commit bb20aeb9bcbb27eda540a6df2faf2d07e71d23f3
from: Alexander Barton <alex@barton.de>
date: Fri Sep 21 08:36:09 2012 UTC

Initialize SSL when needed only, and disable SSL on errors

With this patch, the SSL subsystem will only be initialized if at least
one SSL ports is configured; so you won't get "SSL initialization failed"
messages if you didn't configured it at all.

And if SSL initialization fails, no SSL listen ports will be enabled
later which never could establish a working SSL connection at all ...

commit - 1413a4886ffa120e82d4963368e82b4d5ec6eb2d
commit + bb20aeb9bcbb27eda540a6df2faf2d07e71d23f3
blob - 8f7b70afccb0e310793013e0f53ee5f38522a614
blob + 914d01651235ad16af2e81ebb3d9a045e1d39a37
--- src/ngircd/conn-ssl.c
+++ src/ngircd/conn-ssl.c
@@ -241,6 +241,9 @@ void ConnSSL_Free(CONNECTION *c)
 bool
 ConnSSL_InitLibrary( void )
 {
+	if (!array_bytes(&Conf_SSLOptions.ListenPorts))
+		return true;
+
 #ifdef HAVE_LIBSSL
 	SSL_CTX *newctx;
 
@@ -256,12 +259,14 @@ ConnSSL_InitLibrary( void )
 		 * According to OpenSSL RAND_egd(3): "The automatic query of /var/run/egd-pool et al was added in OpenSSL 0.9.7";
 		 * so it makes little sense to deal with PRNGD seeding ourselves.
 		 */
+		array_free(&Conf_SSLOptions.ListenPorts);
 		return false;
 	}
 
 	newctx = SSL_CTX_new(SSLv23_method());
 	if (!newctx) {
 		LogOpenSSLError("SSL_CTX_new()", NULL);
+		array_free(&Conf_SSLOptions.ListenPorts);
 		return false;
 	}
 
@@ -276,6 +281,7 @@ ConnSSL_InitLibrary( void )
 	return true;
 out:
 	SSL_CTX_free(newctx);
+	array_free(&Conf_SSLOptions.ListenPorts);
 	return false;
 #endif
 #ifdef HAVE_LIBGNUTLS
@@ -287,10 +293,13 @@ out:
 	err = gnutls_global_init();
 	if (err) {
 		Log(LOG_ERR, "gnutls_global_init(): %s", gnutls_strerror(err));
+		array_free(&Conf_SSLOptions.ListenPorts);
 		return false;
 	}
-	if (!ConnSSL_LoadServerKey_gnutls())
+	if (!ConnSSL_LoadServerKey_gnutls()) {
+		array_free(&Conf_SSLOptions.ListenPorts);
 		return false;
+	}
 	Log(LOG_INFO, "gnutls %s initialized.", gnutls_check_version(NULL));
 	initialized = true;
 	return true;
@@ -313,7 +322,7 @@ ConnSSL_LoadServerKey_gnutls(void)
 
 	cert_file = Conf_SSLOptions.CertFile ? Conf_SSLOptions.CertFile:Conf_SSLOptions.KeyFile;
 	if (!cert_file) {
-		Log(LOG_NOTICE, "No SSL server key configured, SSL disabled.");
+		Log(LOG_ERR, "No SSL server key configured!");
 		return false;
 	}
 
@@ -344,7 +353,7 @@ ConnSSL_LoadServerKey_openssl(SSL_CTX *ctx)
 
 	assert(ctx);
 	if (!Conf_SSLOptions.KeyFile) {
-		Log(LOG_NOTICE, "No SSL server key configured, SSL disabled.");
+		Log(LOG_ERR, "No SSL server key configured!");
 		return false;
 	}
 
blob - 585e2ac0ae8ad1981c7e0b033855df39c2996659
blob + a4c2fe8aabc07c72ff5fa00b21330ea087612856
--- src/ngircd/ngircd.c
+++ src/ngircd/ngircd.c
@@ -662,7 +662,7 @@ NGIRCd_Init(bool NGIRCd_NoDaemon)
 	/* SSL initialization */
 	if (!ConnSSL_InitLibrary())
 		Log(LOG_WARNING,
-		    "Warning: Error during SSL initialization, continuing ...");
+		    "Error during SSL initialization, continuing without SSL ...");
 
 	/* Change root */
 	if (Conf_Chroot[0]) {