From 6bcfd29624d34ca007aef6c4c043c51a38b7fcea Mon Sep 17 00:00:00 2001 From: Aaron Jones Date: Fri, 30 Dec 2016 17:23:21 +0000 Subject: [PATCH] GNUTLS: Provide a default priority string, disable TLSv1.0 in it The user can still override this choice with the ssl_cipher_list option in ircd.conf -- this is the only backend that will allow you to do so. --- libratbox/src/gnutls.c | 14 +++++++++++--- libratbox/src/gnutls_ratbox.h | 36 +++++++++++++++++++++++++++++++++++ 2 files changed, 47 insertions(+), 3 deletions(-) create mode 100644 libratbox/src/gnutls_ratbox.h diff --git a/libratbox/src/gnutls.c b/libratbox/src/gnutls.c index ec2c49fc..874eeba8 100644 --- a/libratbox/src/gnutls.c +++ b/libratbox/src/gnutls.c @@ -31,6 +31,8 @@ #include #include + +#include #include #if (GNUTLS_VERSION_MAJOR < 3) @@ -39,6 +41,8 @@ # include #endif +#include "gnutls_ratbox.h" + typedef enum { RB_FD_TLS_DIRECTION_IN = 0, @@ -156,15 +160,16 @@ rb_ssl_init_fd(rb_fde_t *const F, const rb_fd_tls_direction dir) } gnutls_init((gnutls_session_t *) F->ssl, init_flags); - gnutls_set_default_priority(SSL_P(F)); gnutls_credentials_set(SSL_P(F), GNUTLS_CRD_CERTIFICATE, server_cert_key); gnutls_dh_set_prime_bits(SSL_P(F), 2048); - gnutls_priority_set(SSL_P(F), default_priority); gnutls_transport_set_ptr(SSL_P(F), (gnutls_transport_ptr_t) F); gnutls_transport_set_pull_function(SSL_P(F), rb_sock_net_recv); gnutls_transport_set_push_function(SSL_P(F), rb_sock_net_xmit); + if (gnutls_priority_set(SSL_P(F), default_priority) != GNUTLS_E_SUCCESS) + gnutls_set_default_priority(SSL_P(F)); + if(dir == RB_FD_TLS_DIRECTION_IN) gnutls_certificate_server_set_request(SSL_P(F), GNUTLS_CERT_REQUEST); } @@ -480,7 +485,7 @@ rb_init_ssl(void) int rb_setup_ssl_server(const char *const certfile, const char *keyfile, - const char *const dhfile, const char *const cipherlist) + const char *const dhfile, const char *cipherlist) { if(certfile == NULL) { @@ -491,6 +496,9 @@ rb_setup_ssl_server(const char *const certfile, const char *keyfile, if(keyfile == NULL) keyfile = certfile; + if(cipherlist == NULL) + cipherlist = rb_gnutls_default_priority_str; + gnutls_datum_t *const d_cert = rb_load_file_into_datum_t(certfile); if(d_cert == NULL) diff --git a/libratbox/src/gnutls_ratbox.h b/libratbox/src/gnutls_ratbox.h new file mode 100644 index 00000000..6def3086 --- /dev/null +++ b/libratbox/src/gnutls_ratbox.h @@ -0,0 +1,36 @@ +/* + * libratbox: a library used by ircd-ratbox and other things + * gnutls_ratbox.h: embedded data for GNUTLS backend + * + * Copyright (C) 2007-2008 ircd-ratbox development team + * Copyright (C) 2007-2008 Aaron Sethman + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 + * USA + * + */ + +static const char rb_gnutls_default_priority_str[] = "" + "+SECURE256:" + "+SECURE128:" + "!RSA:" + "+NORMAL:" + "!ARCFOUR-128:" + "!3DES-CBC:" + "!MD5:" + "VERS-TLS-ALL:" + "!VERS-TLS1.0:" + "!VERS-SSL3.0:" + "%SAFE_RENEGOTIATION";