diff --git a/doc/sample-ngircd.conf.tmpl b/doc/sample-ngircd.conf.tmpl index ae1b213..e63393a 100644 --- a/doc/sample-ngircd.conf.tmpl +++ b/doc/sample-ngircd.conf.tmpl @@ -260,6 +260,12 @@ # Additional Listen Ports that expect SSL/TLS encrypted connections ;Ports = 6697, 9999 + # OpenSSL: Select cipher suites used for ssl/tls connections + # more info at 'man 1ssl ciphers' + # Example below disallows besides LowStrength, the Medium Strength Cipher Suites, SSLv2 + # RC-4, which tend to be broken + ;CipherList = !aNULL:!eNULL:!LOW:!SSLv2:!EXPORT:!EXPORT56:!RC4:!MEDIUM:HIGH:@STRENGTH + [Operator] # [Operator] sections are used to define IRC Operators. There may be # more than one [Operator] block, one for each local operator. diff --git a/src/ngircd/conf.c b/src/ngircd/conf.c index b10f490..1de9aa6 100644 --- a/src/ngircd/conf.c +++ b/src/ngircd/conf.c @@ -117,6 +117,9 @@ ConfSSL_Init(void) array_free_wipe(&Conf_SSLOptions.KeyFilePassword); array_free(&Conf_SSLOptions.ListenPorts); + + free(Conf_SSLOptions.CipherList); + Conf_SSLOptions.CipherList = NULL; } /** @@ -443,6 +446,8 @@ Conf_Test( void ) array_free_wipe(&Conf_SSLOptions.KeyFilePassword); printf(" Ports = "); ports_puts(&Conf_SSLOptions.ListenPorts); + printf(" CipherList = %s\n", Conf_SSLOptions.CipherList + ? Conf_SSLOptions.CipherList : ""); puts(""); #endif @@ -1869,6 +1874,11 @@ Handle_SSL(const char *File, int Line, char *Var, char *Arg) ports_parse(&Conf_SSLOptions.ListenPorts, Line, Arg); return; } + if (strcasecmp(Var, "CipherList") == 0) { + assert(Conf_SSLOptions.CipherList == NULL); + Conf_SSLOptions.CipherList = strdup_warn(Arg); + return; + } Config_Error_Section(File, Line, Var, "SSL"); } diff --git a/src/ngircd/conf.h b/src/ngircd/conf.h index 948749d..1409d25 100644 --- a/src/ngircd/conf.h +++ b/src/ngircd/conf.h @@ -75,6 +75,7 @@ struct SSLOptions { char *DHFile; /**< File containing DH parameters */ array ListenPorts; /**< Array of listening SSL ports */ array KeyFilePassword; /**< Key file password */ + char *CipherList; /**< Set SSL cipher list to use (see SSL_CTX_set_cipher_list() ) */ }; #endif diff --git a/src/ngircd/conn-ssl.c b/src/ngircd/conn-ssl.c index 096ff95..0450130 100644 --- a/src/ngircd/conn-ssl.c +++ b/src/ngircd/conn-ssl.c @@ -303,6 +303,17 @@ ConnSSL_InitLibrary( void ) if (!ConnSSL_LoadServerKey_openssl(newctx)) goto out; + if(Conf_SSLOptions.CipherList != NULL && strlen(Conf_SSLOptions.CipherList) > 0 ){ + if(SSL_CTX_set_cipher_list(newctx, Conf_SSLOptions.CipherList) == 0 ){ + Log(LOG_ERR, "Failed to apply CipherList=%s", Conf_SSLOptions.CipherList); + return false; + } else { + Log(LOG_INFO, "Successfully applied SSL CipherList=%s", Conf_SSLOptions.CipherList); + } + } else { + Log(LOG_INFO, "SSL using default CipherList"); + } + SSL_CTX_set_options(newctx, SSL_OP_SINGLE_DH_USE|SSL_OP_NO_SSLv2); SSL_CTX_set_mode(newctx, SSL_MODE_ENABLE_PARTIAL_WRITE); SSL_CTX_set_verify(newctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE, Verify_openssl); diff --git a/src/ngircd/ngircd.c b/src/ngircd/ngircd.c index f0cb150..652cf2d 100644 --- a/src/ngircd/ngircd.c +++ b/src/ngircd/ngircd.c @@ -673,9 +673,10 @@ NGIRCd_Init(bool NGIRCd_NoDaemon) } /* SSL initialization */ - if (!ConnSSL_InitLibrary()) - Log(LOG_WARNING, - "Error during SSL initialization, continuing without SSL ..."); + if (!ConnSSL_InitLibrary()) { + Log(LOG_WARNING, "Error during SSL initialization..."); + goto out; + } /* Change root */ if (Conf_Chroot[0]) {