diff options
| -rw-r--r-- | src/modules/extra/m_ssl_openssl.cpp | 50 |
1 files changed, 48 insertions, 2 deletions
diff --git a/src/modules/extra/m_ssl_openssl.cpp b/src/modules/extra/m_ssl_openssl.cpp index 33f848798..518712c00 100644 --- a/src/modules/extra/m_ssl_openssl.cpp +++ b/src/modules/extra/m_ssl_openssl.cpp @@ -102,10 +102,29 @@ class ModuleSSLOpenSSL : public Module SSL_CTX* ctx; SSL_CTX* clictx; + long ctx_options; + long clictx_options; + std::string sslports; bool use_sha; ServiceProvider iohook; + + static void SetContextOptions(SSL_CTX* ctx, long defoptions, const std::string& ctxname, ConfigTag* tag) + { + long setoptions = tag->getInt(ctxname + "setoptions"); + long clearoptions = tag->getInt(ctxname + "clearoptions"); + ServerInstance->Logs->Log("m_ssl_openssl", DEBUG, "Setting OpenSSL %s context options, default: %ld set: %ld clear: %ld", ctxname.c_str(), defoptions, clearoptions, setoptions); + + // Clear everything + SSL_CTX_clear_options(ctx, SSL_CTX_get_options(ctx)); + + // Set the default options and what is in the conf + SSL_CTX_set_options(ctx, defoptions | setoptions); + long final = SSL_CTX_clear_options(ctx, clearoptions); + ServerInstance->Logs->Log("m_ssl_openssl", DEFAULT, "OpenSSL %s context options: %ld", ctxname.c_str(), final); + } + public: ModuleSSLOpenSSL() : iohook(this, "ssl/openssl", SERVICE_IOHOOK) @@ -128,8 +147,20 @@ class ModuleSSLOpenSSL : public Module SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, OnVerify); SSL_CTX_set_verify(clictx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, OnVerify); - const unsigned char session_id[] = "inspircd"; - SSL_CTX_set_session_id_context(ctx, session_id, sizeof(session_id) - 1); + SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); + SSL_CTX_set_session_cache_mode(clictx, SSL_SESS_CACHE_OFF); + + long opts = SSL_OP_NO_SSLv2 | SSL_OP_SINGLE_DH_USE; + // Only turn options on if they exist +#ifdef SSL_OP_SINGLE_ECDH_USE + opts |= SSL_OP_SINGLE_ECDH_USE; +#endif +#ifdef SSL_OP_NO_TICKET + opts |= SSL_OP_NO_TICKET; +#endif + + ctx_options = SSL_CTX_set_options(ctx, opts); + clictx_options = SSL_CTX_set_options(clictx, opts); } void init() @@ -211,10 +242,17 @@ class ModuleSSLOpenSSL : public Module throw ModuleException("Unknown hash type " + hash); use_sha = (hash == "sha1"); + if (conf->getBool("customcontextoptions")) + { + SetContextOptions(ctx, ctx_options, "server", conf); + SetContextOptions(clictx, clictx_options, "client", conf); + } + std::string ciphers = conf->getString("ciphers", ""); if (!ciphers.empty()) { + ERR_clear_error(); if ((!SSL_CTX_set_cipher_list(ctx, ciphers.c_str())) || (!SSL_CTX_set_cipher_list(clictx, ciphers.c_str()))) { ServerInstance->Logs->Log("m_ssl_openssl",DEFAULT, "m_ssl_openssl.so: Can't set cipher list to %s.", ciphers.c_str()); @@ -225,12 +263,14 @@ class ModuleSSLOpenSSL : public Module /* Load our keys and certificates * NOTE: OpenSSL's error logging API sucks, don't blame us for this clusterfuck. */ + ERR_clear_error(); if ((!SSL_CTX_use_certificate_chain_file(ctx, certfile.c_str())) || (!SSL_CTX_use_certificate_chain_file(clictx, certfile.c_str()))) { ServerInstance->Logs->Log("m_ssl_openssl",DEFAULT, "m_ssl_openssl.so: Can't read certificate file %s. %s", certfile.c_str(), strerror(errno)); ERR_print_errors_cb(error_callback, this); } + ERR_clear_error(); if (((!SSL_CTX_use_PrivateKey_file(ctx, keyfile.c_str(), SSL_FILETYPE_PEM))) || (!SSL_CTX_use_PrivateKey_file(clictx, keyfile.c_str(), SSL_FILETYPE_PEM))) { ServerInstance->Logs->Log("m_ssl_openssl",DEFAULT, "m_ssl_openssl.so: Can't read key file %s. %s", keyfile.c_str(), strerror(errno)); @@ -238,6 +278,7 @@ class ModuleSSLOpenSSL : public Module } /* Load the CAs we trust*/ + ERR_clear_error(); if (((!SSL_CTX_load_verify_locations(ctx, cafile.c_str(), 0))) || (!SSL_CTX_load_verify_locations(clictx, cafile.c_str(), 0))) { ServerInstance->Logs->Log("m_ssl_openssl",DEFAULT, "m_ssl_openssl.so: Can't read CA list from %s. This is only a problem if you want to verify client certificates, otherwise it's safe to ignore this message. Error: %s", cafile.c_str(), strerror(errno)); @@ -264,6 +305,8 @@ class ModuleSSLOpenSSL : public Module #else ret = PEM_read_DHparams(dhpfile, NULL, NULL, NULL); #endif + + ERR_clear_error(); if ((SSL_CTX_set_tmp_dh(ctx, ret) < 0) || (SSL_CTX_set_tmp_dh(clictx, ret) < 0)) { ServerInstance->Logs->Log("m_ssl_openssl",DEFAULT, "m_ssl_openssl.so: Couldn't set DH parameters %s. SSL errors follow:", dhfile.c_str()); @@ -426,6 +469,7 @@ class ModuleSSLOpenSSL : public Module if (session->status == ISSL_OPEN) { + ERR_clear_error(); char* buffer = ServerInstance->GetReadBuffer(); size_t bufsiz = ServerInstance->Config->NetBufferSize; int ret = SSL_read(session->sess, buffer, bufsiz); @@ -496,6 +540,7 @@ class ModuleSSLOpenSSL : public Module if (session->status == ISSL_OPEN) { + ERR_clear_error(); int ret = SSL_write(session->sess, buffer.data(), buffer.size()); if (ret == (int)buffer.length()) { @@ -542,6 +587,7 @@ class ModuleSSLOpenSSL : public Module { int ret; + ERR_clear_error(); if (session->outbound) ret = SSL_connect(session->sess); else |