GNUTLS: Provide a default priority string, disable TLSv1.0 in it

The user can still override this choice with the ssl_cipher_list option
in ircd.conf -- this is the only backend that will allow you to do so.
This commit is contained in:
Aaron Jones 2016-12-30 17:23:21 +00:00
parent 4574e77f43
commit 6bcfd29624
No known key found for this signature in database
GPG key ID: EC6F86EE9CD840B5
2 changed files with 47 additions and 3 deletions

View file

@ -31,6 +31,8 @@
#include <commio-ssl.h> #include <commio-ssl.h>
#include <gnutls/gnutls.h> #include <gnutls/gnutls.h>
#include <gnutls/abstract.h>
#include <gnutls/x509.h> #include <gnutls/x509.h>
#if (GNUTLS_VERSION_MAJOR < 3) #if (GNUTLS_VERSION_MAJOR < 3)
@ -39,6 +41,8 @@
# include <gnutls/crypto.h> # include <gnutls/crypto.h>
#endif #endif
#include "gnutls_ratbox.h"
typedef enum typedef enum
{ {
RB_FD_TLS_DIRECTION_IN = 0, RB_FD_TLS_DIRECTION_IN = 0,
@ -156,15 +160,16 @@ rb_ssl_init_fd(rb_fde_t *const F, const rb_fd_tls_direction dir)
} }
gnutls_init((gnutls_session_t *) F->ssl, init_flags); gnutls_init((gnutls_session_t *) F->ssl, init_flags);
gnutls_set_default_priority(SSL_P(F));
gnutls_credentials_set(SSL_P(F), GNUTLS_CRD_CERTIFICATE, server_cert_key); gnutls_credentials_set(SSL_P(F), GNUTLS_CRD_CERTIFICATE, server_cert_key);
gnutls_dh_set_prime_bits(SSL_P(F), 2048); gnutls_dh_set_prime_bits(SSL_P(F), 2048);
gnutls_priority_set(SSL_P(F), default_priority);
gnutls_transport_set_ptr(SSL_P(F), (gnutls_transport_ptr_t) F); gnutls_transport_set_ptr(SSL_P(F), (gnutls_transport_ptr_t) F);
gnutls_transport_set_pull_function(SSL_P(F), rb_sock_net_recv); gnutls_transport_set_pull_function(SSL_P(F), rb_sock_net_recv);
gnutls_transport_set_push_function(SSL_P(F), rb_sock_net_xmit); gnutls_transport_set_push_function(SSL_P(F), rb_sock_net_xmit);
if (gnutls_priority_set(SSL_P(F), default_priority) != GNUTLS_E_SUCCESS)
gnutls_set_default_priority(SSL_P(F));
if(dir == RB_FD_TLS_DIRECTION_IN) if(dir == RB_FD_TLS_DIRECTION_IN)
gnutls_certificate_server_set_request(SSL_P(F), GNUTLS_CERT_REQUEST); gnutls_certificate_server_set_request(SSL_P(F), GNUTLS_CERT_REQUEST);
} }
@ -480,7 +485,7 @@ rb_init_ssl(void)
int int
rb_setup_ssl_server(const char *const certfile, const char *keyfile, rb_setup_ssl_server(const char *const certfile, const char *keyfile,
const char *const dhfile, const char *const cipherlist) const char *const dhfile, const char *cipherlist)
{ {
if(certfile == NULL) if(certfile == NULL)
{ {
@ -491,6 +496,9 @@ rb_setup_ssl_server(const char *const certfile, const char *keyfile,
if(keyfile == NULL) if(keyfile == NULL)
keyfile = certfile; keyfile = certfile;
if(cipherlist == NULL)
cipherlist = rb_gnutls_default_priority_str;
gnutls_datum_t *const d_cert = rb_load_file_into_datum_t(certfile); gnutls_datum_t *const d_cert = rb_load_file_into_datum_t(certfile);
if(d_cert == NULL) if(d_cert == NULL)

View file

@ -0,0 +1,36 @@
/*
* libratbox: a library used by ircd-ratbox and other things
* gnutls_ratbox.h: embedded data for GNUTLS backend
*
* Copyright (C) 2007-2008 ircd-ratbox development team
* Copyright (C) 2007-2008 Aaron Sethman <androsyn@ratbox.org>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
* USA
*
*/
static const char rb_gnutls_default_priority_str[] = ""
"+SECURE256:"
"+SECURE128:"
"!RSA:"
"+NORMAL:"
"!ARCFOUR-128:"
"!3DES-CBC:"
"!MD5:"
"VERS-TLS-ALL:"
"!VERS-TLS1.0:"
"!VERS-SSL3.0:"
"%SAFE_RENEGOTIATION";