From 9179e51e513587cddd4c4171f0ad74c8f5bf052e Mon Sep 17 00:00:00 2001
From: Attila Molnar
Date: Fri, 10 Oct 2014 14:10:24 +0200
Subject: m_ssl_openssl Enable single (EC)DH use and disable SSL v2
Options enabled:
- SSL_OP_NO_SSLv2
- SSL_OP_SINGLE_DH_USE
- SSL_OP_SINGLE_ECDH_USE (if it exists)
Partial backport of #856 by @jvehent
---
 src/modules/extra/m_ssl_openssl.cpp | 9 +++++++++
 1 file changed, 9 insertions(+)
(limited to 'src/modules')
diff --git a/src/modules/extra/m_ssl_openssl.cpp b/src/modules/extra/m_ssl_openssl.cpp
index 0398a33c7..081b0153e 100644
--- a/src/modules/extra/m_ssl_openssl.cpp
+++ b/src/modules/extra/m_ssl_openssl.cpp
@@ -130,6 +130,15 @@ class ModuleSSLOpenSSL : public Module
 const unsigned char session_id[] = "inspircd";
 SSL_CTX_set_session_id_context(ctx, session_id, sizeof(session_id) - 1);
+
+ long opts = SSL_OP_NO_SSLv2 | SSL_OP_SINGLE_DH_USE;
+ // Only turn options on if they exist
+#ifdef SSL_OP_SINGLE_ECDH_USE
+ opts |= SSL_OP_SINGLE_ECDH_USE;
+#endif
+
+ SSL_CTX_set_options(ctx, opts);
+ SSL_CTX_set_options(clictx, opts);
 }
 void init()
--
cgit v1.2.3
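Review bot: The mask built at `long opts = SSL_OP_NO_SSLv2 | SSL_OP_SINGLE_DH_USE;` switches off only SSL v2, so as far as this hunk shows both `ctx` and `clictx` will still negotiate SSL v3, whose CBC padding handling is weak at the protocol level. If no supported client depends on it, extend the mask to `long opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_SINGLE_DH_USE;`. TLS compression could be disabled with the same guard pattern already used for the ECDH flag, `#ifdef SSL_OP_NO_COMPRESSION` followed by `opts |= SSL_OP_NO_COMPRESSION;`, since older OpenSSL headers do not define that macro. The enclosing function starts above the hunk, so any protocol restriction applied when the contexts are created is not visible here and should be checked before changing the mask.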