GNUTLS: Provide a default priority string, disable TLSv1.0 in it

The user can still override this choice with the ssl_cipher_list option
in ircd.conf -- this is the only backend that will allow you to do so.
This commit is contained in:
Aaron Jones 2016-12-30 17:39:45 +00:00
parent 1175ff837d
commit 5bcd4c7c60
No known key found for this signature in database
GPG key ID: EC6F86EE9CD840B5
2 changed files with 46 additions and 3 deletions

View file

@ -32,6 +32,7 @@
#include <stdbool.h>
#include <gnutls/gnutls.h>
#include <gnutls/abstract.h>
#include <gnutls/x509.h>
@ -41,6 +42,8 @@
# include <gnutls/crypto.h>
#endif
#include "gnutls_ratbox.h"
typedef enum
{
RB_FD_TLS_DIRECTION_IN = 0,
@ -158,15 +161,16 @@ rb_ssl_init_fd(rb_fde_t *const F, const rb_fd_tls_direction dir)
}
gnutls_init((gnutls_session_t *) F->ssl, init_flags);
gnutls_set_default_priority(SSL_P(F));
gnutls_credentials_set(SSL_P(F), GNUTLS_CRD_CERTIFICATE, server_cert_key);
gnutls_dh_set_prime_bits(SSL_P(F), 2048);
gnutls_priority_set(SSL_P(F), default_priority);
gnutls_transport_set_ptr(SSL_P(F), (gnutls_transport_ptr_t) F);
gnutls_transport_set_pull_function(SSL_P(F), rb_sock_net_recv);
gnutls_transport_set_push_function(SSL_P(F), rb_sock_net_xmit);
if (gnutls_priority_set(SSL_P(F), default_priority) != GNUTLS_E_SUCCESS)
gnutls_set_default_priority(SSL_P(F));
if(dir == RB_FD_TLS_DIRECTION_IN)
gnutls_certificate_server_set_request(SSL_P(F), GNUTLS_CERT_REQUEST);
}
@ -483,7 +487,7 @@ rb_init_ssl(void)
int
rb_setup_ssl_server(const char *const certfile, const char *keyfile,
const char *const dhfile, const char *const cipherlist)
const char *const dhfile, const char *cipherlist)
{
if(certfile == NULL)
{
@ -494,6 +498,9 @@ rb_setup_ssl_server(const char *const certfile, const char *keyfile,
if(keyfile == NULL)
keyfile = certfile;
if(cipherlist == NULL)
cipherlist = rb_gnutls_default_priority_str;
gnutls_datum_t *const d_cert = rb_load_file_into_datum_t(certfile);
if(d_cert == NULL)

36
librb/src/gnutls_ratbox.h Normal file
View file

@ -0,0 +1,36 @@
/*
* libratbox: a library used by ircd-ratbox and other things
* gnutls_ratbox.h: embedded data for GNUTLS backend
*
* Copyright (C) 2007-2008 ircd-ratbox development team
* Copyright (C) 2007-2008 Aaron Sethman <androsyn@ratbox.org>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
* USA
*
*/
static const char rb_gnutls_default_priority_str[] = ""
"+SECURE256:"
"+SECURE128:"
"!RSA:"
"+NORMAL:"
"!ARCFOUR-128:"
"!3DES-CBC:"
"!MD5:"
"VERS-TLS-ALL:"
"!VERS-TLS1.0:"
"!VERS-SSL3.0:"
"%SAFE_RENEGOTIATION";