GNUTLS: Provide a default priority string, disable TLSv1.0 in it
The user can still override this choice with the ssl_cipher_list option in ircd.conf -- this is the only backend that will allow you to do so.
This commit is contained in:
Aaron Jones
parent
1175ff837d
commit
5bcd4c7c60
2 changed files with 46 additions and 3 deletions
|
|
@ -32,6 +32,7 @@
|
|||
#include <stdbool.h>
|
||||
|
||||
#include <gnutls/gnutls.h>
|
||||
|
||||
#include <gnutls/abstract.h>
|
||||
#include <gnutls/x509.h>
|
||||
|
||||
|
|
@ -41,6 +42,8 @@
|
|||
# include <gnutls/crypto.h>
|
||||
#endif
|
||||
|
||||
#include "gnutls_ratbox.h"
|
||||
|
||||
typedef enum
|
||||
{
|
||||
RB_FD_TLS_DIRECTION_IN = 0,
|
||||
|
|
@ -158,15 +161,16 @@ rb_ssl_init_fd(rb_fde_t *const F, const rb_fd_tls_direction dir)
|
|||
}
|
||||
|
||||
gnutls_init((gnutls_session_t *) F->ssl, init_flags);
|
||||
gnutls_set_default_priority(SSL_P(F));
|
||||
gnutls_credentials_set(SSL_P(F), GNUTLS_CRD_CERTIFICATE, server_cert_key);
|
||||
gnutls_dh_set_prime_bits(SSL_P(F), 2048);
|
||||
gnutls_priority_set(SSL_P(F), default_priority);
|
||||
|
||||
gnutls_transport_set_ptr(SSL_P(F), (gnutls_transport_ptr_t) F);
|
||||
gnutls_transport_set_pull_function(SSL_P(F), rb_sock_net_recv);
|
||||
gnutls_transport_set_push_function(SSL_P(F), rb_sock_net_xmit);
|
||||
|
||||
if (gnutls_priority_set(SSL_P(F), default_priority) != GNUTLS_E_SUCCESS)
|
||||
gnutls_set_default_priority(SSL_P(F));
|
||||
|
||||
if(dir == RB_FD_TLS_DIRECTION_IN)
|
||||
gnutls_certificate_server_set_request(SSL_P(F), GNUTLS_CERT_REQUEST);
|
||||
}
|
||||
|
|
@ -483,7 +487,7 @@ rb_init_ssl(void)
|
|||
|
||||
int
|
||||
rb_setup_ssl_server(const char *const certfile, const char *keyfile,
|
||||
const char *const dhfile, const char *const cipherlist)
|
||||
const char *const dhfile, const char *cipherlist)
|
||||
{
|
||||
if(certfile == NULL)
|
||||
{
|
||||
|
|
@ -494,6 +498,9 @@ rb_setup_ssl_server(const char *const certfile, const char *keyfile,
|
|||
if(keyfile == NULL)
|
||||
keyfile = certfile;
|
||||
|
||||
if(cipherlist == NULL)
|
||||
cipherlist = rb_gnutls_default_priority_str;
|
||||
|
||||
|
||||
gnutls_datum_t *const d_cert = rb_load_file_into_datum_t(certfile);
|
||||
if(d_cert == NULL)
|
||||
|
|
|
|||
36
librb/src/gnutls_ratbox.h
Normal file
36
librb/src/gnutls_ratbox.h
Normal file
|
|
@ -0,0 +1,36 @@
|
|||
/*
|
||||
* libratbox: a library used by ircd-ratbox and other things
|
||||
* gnutls_ratbox.h: embedded data for GNUTLS backend
|
||||
*
|
||||
* Copyright (C) 2007-2008 ircd-ratbox development team
|
||||
* Copyright (C) 2007-2008 Aaron Sethman <androsyn@ratbox.org>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
* the Free Software Foundation; either version 2 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program; if not, write to the Free Software
|
||||
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
|
||||
* USA
|
||||
*
|
||||
*/
|
||||
|
||||
static const char rb_gnutls_default_priority_str[] = ""
|
||||
"+SECURE256:"
|
||||
"+SECURE128:"
|
||||
"!RSA:"
|
||||
"+NORMAL:"
|
||||
"!ARCFOUR-128:"
|
||||
"!3DES-CBC:"
|
||||
"!MD5:"
|
||||
"VERS-TLS-ALL:"
|
||||
"!VERS-TLS1.0:"
|
||||
"!VERS-SSL3.0:"
|
||||
"%SAFE_RENEGOTIATION";
|
||||
Loading…
Reference in a new issue