From bca3c1f81306431c7364f622fa336ae7ac1cd9d8 Mon Sep 17 00:00:00 2001 From: Alexander Barton Date: Fri, 16 Nov 2012 12:22:30 +0100 Subject: [PATCH 3/4] SSL/TLS: Clean up errors introduced while rebasing patches --- man/ngircd.conf.5.tmpl | 25 ++++++++----------------- src/ngircd/conf.c | 4 +++- src/ngircd/conn-ssl.c | 6 ++++-- 3 files changed, 15 insertions(+), 20 deletions(-) diff --git a/man/ngircd.conf.5.tmpl b/man/ngircd.conf.5.tmpl index e59239b..e621558 100644 --- a/man/ngircd.conf.5.tmpl +++ b/man/ngircd.conf.5.tmpl @@ -104,8 +104,6 @@ command. This information is not required by the server but by RFC! \fBInfo\fR (string) Info text of the server. This will be shown by WHOIS and LINKS requests for example. -======= ->>>>>>> SSL/TLS: Add initial certificate support to OpenSSL backend .TP \fBListen\fR (list of strings) A comma separated list of IP address on which the server should listen. @@ -371,11 +369,11 @@ OpenSSL only: Password to decrypt the private key file. Same as \fBPorts\fR , except that ngIRCd will expect incoming connections to be SSL/TLS encrypted. Common port numbers for SSL-encrypted IRC are 6669 and 6697. Default: none. +.TP \fBRequireClientCert\fR Do not accept SSL connections from clients that do not have a valid certificate. Defaults to false. Also see \fBSSLVerify\fR below. -.TP .SH [OPERATOR] .I [Operator] sections are used to define IRC Operators. There may be more than one @@ -442,26 +440,19 @@ You can use the IRC Operator command CONNECT later on to create the link. \fBSSLConnect\fR (boolean) Connect to the remote server using TLS/SSL. Default: false. .TP -<<<<<<< HEAD \fBServiceMask\fR (string) Define a (case insensitive) list of masks matching nicknames that should be treated as IRC services when introduced via this remote server, separated by commas (","). REGULAR SERVERS DON'T NEED this parameter, so leave it empty (which is the default). -======= +.TP \fBSSLVerify\fR -Verify Server Peer Certificate (Default: false). -If this is an active connection (i.e. ngircd connects to the peer), the ssl handshake -is aborted if the certificate of the remote server cannot be validated. -If this is a passive connection (ngircd waits for the remote server to connect) and -\fBfBSSLRequireClientCert\fR is false, the server link will only be established if the -password matches and a valid certificate was received. -.TP -\fBServiceMask\fR -Define a (case insensitive) mask matching nick names that should be treated as -IRC services when introduced via this remote server. REGULAR SERVERS DON'T NEED -this parameter, so leave it empty (which is the default). ->>>>>>> SSL/TLS: Add initial certificate support to OpenSSL backend +Verify Server Peer Certificate (Default: false). If this is an active +connection (i.e. ngircd connects to the peer), the ssl handshake is aborted if +the certificate of the remote server cannot be validated. If this is a passive +connection (ngircd waits for the remote server to connect) and +\fBfBSSLRequireClientCert\fR is false, the server link will only be established +if the password matches and a valid certificate was received. .PP .RS When you are connecting IRC services which mask as a IRC server and which use diff --git a/src/ngircd/conf.c b/src/ngircd/conf.c index 23dcd51..a7dea2a 100644 --- a/src/ngircd/conf.c +++ b/src/ngircd/conf.c @@ -140,6 +140,9 @@ CheckFileReadable(const char *Var, const char *Filename) Filename, Var, strerror(errno)); } +#endif + + /** * Duplicate string and warn on errors. * @@ -1692,7 +1695,6 @@ Handle_SSL(int Line, char *Var, char *Arg) Conf_SSLOptions.RequireClientCert = Check_ArgIsTrue(Arg); return; } -#endif Config_Error_Section(Line, Var, "SSL"); } diff --git a/src/ngircd/conn-ssl.c b/src/ngircd/conn-ssl.c index 898130e..bab322e 100644 --- a/src/ngircd/conn-ssl.c +++ b/src/ngircd/conn-ssl.c @@ -586,11 +586,13 @@ ConnSSL_Init_SSL(CONNECTION *c) bool -ConnSSL_PrepareConnect(CONNECTION *c, CONF_SERVER *s) +ConnSSL_PrepareConnect(CONNECTION *c, UNUSED CONF_SERVER *s) { bool ret; #ifdef HAVE_LIBGNUTLS - int err = gnutls_init(&c->ssl_state.gnutls_session, GNUTLS_CLIENT); + int err; + + err = gnutls_init(&c->ssl_state.gnutls_session, GNUTLS_CLIENT); if (err) { Log(LOG_ERR, "gnutls_init: %s", gnutls_strerror(err)); return false; -- 1.7.10.2 (Apple Git-33)