src/modules/extra/m_ssl_openssl.cpp

   1 /*
   2  * InspIRCd -- Internet Relay Chat Daemon
   3  *
   4  *   Copyright (C) 2009-2010 Daniel De Graaf <danieldg@inspircd.org>
   5  *   Copyright (C) 2008 Pippijn van Steenhoven <pip88nl@gmail.com>
   6  *   Copyright (C) 2006-2008 Craig Edwards <craigedwards@brainbox.cc>
   7  *   Copyright (C) 2008 Thomas Stagner <aquanight@inspircd.org>
   8  *   Copyright (C) 2007 Dennis Friis <peavey@inspircd.org>
   9  *   Copyright (C) 2006 Oliver Lupton <oliverlupton@gmail.com>
  10  *
  11  * This file is part of InspIRCd.  InspIRCd is free software: you can
  12  * redistribute it and/or modify it under the terms of the GNU General Public
  13  * License as published by the Free Software Foundation, version 2.
  14  *
  15  * This program is distributed in the hope that it will be useful, but WITHOUT
  16  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
  17  * FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
  18  * details.
  19  *
  20  * You should have received a copy of the GNU General Public License
  21  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  22  */
  23
  24
  25 #include "inspircd.h"
  26 #include "iohook.h"
  27 #include "modules/ssl.h"
  28
  29 // Ignore OpenSSL deprecation warnings on OS X Lion and newer.
  30 #if defined __APPLE__
  31 # pragma GCC diagnostic ignored "-Wdeprecated-declarations"
  32 #endif
  33
  34 #include <openssl/ssl.h>
  35 #include <openssl/err.h>
  36
  37 #ifdef _WIN32
  38 # pragma comment(lib, "libcrypto.lib")
  39 # pragma comment(lib, "libssl.lib")
  40 # pragma comment(lib, "user32.lib")
  41 # pragma comment(lib, "advapi32.lib")
  42 # pragma comment(lib, "libgcc.lib")
  43 # pragma comment(lib, "libmingwex.lib")
  44 # pragma comment(lib, "gdi32.lib")
  45 #endif
  46
  47 /* $CompileFlags: pkgconfversion("openssl","0.9.7") pkgconfincludes("openssl","/openssl/ssl.h","") */
  48 /* $LinkerFlags: rpath("pkg-config --libs openssl") pkgconflibs("openssl","/libssl.so","-lssl -lcrypto") */
  49
  50 enum issl_status { ISSL_NONE, ISSL_HANDSHAKING, ISSL_OPEN };
  51
  52 static bool SelfSigned = false;
  53
  54 char* get_error()
  55 {
  56         return ERR_error_string(ERR_get_error(), NULL);
  57 }
  58
  59 static int OnVerify(int preverify_ok, X509_STORE_CTX* ctx);
  60
  61 namespace OpenSSL
  62 {
  63         class Exception : public ModuleException
  64         {
  65          public:
  66                 Exception(const std::string& reason)
  67                         : ModuleException(reason) { }
  68         };
  69
  70         class DHParams
  71         {
  72                 DH* dh;
  73
  74          public:
  75                 DHParams(const std::string& filename)
  76                 {
  77                         FILE* dhpfile = fopen(filename.c_str(), "r");
  78                         if (dhpfile == NULL)
  79                                 throw Exception("Couldn't open DH file " + filename + ": " + strerror(errno));
  80
  81                         dh = PEM_read_DHparams(dhpfile, NULL, NULL, NULL);
  82                         fclose(dhpfile);
  83                         if (!dh)
  84                                 throw Exception("Couldn't read DH params from file " + filename);
  85                 }
  86
  87                 ~DHParams()
  88                 {
  89                         DH_free(dh);
  90                 }
  91
  92                 DH* get()
  93                 {
  94                         return dh;
  95                 }
  96         };
  97
  98         class Context
  99         {
 100                 SSL_CTX* const ctx;
 101
 102          public:
 103                 Context(SSL_CTX* context)
 104                         : ctx(context)
 105                 {
 106                         SSL_CTX_set_mode(ctx, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
 107                         SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, OnVerify);
 108
 109                         const unsigned char session_id[] = "inspircd";
 110                         SSL_CTX_set_session_id_context(ctx, session_id, sizeof(session_id) - 1);
 111                 }
 112
 113                 ~Context()
 114                 {
 115                         SSL_CTX_free(ctx);
 116                 }
 117
 118                 bool SetDH(DHParams& dh)
 119                 {
 120                         return (SSL_CTX_set_tmp_dh(ctx, dh.get()) >= 0);
 121                 }
 122
 123                 bool SetCiphers(const std::string& ciphers)
 124                 {
 125                         return SSL_CTX_set_cipher_list(ctx, ciphers.c_str());
 126                 }
 127
 128                 bool SetCerts(const std::string& filename)
 129                 {
 130                         return SSL_CTX_use_certificate_chain_file(ctx, filename.c_str());
 131                 }
 132
 133                 bool SetPrivateKey(const std::string& filename)
 134                 {
 135                         return SSL_CTX_use_PrivateKey_file(ctx, filename.c_str(), SSL_FILETYPE_PEM);
 136                 }
 137
 138                 bool SetCA(const std::string& filename)
 139                 {
 140                         return SSL_CTX_load_verify_locations(ctx, filename.c_str(), 0);
 141                 }
 142
 143                 SSL* CreateSession()
 144                 {
 145                         return SSL_new(ctx);
 146                 }
 147         };
 148
 149         class Profile : public refcountbase
 150         {
 151                 /** Name of this profile
 152                  */
 153                 const std::string name;
 154
 155                 /** DH parameters in use
 156                  */
 157                 DHParams dh;
 158
 159                 /** OpenSSL makes us have two contexts, one for servers and one for clients
 160                  */
 161                 Context ctx;
 162                 Context clictx;
 163
 164                 /** Digest to use when generating fingerprints
 165                  */
 166                 const EVP_MD* digest;
 167
 168                 /** Last error, set by error_callback()
 169                  */
 170                 std::string lasterr;
 171
 172                 static int error_callback(const char* str, size_t len, void* u)
 173                 {
 174                         Profile* profile = reinterpret_cast<Profile*>(u);
 175                         profile->lasterr = std::string(str, len - 1);
 176                         return 0;
 177                 }
 178
 179          public:
 180                 Profile(const std::string& profilename, ConfigTag* tag)
 181                         : name(profilename)
 182                         , dh(ServerInstance->Config->Paths.PrependConfig(tag->getString("dhfile", "dh.pem")))
 183                         , ctx(SSL_CTX_new(SSLv23_server_method()))
 184                         , clictx(SSL_CTX_new(SSLv23_client_method()))
 185                 {
 186                         if ((!ctx.SetDH(dh)) || (!clictx.SetDH(dh)))
 187                                 throw Exception("Couldn't set DH parameters");
 188
 189                         std::string hash = tag->getString("hash", "md5");
 190                         digest = EVP_get_digestbyname(hash.c_str());
 191                         if (digest == NULL)
 192                                 throw Exception("Unknown hash type " + hash);
 193
 194                         std::string ciphers = tag->getString("ciphers");
 195                         if (!ciphers.empty())
 196                         {
 197                                 if ((!ctx.SetCiphers(ciphers)) || (!clictx.SetCiphers(ciphers)))
 198                                 {
 199                                         ERR_print_errors_cb(error_callback, this);
 200                                         throw Exception("Can't set cipher list to \"" + ciphers + "\" " + lasterr);
 201                                 }
 202                         }
 203
 204                         /* Load our keys and certificates
 205                          * NOTE: OpenSSL's error logging API sucks, don't blame us for this clusterfuck.
 206                          */
 207                         std::string filename = ServerInstance->Config->Paths.PrependConfig(tag->getString("certfile", "cert.pem"));
 208                         if ((!ctx.SetCerts(filename)) || (!clictx.SetCerts(filename)))
 209                         {
 210                                 ERR_print_errors_cb(error_callback, this);
 211                                 throw Exception("Can't read certificate file: " + lasterr);
 212                         }
 213
 214                         filename = ServerInstance->Config->Paths.PrependConfig(tag->getString("keyfile", "key.pem"));
 215                         if ((!ctx.SetPrivateKey(filename)) || (!clictx.SetPrivateKey(filename)))
 216                         {
 217                                 ERR_print_errors_cb(error_callback, this);
 218                                 throw Exception("Can't read key file: " + lasterr);
 219                         }
 220
 221                         // Load the CAs we trust
 222                         filename = ServerInstance->Config->Paths.PrependConfig(tag->getString("cafile", "ca.pem"));
 223                         if ((!ctx.SetCA(filename)) || (!clictx.SetCA(filename)))
 224                         {
 225                                 ERR_print_errors_cb(error_callback, this);
 226                                 ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "Can't read CA list from %s. This is only a problem if you want to verify client certificates, otherwise it's safe to ignore this message. Error: %s", filename.c_str(), lasterr.c_str());
 227                         }
 228                 }
 229
 230                 const std::string& GetName() const { return name; }
 231                 SSL* CreateServerSession() { return ctx.CreateSession(); }
 232                 SSL* CreateClientSession() { return clictx.CreateSession(); }
 233                 const EVP_MD* GetDigest() { return digest; }
 234         };
 235 }
 236
 237 static int OnVerify(int preverify_ok, X509_STORE_CTX *ctx)
 238 {
 239         /* XXX: This will allow self signed certificates.
 240          * In the future if we want an option to not allow this,
 241          * we can just return preverify_ok here, and openssl
 242          * will boot off self-signed and invalid peer certs.
 243          */
 244         int ve = X509_STORE_CTX_get_error(ctx);
 245
 246         SelfSigned = (ve == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT);
 247
 248         return 1;
 249 }
 250
 251 class OpenSSLIOHook : public SSLIOHook
 252 {
 253  private:
 254         SSL* sess;
 255         issl_status status;
 256         const bool outbound;
 257         bool data_to_write;
 258         reference<OpenSSL::Profile> profile;
 259
 260         bool Handshake(StreamSocket* user)
 261         {
 262                 int ret;
 263
 264                 if (outbound)
 265                         ret = SSL_connect(sess);
 266                 else
 267                         ret = SSL_accept(sess);
 268
 269                 if (ret < 0)
 270                 {
 271                         int err = SSL_get_error(sess, ret);
 272
 273                         if (err == SSL_ERROR_WANT_READ)
 274                         {
 275                                 SocketEngine::ChangeEventMask(user, FD_WANT_POLL_READ | FD_WANT_NO_WRITE);
 276                                 this->status = ISSL_HANDSHAKING;
 277                                 return true;
 278                         }
 279                         else if (err == SSL_ERROR_WANT_WRITE)
 280                         {
 281                                 SocketEngine::ChangeEventMask(user, FD_WANT_NO_READ | FD_WANT_SINGLE_WRITE);
 282                                 this->status = ISSL_HANDSHAKING;
 283                                 return true;
 284                         }
 285                         else
 286                         {
 287                                 CloseSession();
 288                         }
 289
 290                         return false;
 291                 }
 292                 else if (ret > 0)
 293                 {
 294                         // Handshake complete.
 295                         VerifyCertificate();
 296
 297                         status = ISSL_OPEN;
 298
 299                         SocketEngine::ChangeEventMask(user, FD_WANT_POLL_READ | FD_WANT_NO_WRITE | FD_ADD_TRIAL_WRITE);
 300
 301                         return true;
 302                 }
 303                 else if (ret == 0)
 304                 {
 305                         CloseSession();
 306                         return true;
 307                 }
 308
 309                 return true;
 310         }
 311
 312         void CloseSession()
 313         {
 314                 if (sess)
 315                 {
 316                         SSL_shutdown(sess);
 317                         SSL_free(sess);
 318                 }
 319                 sess = NULL;
 320                 certificate = NULL;
 321                 status = ISSL_NONE;
 322                 errno = EIO;
 323         }
 324
 325         void VerifyCertificate()
 326         {
 327                 X509* cert;
 328                 ssl_cert* certinfo = new ssl_cert;
 329                 this->certificate = certinfo;
 330                 unsigned int n;
 331                 unsigned char md[EVP_MAX_MD_SIZE];
 332
 333                 cert = SSL_get_peer_certificate(sess);
 334
 335                 if (!cert)
 336                 {
 337                         certinfo->error = "Could not get peer certificate: "+std::string(get_error());
 338                         return;
 339                 }
 340
 341                 certinfo->invalid = (SSL_get_verify_result(sess) != X509_V_OK);
 342
 343                 if (!SelfSigned)
 344                 {
 345                         certinfo->unknownsigner = false;
 346                         certinfo->trusted = true;
 347                 }
 348                 else
 349                 {
 350                         certinfo->unknownsigner = true;
 351                         certinfo->trusted = false;
 352                 }
 353
 354                 char buf[512];
 355                 X509_NAME_oneline(X509_get_subject_name(cert), buf, sizeof(buf));
 356                 certinfo->dn = buf;
 357                 X509_NAME_oneline(X509_get_issuer_name(cert), buf, sizeof(buf));
 358                 certinfo->issuer = buf;
 359
 360                 if (!X509_digest(cert, profile->GetDigest(), md, &n))
 361                 {
 362                         certinfo->error = "Out of memory generating fingerprint";
 363                 }
 364                 else
 365                 {
 366                         certinfo->fingerprint = BinToHex(md, n);
 367                 }
 368
 369                 if ((ASN1_UTCTIME_cmp_time_t(X509_get_notAfter(cert), ServerInstance->Time()) == -1) || (ASN1_UTCTIME_cmp_time_t(X509_get_notBefore(cert), ServerInstance->Time()) == 0))
 370                 {
 371                         certinfo->error = "Not activated, or expired certificate";
 372                 }
 373
 374                 X509_free(cert);
 375         }
 376
 377  public:
 378         OpenSSLIOHook(IOHookProvider* hookprov, StreamSocket* sock, bool is_outbound, SSL* session, const reference<OpenSSL::Profile>& sslprofile)
 379                 : SSLIOHook(hookprov)
 380                 , sess(session)
 381                 , status(ISSL_NONE)
 382                 , outbound(is_outbound)
 383                 , data_to_write(false)
 384                 , profile(sslprofile)
 385         {
 386                 if (sess == NULL)
 387                         return;
 388                 if (SSL_set_fd(sess, sock->GetFd()) == 0)
 389                         throw ModuleException("Can't set fd with SSL_set_fd: " + ConvToStr(sock->GetFd()));
 390
 391                 sock->AddIOHook(this);
 392                 Handshake(sock);
 393         }
 394
 395         void OnStreamSocketClose(StreamSocket* user) CXX11_OVERRIDE
 396         {
 397                 CloseSession();
 398         }
 399
 400         int OnStreamSocketRead(StreamSocket* user, std::string& recvq) CXX11_OVERRIDE
 401         {
 402                 if (!sess)
 403                 {
 404                         CloseSession();
 405                         return -1;
 406                 }
 407
 408                 if (status == ISSL_HANDSHAKING)
 409                 {
 410                         // The handshake isn't finished and it wants to read, try to finish it.
 411                         if (!Handshake(user))
 412                         {
 413                                 // Couldn't resume handshake.
 414                                 if (status == ISSL_NONE)
 415                                         return -1;
 416                                 return 0;
 417                         }
 418                 }
 419
 420                 // If we resumed the handshake then this->status will be ISSL_OPEN
 421
 422                 if (status == ISSL_OPEN)
 423                 {
 424                         char* buffer = ServerInstance->GetReadBuffer();
 425                         size_t bufsiz = ServerInstance->Config->NetBufferSize;
 426                         int ret = SSL_read(sess, buffer, bufsiz);
 427
 428                         if (ret > 0)
 429                         {
 430                                 recvq.append(buffer, ret);
 431                                 if (data_to_write)
 432                                         SocketEngine::ChangeEventMask(user, FD_WANT_POLL_READ | FD_WANT_SINGLE_WRITE);
 433                                 return 1;
 434                         }
 435                         else if (ret == 0)
 436                         {
 437                                 // Client closed connection.
 438                                 CloseSession();
 439                                 user->SetError("Connection closed");
 440                                 return -1;
 441                         }
 442                         else if (ret < 0)
 443                         {
 444                                 int err = SSL_get_error(sess, ret);
 445
 446                                 if (err == SSL_ERROR_WANT_READ)
 447                                 {
 448                                         SocketEngine::ChangeEventMask(user, FD_WANT_POLL_READ);
 449                                         return 0;
 450                                 }
 451                                 else if (err == SSL_ERROR_WANT_WRITE)
 452                                 {
 453                                         SocketEngine::ChangeEventMask(user, FD_WANT_NO_READ | FD_WANT_SINGLE_WRITE);
 454                                         return 0;
 455                                 }
 456                                 else
 457                                 {
 458                                         CloseSession();
 459                                         return -1;
 460                                 }
 461                         }
 462                 }
 463
 464                 return 0;
 465         }
 466
 467         int OnStreamSocketWrite(StreamSocket* user, std::string& buffer) CXX11_OVERRIDE
 468         {
 469                 if (!sess)
 470                 {
 471                         CloseSession();
 472                         return -1;
 473                 }
 474
 475                 data_to_write = true;
 476
 477                 if (status == ISSL_HANDSHAKING)
 478                 {
 479                         if (!Handshake(user))
 480                         {
 481                                 // Couldn't resume handshake.
 482                                 if (status == ISSL_NONE)
 483                                         return -1;
 484                                 return 0;
 485                         }
 486                 }
 487
 488                 if (status == ISSL_OPEN)
 489                 {
 490                         int ret = SSL_write(sess, buffer.data(), buffer.size());
 491                         if (ret == (int)buffer.length())
 492                         {
 493                                 data_to_write = false;
 494                                 SocketEngine::ChangeEventMask(user, FD_WANT_POLL_READ | FD_WANT_NO_WRITE);
 495                                 return 1;
 496                         }
 497                         else if (ret > 0)
 498                         {
 499                                 buffer = buffer.substr(ret);
 500                                 SocketEngine::ChangeEventMask(user, FD_WANT_SINGLE_WRITE);
 501                                 return 0;
 502                         }
 503                         else if (ret == 0)
 504                         {
 505                                 CloseSession();
 506                                 return -1;
 507                         }
 508                         else if (ret < 0)
 509                         {
 510                                 int err = SSL_get_error(sess, ret);
 511
 512                                 if (err == SSL_ERROR_WANT_WRITE)
 513                                 {
 514                                         SocketEngine::ChangeEventMask(user, FD_WANT_SINGLE_WRITE);
 515                                         return 0;
 516                                 }
 517                                 else if (err == SSL_ERROR_WANT_READ)
 518                                 {
 519                                         SocketEngine::ChangeEventMask(user, FD_WANT_POLL_READ);
 520                                         return 0;
 521                                 }
 522                                 else
 523                                 {
 524                                         CloseSession();
 525                                         return -1;
 526                                 }
 527                         }
 528                 }
 529                 return 0;
 530         }
 531
 532         void TellCiphersAndFingerprint(LocalUser* user)
 533         {
 534                 if (sess)
 535                 {
 536                         std::string text = "*** You are connected using SSL cipher '" + std::string(SSL_get_cipher(sess)) + "'";
 537                         const std::string& fingerprint = certificate->fingerprint;
 538                         if (!fingerprint.empty())
 539                                 text += " and your SSL fingerprint is " + fingerprint;
 540
 541                         user->WriteNotice(text);
 542                 }
 543         }
 544 };
 545
 546 class OpenSSLIOHookProvider : public refcountbase, public IOHookProvider
 547 {
 548         reference<OpenSSL::Profile> profile;
 549
 550  public:
 551         OpenSSLIOHookProvider(Module* mod, reference<OpenSSL::Profile>& prof)
 552                 : IOHookProvider(mod, "ssl/" + prof->GetName(), IOHookProvider::IOH_SSL)
 553                 , profile(prof)
 554         {
 555                 ServerInstance->Modules->AddService(*this);
 556         }
 557
 558         ~OpenSSLIOHookProvider()
 559         {
 560                 ServerInstance->Modules->DelService(*this);
 561         }
 562
 563         void OnAccept(StreamSocket* sock, irc::sockets::sockaddrs* client, irc::sockets::sockaddrs* server) CXX11_OVERRIDE
 564         {
 565                 new OpenSSLIOHook(this, sock, false, profile->CreateServerSession(), profile);
 566         }
 567
 568         void OnConnect(StreamSocket* sock) CXX11_OVERRIDE
 569         {
 570                 new OpenSSLIOHook(this, sock, true, profile->CreateClientSession(), profile);
 571         }
 572 };
 573
 574 class ModuleSSLOpenSSL : public Module
 575 {
 576         typedef std::vector<reference<OpenSSLIOHookProvider> > ProfileList;
 577
 578         ProfileList profiles;
 579
 580         void ReadProfiles()
 581         {
 582                 ProfileList newprofiles;
 583                 ConfigTagList tags = ServerInstance->Config->ConfTags("sslprofile");
 584                 if (tags.first == tags.second)
 585                 {
 586                         // Create a default profile named "openssl"
 587                         const std::string defname = "openssl";
 588                         ConfigTag* tag = ServerInstance->Config->ConfValue(defname);
 589                         ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "No <sslprofile> tags found, using settings from the <openssl> tag");
 590
 591                         try
 592                         {
 593                                 reference<OpenSSL::Profile> profile(new OpenSSL::Profile(defname, tag));
 594                                 newprofiles.push_back(new OpenSSLIOHookProvider(this, profile));
 595                         }
 596                         catch (OpenSSL::Exception& ex)
 597                         {
 598                                 throw ModuleException("Error while initializing the default SSL profile - " + ex.GetReason());
 599                         }
 600                 }
 601
 602                 for (ConfigIter i = tags.first; i != tags.second; ++i)
 603                 {
 604                         ConfigTag* tag = i->second;
 605                         if (tag->getString("provider") != "openssl")
 606                                 continue;
 607
 608                         std::string name = tag->getString("name");
 609                         if (name.empty())
 610                         {
 611                                 ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "Ignoring <sslprofile> tag without name at " + tag->getTagLocation());
 612                                 continue;
 613                         }
 614
 615                         reference<OpenSSL::Profile> profile;
 616                         try
 617                         {
 618                                 profile = new OpenSSL::Profile(name, tag);
 619                         }
 620                         catch (CoreException& ex)
 621                         {
 622                                 throw ModuleException("Error while initializing SSL profile \"" + name + "\" at " + tag->getTagLocation() + " - " + ex.GetReason());
 623                         }
 624
 625                         newprofiles.push_back(new OpenSSLIOHookProvider(this, profile));
 626                 }
 627
 628                 profiles.swap(newprofiles);
 629         }
 630
 631  public:
 632         ModuleSSLOpenSSL()
 633         {
 634                 // Initialize OpenSSL
 635                 SSL_library_init();
 636                 SSL_load_error_strings();
 637         }
 638
 639         void init() CXX11_OVERRIDE
 640         {
 641                 ReadProfiles();
 642         }
 643
 644         void OnModuleRehash(User* user, const std::string &param) CXX11_OVERRIDE
 645         {
 646                 if (param != "ssl")
 647                         return;
 648
 649                 try
 650                 {
 651                         ReadProfiles();
 652                 }
 653                 catch (ModuleException& ex)
 654                 {
 655                         ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, ex.GetReason() + " Not applying settings.");
 656                 }
 657         }
 658
 659         void OnUserConnect(LocalUser* user) CXX11_OVERRIDE
 660         {
 661                 IOHook* hook = user->eh.GetIOHook();
 662                 if (hook && hook->prov->creator == this)
 663                         static_cast<OpenSSLIOHook*>(hook)->TellCiphersAndFingerprint(user);
 664         }
 665
 666         void OnCleanup(int target_type, void* item) CXX11_OVERRIDE
 667         {
 668                 if (target_type == TYPE_USER)
 669                 {
 670                         LocalUser* user = IS_LOCAL((User*)item);
 671
 672                         if (user && user->eh.GetIOHook() && user->eh.GetIOHook()->prov->creator == this)
 673                         {
 674                                 // User is using SSL, they're a local user, and they're using one of *our* SSL ports.
 675                                 // Potentially there could be multiple SSL modules loaded at once on different ports.
 676                                 ServerInstance->Users->QuitUser(user, "SSL module unloading");
 677                         }
 678                 }
 679         }
 680
 681         Version GetVersion() CXX11_OVERRIDE
 682         {
 683                 return Version("Provides SSL support for clients", VF_VENDOR);
 684         }
 685 };
 686
 687 MODULE_INIT(ModuleSSLOpenSSL)