Commit graph

25 commits

Author SHA1 Message Date
Keith Buck
784ce5c1cc Remove SSL_OP_NO_COMPRESSION from openssl initialization.
SSL_OP_NO_COMPRESSION was presumably added in an attempt to prevent
information leakage in a manner similar to recent attacks on HTTPS.
However, assuming that IRC is vulnerable to the same class of attacks is
incorrect: the behavior of the IRC protocol (a single long-running
connection) is not the same as that of HTTPS (multiple ephemeral
connections). HTTPS's use of ephemeral connections means that certain
assumptions can be made about the contents of the compression
algorithm's dictionaries and the content exchanged between the client
and server (e.g. the content being nearly the same for each connection),
which is not true for IRC. Additionally, they rely on the attacker being
able to coerce the client into creating many HTTPS connections (and
resending some secret token belonging to the user, along with
attacker-controlled data) each time, none of which is possible with IRC.
Lastly, since compression is no longer performed, this option will
result in leaking the lengths of messages transmitted to and from the
client. This option does reduce CPU utilization on Charybdis servers but
also increases bandwidth consumed.
2014-02-21 09:17:29 +00:00
Jilles Tjoelker
362ef2d9ee openssl: Improve security using options recommanded by Argure.
Note that these are not available in old versions of OpenSSL (like FreeBSD
9.x base OpenSSL), so allow them to be missing.

A side effect may be slightly higher CPU consumption and network traffic.
2014-01-15 22:25:26 +01:00
Jilles Tjoelker
9799bea4a1 openssl: Use cipher list suggested by Argure. 2014-01-15 22:13:47 +01:00
Jilles Tjoelker
cee842a829 openssl: Fix compiler warning. 2014-01-15 22:09:57 +01:00
Jilles Tjoelker
fabc3174fe openssl: Set some sort of session id context.
Without a session id context and if client certificates are used, OpenSSL
fails the handshake if an attempt is made to reuse an old session. Various
clients could not reconnect after a disconnection because of this.

See https://bugzilla.mozilla.org/show_bug.cgi?id=858394#c34 for a bug
report.
2014-01-15 22:04:12 +01:00
William Pitcock
b6e799f5df libratbox/openssl: check that ECDHE is really available on redhat derivatives (closes #43) 2013-11-30 19:55:01 +00:00
Patrick Godschalk
31d2201519 Have OpenSSL version check use cpp 2013-09-06 20:05:49 +02:00
Patrick Godschalk
81998134b7 Set ECDHE on OpenSSL 1.00+. 2013-09-03 14:16:57 +02:00
Quora Dodrill
97b0e99e2a libratbox/openssl: Fix possible memory leak with SSL certificate fingerprints 2013-08-14 09:54:57 -07:00
Quora Dodrill
f997930e7c Revert "libratbox/openssl: Fix possible memory leak with SSL dertificate fingerprints"
This reverts commit 6ecd598ec0.
2013-08-14 09:54:18 -07:00
Quora Dodrill
6ecd598ec0 libratbox/openssl: Fix possible memory leak with SSL dertificate fingerprints 2013-08-14 09:50:12 -07:00
William Pitcock
aa4737a049 libratbox: make defer_accept optional. 2012-03-17 09:48:25 -05:00
Jilles Tjoelker
e732a57bd1 Cope with OPENSSL_VERSION_NUMBER not being a long.
Contrary to the documentation, this is the case on recent FreeBSD at least.
2011-03-20 18:46:32 +01:00
William Pitcock
07e14084eb libratbox: Use the server SSL certificate on outgoing connections. 2010-12-13 22:58:09 -06:00
Jilles Tjoelker
918d73d562 openssl: Avoid cutting off OpenSSL errors at 119 chars.
ERR_error_string() is just broken, as it returns at most 119 chars
which means error messages are frequently truncated.
Allow for 511 chars using ERR_error_string_n().
2010-05-09 00:30:51 +02:00
Jilles Tjoelker
b2d64e51f0 Fix a memory leak with client certificates. 2010-02-19 16:55:15 +01:00
Jilles Tjoelker
7247337afa Add certfp support to libratbox and ssld.
This lets a user connect with a client certificate, and
passes the certificate's fingerprint to ircd, which
currently just notices it to the user.

A new ssld->ircd message 'F' is used to pass on the
fingerprint.

This is only for OpenSSL for now, not GNUTLS.
2010-01-31 19:04:20 +01:00
Valeriy Yatsko
030272f378 Update libratbox. 2008-12-22 12:49:01 +03:00
Valeriy Yatsko
3202e24921 Copied libratbox and related stuff from shadowircd upstream. 2008-12-03 02:49:39 +03:00
Valery Yatsko
a9fb3ed0f9 libratbox sync - r25796 2008-07-30 02:41:27 +04:00
Valery V Yatsko
c2ac22cc46 sync libratbox - r25599 + charybdis packaging patch 2008-06-25 09:28:30 +04:00
Jilles Tjoelker
2142f6910e Fix a possible crash with SSL connections closing early.
libratbox r25356 (jilles)
2008-05-12 19:54:24 +02:00
Valery Yatsko
73d6283cfc Importing r25217, r25219 and r25221 from ratbox3 2008-04-10 20:37:42 +04:00
Valery Yatsko
715ffadfd9 Importing changes from ircd-ratbox revision r25203, this fixes libratbox/src/openssl.c a bit 2008-04-06 18:28:56 +04:00
William Pitcock
db13786793 Pull in libratbox from ircd-ratbox-3.0.0beta1 and integrate into the build system. 2008-04-01 11:52:26 -05:00