d3778e2d2
blob + 059e871ddaa38af341e995f577225fad84940091
--- src/ngircd/conn-ssl.c
+++ src/ngircd/conn-ssl.c
@@ -304,6 +304,19 @@ ConnSSL_InitLibrary( void )
 
 	if (!ConnSSL_LoadServerKey_openssl(newctx))
 		goto out;
+
+	if(Conf_SSLOptions.CipherList && *Conf_SSLOptions.CipherList) {
+		if(SSL_CTX_set_cipher_list(newctx, Conf_SSLOptions.CipherList) == 0 ) {
+			Log(LOG_ERR,
+			    "Failed to apply SSL cipher list \"%s\"!",
+			    Conf_SSLOptions.CipherList);
+			goto out;
+		} else {
+			Log(LOG_INFO,
+			    "Successfully applied SSL cipher list: \"%s\".",
+			    Conf_SSLOptions.CipherList);
+		}
+	}
 
 	SSL_CTX_set_options(newctx, SSL_OP_SINGLE_DH_USE|SSL_OP_NO_SSLv2);
 	SSL_CTX_set_mode(newctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
@@ -328,6 +341,14 @@ out:
 		return false;
 	}
 
+	if(Conf_SSLOptions.CipherList != NULL) {
+		Log(LOG_ERR,
+		    "Failed to apply SSL cipher list \"%s\": Not implemented for GnuTLS!",
+		    Conf_SSLOptions.CipherList);
+		array_free(&Conf_SSLOptions.ListenPorts);
+		return false;
+	}
+
 	err = gnutls_global_init();
 	if (err) {
 		Log(LOG_ERR, "Failed to initialize GnuTLS: %s",
@@ -339,6 +360,7 @@ out:
 		array_free(&Conf_SSLOptions.ListenPorts);
 		return false;
 	}
+
 	Log(LOG_INFO, "GnuTLS %s initialized.", gnutls_check_version(NULL));
 	initialized = true;
 	return true;
@@ -368,7 +390,7 @@ ConnSSL_LoadServerKey_gnutls(void)
 
 	if (array_bytes(&Conf_SSLOptions.KeyFilePassword))
 		Log(LOG_WARNING,
-		    "Ignoring KeyFilePassword: Not supported by GnuTLS.");
+		    "Ignoring SSL \"KeyFilePassword\": Not supported by GnuTLS.");
 
 	if (!Load_DH_params())
 		return false;