+
+ static void SetContextOptions(SSL_CTX* ctx, long defoptions, const std::string& ctxname, ConfigTag* tag)
+ {
+ long setoptions = tag->getInt(ctxname + "setoptions");
+ // User-friendly config options for setting context options
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+ if (tag->getBool("cipherserverpref"))
+ setoptions |= SSL_OP_CIPHER_SERVER_PREFERENCE;
+#endif
+#ifdef SSL_OP_NO_COMPRESSION
+ if (!tag->getBool("compression", true))
+ setoptions |= SSL_OP_NO_COMPRESSION;
+#endif
+ if (!tag->getBool("sslv3", true))
+ setoptions |= SSL_OP_NO_SSLv3;
+ if (!tag->getBool("tlsv1", true))
+ setoptions |= SSL_OP_NO_TLSv1;
+
+ long clearoptions = tag->getInt(ctxname + "clearoptions");
+ ServerInstance->Logs->Log("m_ssl_openssl", DEBUG, "Setting OpenSSL %s context options, default: %ld set: %ld clear: %ld", ctxname.c_str(), defoptions, setoptions, clearoptions);
+
+ // Clear everything
+ SSL_CTX_clear_options(ctx, SSL_CTX_get_options(ctx));
+
+ // Set the default options and what is in the conf
+ SSL_CTX_set_options(ctx, defoptions | setoptions);
+ long final = SSL_CTX_clear_options(ctx, clearoptions);
+ ServerInstance->Logs->Log("m_ssl_openssl", DEFAULT, "OpenSSL %s context options: %ld", ctxname.c_str(), final);
+ }
+
+#ifdef INSPIRCD_OPENSSL_ENABLE_ECDH
+ void SetupECDH(ConfigTag* tag)
+ {
+ std::string curvename = tag->getString("ecdhcurve", "prime256v1");
+ if (curvename.empty())
+ return;
+
+ int nid = OBJ_sn2nid(curvename.c_str());
+ if (nid == 0)
+ {
+ ServerInstance->Logs->Log("m_ssl_openssl", DEFAULT, "m_ssl_openssl.so: Unknown curve: \"%s\"", curvename.c_str());
+ return;
+ }
+
+ EC_KEY* eckey = EC_KEY_new_by_curve_name(nid);
+ if (!eckey)
+ {
+ ServerInstance->Logs->Log("m_ssl_openssl", DEFAULT, "m_ssl_openssl.so: Unable to create EC key object");
+ return;
+ }
+
+ ERR_clear_error();
+ if (SSL_CTX_set_tmp_ecdh(ctx, eckey) < 0)
+ {
+ ServerInstance->Logs->Log("m_ssl_openssl", DEFAULT, "m_ssl_openssl.so: Couldn't set ECDH parameters");
+ ERR_print_errors_cb(error_callback, this);
+ }
+
+ EC_KEY_free(eckey);
+ }
+#endif
+
+#ifdef INSPIRCD_OPENSSL_ENABLE_RENEGO_DETECTION
+ static void SSLInfoCallback(const SSL* ssl, int where, int rc)
+ {
+ int fd = SSL_get_fd(const_cast<SSL*>(ssl));
+ issl_session& session = opensslmod->sessions[fd];
+
+ if ((where & SSL_CB_HANDSHAKE_START) && (session.status == ISSL_OPEN))
+ {
+ // The other side is trying to renegotiate, kill the connection and change status
+ // to ISSL_NONE so CheckRenego() closes the session
+ session.status = ISSL_NONE;
+ ServerInstance->SE->Shutdown(fd, 2);
+ }
+ }
+
+ bool CheckRenego(StreamSocket* sock, issl_session* session)
+ {
+ if (session->status != ISSL_NONE)
+ return true;
+
+ ServerInstance->Logs->Log("m_ssl_openssl", DEBUG, "Session %p killed, attempted to renegotiate", (void*)session->sess);
+ CloseSession(session);
+ sock->SetError("Renegotiation is not allowed");
+ return false;
+ }
+#endif
+
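Review bot: In SetupECDH the failure test `SSL_CTX_set_tmp_ecdh(ctx, eckey) < 0` will not fire, because that call reports failure as 0 and success as 1. A failed setup is therefore never logged and the context presumably ends up without ECDHE key exchange; write it as `if (SSL_CTX_set_tmp_ecdh(ctx, eckey) != 1)`. Separately, SetContextOptions reads `sslv3` and `compression` with a default of true, so SSLv3 and TLS compression stay enabled unless the operator turns them off or `defoptions`, which is supplied by a caller outside this hunk, already disables them; defaulting both to false would be safer. In SSLInfoCallback, `SSL_get_fd` returns -1 when no descriptor is attached, and that value is used directly as the index in `opensslmod->sessions[fd]`; an `if (fd < 0) return;` guard before the lookup would cover it. SetupECDH and CheckRenego use `ctx`, `this` and `CloseSession`, so they belong to a class whose declaration lies outside the hunk.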