* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
- /* HACK: This prevents OpenSSL on OS X 10.7 and later from spewing deprecation
- * warnings for every single function call. As far as I (SaberUK) know, Apple
- * have no plans to remove OpenSSL so this warning just causes needless spam.
- */
-#ifdef __APPLE__
-# define __AVAILABILITYMACROS__
-# define DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER
-#endif
#include "inspircd.h"
#include "iohook.h"
+#include "modules/ssl.h"
+
+// Ignore OpenSSL deprecation warnings on OS X Lion and newer.
+#if defined __APPLE__
+# pragma GCC diagnostic ignored "-Wdeprecated-declarations"
+#endif
+
#include <openssl/ssl.h>
#include <openssl/err.h>
-#include "modules/ssl.h"
#ifdef _WIN32
# pragma comment(lib, "libcrypto.lib")
# pragma comment(lib, "libgcc.lib")
# pragma comment(lib, "libmingwex.lib")
# pragma comment(lib, "gdi32.lib")
-# undef MAX_DESCRIPTORS
-# define MAX_DESCRIPTORS 10000
#endif
-/* $CompileFlags: pkgconfversion("openssl","0.9.7") pkgconfincludes("openssl","/openssl/ssl.h","") -Wno-pedantic */
+/* $CompileFlags: pkgconfversion("openssl","0.9.7") pkgconfincludes("openssl","/openssl/ssl.h","") */
/* $LinkerFlags: rpath("pkg-config --libs openssl") pkgconflibs("openssl","/libssl.so","-lssl -lcrypto") */
enum issl_status { ISSL_NONE, ISSL_HANDSHAKING, ISSL_OPEN };
Context(SSL_CTX* context)
: ctx(context)
{
+ // Sane default options for OpenSSL see https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html
+ // and when choosing a cipher, use the server's preferences instead of the client preferences.
+ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_CIPHER_SERVER_PREFERENCE);
SSL_CTX_set_mode(ctx, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, OnVerify);
+
+ const unsigned char session_id[] = "inspircd";
+ SSL_CTX_set_session_id_context(ctx, session_id, sizeof(session_id) - 1);
}
~Context()
certinfo->trusted = false;
}
- certinfo->dn = X509_NAME_oneline(X509_get_subject_name(cert),0,0);
- certinfo->issuer = X509_NAME_oneline(X509_get_issuer_name(cert),0,0);
+ char buf[512];
+ X509_NAME_oneline(X509_get_subject_name(cert), buf, sizeof(buf));
+ certinfo->dn = buf;
+ X509_NAME_oneline(X509_get_issuer_name(cert), buf, sizeof(buf));
+ certinfo->issuer = buf;
if (!X509_digest(cert, profile->GetDigest(), md, &n))
{
{
typedef std::vector<reference<OpenSSLIOHookProvider> > ProfileList;
- std::string sslports;
ProfileList profiles;
void ReadProfiles()
ReadProfiles();
}
- void ReadConfig(ConfigStatus& status) CXX11_OVERRIDE
- {
- sslports.clear();
-
- ConfigTag* Conf = ServerInstance->Config->ConfValue("openssl");
-
- if (Conf->getBool("showports", true))
- {
- sslports = Conf->getString("advertisedports");
- if (!sslports.empty())
- return;
-
- for (size_t i = 0; i < ServerInstance->ports.size(); i++)
- {
- ListenSocket* port = ServerInstance->ports[i];
- if (port->bind_tag->getString("ssl") != "openssl")
- continue;
-
- const std::string& portid = port->bind_desc;
- ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "Enabling SSL for port %s", portid.c_str());
-
- if (port->bind_tag->getString("type", "clients") == "clients" && port->bind_addr != "127.0.0.1")
- {
- /*
- * Found an SSL port for clients that is not bound to 127.0.0.1 and handled by us, display
- * the IP:port in ISUPPORT.
- *
- * We used to advertise all ports seperated by a ';' char that matched the above criteria,
- * but this resulted in too long ISUPPORT lines if there were lots of ports to be displayed.
- * To solve this by default we now only display the first IP:port found and let the user
- * configure the exact value for the 005 token, if necessary.
- */
- sslports = portid;
- break;
- }
- }
- }
- }
-
void OnModuleRehash(User* user, const std::string ¶m) CXX11_OVERRIDE
{
if (param != "ssl")
}
}
- void On005Numeric(std::map<std::string, std::string>& tokens) CXX11_OVERRIDE
- {
- if (!sslports.empty())
- tokens["SSL"] = sslports;
- }
-
void OnUserConnect(LocalUser* user) CXX11_OVERRIDE
{
IOHook* hook = user->eh.GetIOHook();
projects / user / henk / code / inspircd.git / blobdiff