From ccebfe6e637b420bef05e8e0faf29bb19f1883d9 Mon Sep 17 00:00:00 2001 From: Matt Schatz Date: Sun, 12 Apr 2020 22:56:10 -0600 Subject: [PATCH] Update user-facing text and comments of SSL to TLS. --- docs/conf/helpop.conf.example | 10 +++--- docs/conf/inspircd.conf.example | 20 +++++------ docs/conf/links.conf.example | 8 ++--- docs/conf/modules.conf.example | 45 +++++++++++++------------ docs/conf/opers.conf.example | 10 +++--- include/base.h | 2 +- include/modules.h | 2 +- include/modules/ssl.h | 40 +++++++++++----------- src/helperfuncs.cpp | 2 +- src/listensocket.cpp | 2 +- src/modules.cpp | 2 +- src/modules/extra/m_ssl_gnutls.cpp | 16 ++++----- src/modules/extra/m_ssl_mbedtls.cpp | 16 ++++----- src/modules/extra/m_ssl_openssl.cpp | 14 ++++---- src/modules/extra/m_sslrehashsignal.cpp | 2 +- src/modules/m_haproxy.cpp | 6 ++-- src/modules/m_ircv3_sts.cpp | 4 +-- src/modules/m_sslinfo.cpp | 16 +++++---- src/modules/m_sslmodes.cpp | 10 +++--- src/modules/m_starttls.cpp | 2 +- 20 files changed, 116 insertions(+), 113 deletions(-) diff --git a/docs/conf/helpop.conf.example b/docs/conf/helpop.conf.example index 7f36006a0..b0de1672c 100644 --- a/docs/conf/helpop.conf.example +++ b/docs/conf/helpop.conf.example @@ -47,7 +47,7 @@ Sends a message to the network service specified in . "> @@ -845,8 +845,8 @@ using their cloak when they quit. (requires the services account module). w Receives wallops messages. x Gives a cloaked hostname (requires the cloaking module). - z Only allow private messages from SSL users (requires the - sslmodes module). + z Only allow private messages from TLS (SSL) users (requires + the sslmodes module). B Marks as a bot (requires the botmode module). D Privdeaf mode. User will not receive any private messages or notices from users (requires the deaf module). 
@@ -926,7 +926,7 @@ using their cloak when they quit. For example, +w o:R:Brain will op anyone identified to the account 'Brain' on join. (requires the autoop module) - z Blocks non-SSL clients from joining the channel + z Blocks non-TLS (SSL) clients from joining the channel (requires the sslmodes module). A Allows anyone to invite users to the channel @@ -1101,7 +1101,7 @@ Matching extbans: gecosban module). s: Matches users on a matching server (requires the serverban module). - z: Matches users having the given SSL certificate + z: Matches users having the given TLS (SSL) certificate fingerprint (requires the sslmodes module). O: Matches server operators of a matching type, mostly useful as an invite exception (requires the diff --git a/docs/conf/inspircd.conf.example b/docs/conf/inspircd.conf.example index e3d76ff3b..1544666a9 100644 --- a/docs/conf/inspircd.conf.example +++ b/docs/conf/inspircd.conf.example @@ -153,10 +153,10 @@ # to this bind section. type="clients" - # ssl: If you want the port(s) in this bind tag to use SSL, set this to + # ssl: If you want the port(s) in this bind tag to use TLS (SSL), set this to # the name of a custom tag that you have defined or one # of "openssl", "gnutls", "mbedtls" if you have not defined any. See the - # docs page for the SSL module you are using for more details. + # docs page for the TLS (SSL) module you are using for more details. # # You will need to load the ssl_openssl module for OpenSSL, ssl_gnutls # for GnuTLS and ssl_mbedtls for mbedTLS. 
@@ -211,11 +211,11 @@ # module). # -# You can define a custom tag which defines the SSL configuration -# for this listener. See the docs page for the SSL module you are using for +# You can define a custom tag which defines the TLS (SSL) configuration +# for this listener. See the docs page for the TLS (SSL) module you are using for # more details. # -# Alternatively, you can use one of the default SSL profiles which are created +# Alternatively, you can use one of the default TLS (SSL) profiles which are created # when you have not defined any: # "openssl" (requires the ssl_openssl module) # "gnutls" (requires the ssl_gnutls module) @@ -244,8 +244,8 @@ # Connect blocks are searched twice for each user - once when the TCP # # connection is accepted, and once when the user completes their # # registration. Most of the information (hostname, ident response, # -# password, SSL when using STARTTLS, etc) is only available during # -# the second search, so if you are trying to make a closed server, # +# password, TLS (SSL) when using STARTTLS, etc) is only available # +# during the second search. If you are trying to make a closed server # # you will probably need a connect block just for user registration. # # This can be done by using # @@ -344,10 +344,10 @@ # Requires the ident module to be loaded. #requireident="yes" - # requiressl: Require that users of this block use an SSL connection. - # This can also be set to "trusted", as to only accept certificates + # requiressl: Require that users of this block use a TLS (SSL) connection. + # This can also be set to "trusted", as to only accept client certificates # issued by a certificate authority that you can configure in the - # settings of the SSL module that you're using. + # settings of the TLS (SSL) module that you're using. # Requires the sslinfo module to be loaded. #requiressl="yes" diff --git a/docs/conf/links.conf.example b/docs/conf/links.conf.example index 09b3bb3d5..256ac10f9 100644 
--- a/docs/conf/links.conf.example +++ b/docs/conf/links.conf.example @@ -36,10 +36,10 @@ # failover (see above). timeout="5m" - # ssl: If defined, this states the SSL profile that will be used when + # ssl: If defined, this states the TLS (SSL) profile that will be used when # making an outbound connection to the server. Options are the name of an # tag that you have defined or one of "openssl", "gnutls", - # "mbedtls" if you have not defined any. See the docs page for the SSL + # "mbedtls" if you have not defined any. See the docs page for the TLS (SSL) # module you are using for more details. # # You will need to load the ssl_openssl module for OpenSSL, ssl_gnutls @@ -48,9 +48,9 @@ ssl="gnutls" # fingerprint: If defined, this option will force servers to be - # authenticated using SSL certificate fingerprints. See + # authenticated using TLS (SSL) certificate fingerprints. See # https://docs.inspircd.org/3/modules/spanningtree for more information. - # This will require an SSL link for both inbound and outbound connections. + # This will require a TLS (SSL) link for both inbound and outbound connections. #fingerprint="" # bind: Local IP address to bind to. diff --git a/docs/conf/modules.conf.example b/docs/conf/modules.conf.example index c7a3f7dc7..37492ac09 100644 --- a/docs/conf/modules.conf.example +++ b/docs/conf/modules.conf.example @@ -210,7 +210,7 @@ # For example +w o:*!Attila@127.0.0.1 will op anyone matching that mask # on join. This can be combined with extbans, for example +w o:R:Brain # will op anyone identified to the account "Brain". -# Another useful combination is with SSL client certificate +# Another useful combination is with TLS (SSL) client certificate # fingerprints: +w h:z:72db600734bb9546c1bdd02377bc21d2a9690d48 will # give halfop to the user(s) having the given certificate. # 
@@ -349,7 +349,7 @@ # IRCv3 WebIRC specification at: https://ircv3.net/specs/extensions/webirc.html # # When using this method you must specify a wildcard mask or CIDR range -# to allow gateway connections from and at least one of either a SSL +# to allow gateway connections from and at least one of either a TLS (SSL) # client certificate fingerprint for the gateway or a password to be # sent in the WEBIRC command. # @@ -1951,8 +1951,8 @@ # You must define to the name of your services server so # that InspIRCd knows where to send SASL authentication messages and # when it should enable the SASL capability. -# You can also define to require users to use SSL in -# order to be able to use SASL. +# You can also define to require users to use TLS (SSL) +# in order to be able to use SASL. # @@ -2112,11 +2112,11 @@ # #-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-# -# SSL mode module: Adds support for SSL-only channels via the '+z' -# channel mode, SSL-only private messages via the '+z' user mode and -# the 'z:' extban which matches SSL client certificate fingerprints. +# SSL mode module: Adds support for TLS (SSL)-only channels via the '+z' +# channel mode, TLS (SSL)-only private messages via the '+z' user mode and +# the 'z:' extban which matches TLS (SSL) client certificate fingerprints. # -# Does not do anything useful without a working SSL module and the +# Does not do anything useful without a working TLS (SSL) module and the # sslinfo module (see below). # # 
@@ -2125,15 +2125,15 @@ # #-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-# -# SSL rehash signal module: Allows the SSL modules to be rehashed by +# SSL rehash signal module: Allows the TLS (SSL) modules to be rehashed by # sending SIGUSR1 to a running InspIRCd process. -# This modules is in extras. Re-run configure with: +# This module is in extras. Re-run configure with: # ./configure --enable-extras sslrehashsignal # and run make install, then uncomment this module to enable it. # #-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-# -# GnuTLS SSL module: Adds support for SSL/TLS connections using GnuTLS, +# GnuTLS SSL module: Adds support for TLS (SSL) connections using GnuTLS, # if enabled. You must answer 'yes' in ./configure when asked or # manually symlink the source for this module from the directory # src/modules/extra, if you want to enable this, or it will not load. 
@@ -2146,26 +2146,26 @@ #-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-# # SSL info module: Allows users to retrieve information about other -# users' peer SSL certificates and keys via the SSLINFO command. +# users' peer TLS (SSL) certificates and keys via the SSLINFO command. # This can be used by client scripts to validate users. For this to # work, one of ssl_gnutls, ssl_mbedtls or ssl_openssl must be loaded. # This module also adds the " is using a secure connection" -# and " has client certificate fingerprint " -# WHOIS lines, the ability for opers to use SSL cert fingerprints to -# verify their identity and the ability to force opers to use SSL +# and " has TLS (SSL) client certificate fingerprint " +# WHOIS lines, the ability for opers to use TLS (SSL) cert fingerprints to +# verify their identity and the ability to force opers to use TLS (SSL) # connections in order to oper up. It is highly recommended to load -# this module if you use SSL on your network. +# this module if you use TLS (SSL) on your network. # For how to use the oper features, please see the first # example tag in opers.conf.example. # # # -# If you want to prevent users from viewing SSL certificate information +# If you want to prevent users from viewing TLS (SSL) certificate information # and fingerprints of other users, set operonly to yes. # #-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-# -# mbedTLS SSL module: Adds support for SSL/TLS connections using mbedTLS. +# mbedTLS TLS (SSL) module: Adds support for TLS (SSL) connections using mbedTLS. # # #-#-#-#-#-#-#-#-#-#-#- MBEDTLS CONFIGURATION -#-#-#-#-#-#-#-#-#-#-#-# 
@@ -2174,7 +2174,7 @@ # https://docs.inspircd.org/3/modules/ssl_mbedtls # #-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-# -# OpenSSL SSL module: Adds support for SSL/TLS connections using OpenSSL, +# OpenSSL TLS (SSL) module: Adds support for TLS (SSL) connections using OpenSSL, # if enabled. You must answer 'yes' in ./configure when asked or symlink # the source for this module from the directory src/modules/extra, if # you want to enable this, or it will not load. @@ -2246,8 +2246,9 @@ #-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-# # StartTLS module: Implements STARTTLS, which allows clients # -# connected to non SSL enabled ports to enable SSL, if a proper SSL # -# module is loaded (either ssl_gnutls, ssl_mbedtls or ssl_openssl). # +# connected to non TLS (SSL) enabled ports to enable TLS (SSL), if # +# a proper TLS (SSL) module is loaded (either ssl_gnutls, # +# ssl_mbedtls or ssl_openssl). # # #-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-# @@ -2330,7 +2331,7 @@ #-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-# # WebSocket module: Adds HTML5 WebSocket support. # Specify hook="websocket" in a tag to make that port accept -# WebSocket connections. Compatible with SSL/TLS. +# WebSocket connections. Compatible with TLS (SSL). # Requires SHA-1 hash support available in the sha1 module. # # diff --git a/docs/conf/opers.conf.example b/docs/conf/opers.conf.example index dfde001b5..2c5da870a 100644 --- a/docs/conf/opers.conf.example +++ b/docs/conf/opers.conf.example 
@@ -116,18 +116,18 @@ # a key fingerprint here. This can be obtained by using the /SSLINFO # command while the module is loaded, and is also noticed on connect. # This enhances security by verifying that the person opering up has - # a matching SSL client certificate, which is very difficult to + # a matching TLS (SSL) client certificate, which is very difficult to # forge (impossible unless preimage attacks on the hash exist). # If the sslinfo module isn't loaded, this option will be ignored. #fingerprint="67cb9dc013248a829bb2171ed11becd4" - # autologin: If an SSL certificate fingerprint for this oper is specified, + # autologin: If a TLS (SSL) client certificate fingerprint for this oper is specified, # you can have the oper block automatically log in. This moves all security - # of the oper block to the protection of the client certificate, so be sure + # of the oper block to the protection of the TLS (SSL) client certificate, so be sure # that the private key is well-protected! Requires the sslinfo module. - #autologin="on" + #autologin="yes" - # sslonly: If on, this oper can only oper up if they're using an SSL connection. + # sslonly: If enabled, this oper can only oper up if they're using a TLS (SSL) connection. # Setting this option adds a decent bit of security. Highly recommended # if the oper is on wifi, or specifically, unsecured wifi. Note that it # is redundant to specify this option if you specify a fingerprint. diff --git a/include/base.h b/include/base.h index deeabf255..41ed723c5 100644 --- a/include/base.h +++ b/include/base.h @@ -239,7 +239,7 @@ enum ServiceType { SERVICE_METADATA, /** is a data processing provider (MD5, SQL) */ SERVICE_DATA, - /** is an I/O hook provider (SSL) */ + /** is an I/O hook provider */ SERVICE_IOHOOK, /** Service managed by a module */ SERVICE_CUSTOM diff --git a/include/modules.h b/include/modules.h index 75bbcb8de..82684cac8 100644 --- a/include/modules.h +++ b/include/modules.h 
@@ -376,7 +376,7 @@ class CoreExport Module : public classbase, public usecountbase /** Called on rehash. * This method is called when a user initiates a module-specific rehash. This can be used to do - * expensive operations (such as reloading SSL certificates) that are not executed on a normal + * expensive operations (such as reloading TLS (SSL) certificates) that are not executed on a normal * rehash for efficiency. A rehash of this type does not reload the core configuration. * * @param user The user performing the rehash. diff --git a/include/modules/ssl.h b/include/modules/ssl.h index 88a6751e4..01e08b2e2 100644 --- a/include/modules/ssl.h +++ b/include/modules/ssl.h @@ -30,7 +30,7 @@ #include #include "iohook.h" -/** ssl_cert is a class which abstracts SSL certificate +/** ssl_cert is a class which abstracts TLS (SSL) certificate * and key information. * * Because gnutls and openssl represent key information in @@ -153,7 +153,7 @@ class ssl_cert : public refcountbase class SSLIOHook : public IOHook { protected: - /** Peer SSL certificate, set by the SSL module + /** Peer TLS (SSL) certificate, set by the TLS (SSL) module */ reference certificate; @@ -167,7 +167,7 @@ class SSLIOHook : public IOHook if ((sendq.size() <= 1) || (sendq.front().length() >= targetsize)) return; - // Avoid multiple repeated SSL encryption invocations + // Avoid multiple repeated TLS (SSL) encryption invocations // This adds a single copy of the queue, but avoids // much more overhead in terms of system calls invoked // by an IOHook. @@ -198,7 +198,7 @@ class SSLIOHook : public IOHook /** * Get the certificate sent by this peer - * @return The SSL certificate sent by the peer, NULL if no cert was sent + * @return The TLS (SSL) certificate sent by the peer, NULL if no cert was sent */ virtual ssl_cert* GetCertificate() const { 
@@ -207,7 +207,7 @@ class SSLIOHook : public IOHook /** * Get the fingerprint of the peer's certificate - * @return The fingerprint of the SSL client certificate sent by the peer, + * @return The fingerprint of the TLS (SSL) client certificate sent by the peer, * empty if no cert was sent */ virtual std::string GetFingerprint() const @@ -225,14 +225,14 @@ class SSLIOHook : public IOHook virtual void GetCiphersuite(std::string& out) const = 0; - /** Retrieves the name of the SSL connection which is sent via SNI. + /** Retrieves the name of the TLS (SSL) connection which is sent via SNI. * @param out String that the server name will be appended to. * returns True if the server name was retrieved; otherwise, false. */ virtual bool GetServerName(std::string& out) const = 0; }; -/** Helper functions for obtaining SSL client certificates and key fingerprints +/** Helper functions for obtaining TLS (SSL) client certificates and key fingerprints * from StreamSockets */ class SSLClientCert @@ -240,8 +240,8 @@ class SSLClientCert public: /** * Get the client certificate from a socket - * @param sock The socket to get the certificate from, the socket does not have to use SSL - * @return The SSL client certificate information, NULL if the peer is not using SSL + * @param sock The socket to get the certificate from, the socket does not have to use TLS (SSL) + * @return The TLS (SSL) client certificate information, NULL if the peer is not using TLS (SSL) */ static ssl_cert* GetCertificate(StreamSocket* sock) { 
@@ -255,9 +255,9 @@ class SSLClientCert /** * Get the fingerprint of a client certificate from a socket * @param sock The socket to get the certificate fingerprint from, the - * socket does not have to use SSL - * @return The key fingerprint from the SSL certificate sent by the peer, - * empty if no cert was sent or the peer is not using SSL + * socket does not have to use TLS (SSL) + * @return The key fingerprint from the TLS (SSL) certificate sent by the peer, + * empty if no cert was sent or the peer is not using TLS (SSL) */ static std::string GetFingerprint(StreamSocket* sock) { @@ -276,22 +276,22 @@ class UserCertificateAPIBase : public DataProvider { } - /** Get the SSL certificate of a user + /** Get the TLS (SSL) certificate of a user * @param user The user whose certificate to get, user may be remote - * @return The SSL certificate of the user or NULL if the user is not using SSL + * @return The TLS (SSL) certificate of the user or NULL if the user is not using TLS (SSL) */ virtual ssl_cert* GetCertificate(User* user) = 0; - /** Set the SSL certificate of a user. + /** Set the TLS (SSL) certificate of a user. * @param user The user whose certificate to set. - * @param cert The SSL certificate to set for the user. + * @param cert The TLS (SSL) certificate to set for the user. */ virtual void SetCertificate(User* user, ssl_cert* cert) = 0; /** Get the key fingerprint from a user's certificate * @param user The user whose key fingerprint to get, user may be remote - * @return The key fingerprint from the user's SSL certificate or an empty string - * if the user is not using SSL or did not provide a client certificate + * @return The key fingerprint from the user's TLS (SSL) certificate or an empty string + * if the user is not using TLS (SSL) or did not provide a client certificate */ std::string GetFingerprint(User* user) { 
@@ -302,9 +302,9 @@ class UserCertificateAPIBase : public DataProvider } }; -/** API implemented by m_sslinfo that allows modules to retrive the SSL certificate +/** API implemented by m_sslinfo that allows modules to retrive the TLS (SSL) certificate * information of local and remote users. It can also be used to find out whether a - * user is using SSL or not. + * user is using TLS (SSL) or not. */ class UserCertificateAPI : public dynamic_reference { diff --git a/src/helperfuncs.cpp b/src/helperfuncs.cpp index 913bc0861..e019a660b 100644 --- a/src/helperfuncs.cpp +++ b/src/helperfuncs.cpp @@ -536,7 +536,7 @@ unsigned long InspIRCd::GenRandomInt(unsigned long max) return rv % max; } -// This is overridden by a higher-quality algorithm when SSL support is loaded +// This is overridden by a higher-quality algorithm when TLS (SSL) support is loaded void InspIRCd::DefaultGenRandom(char* output, size_t max) { #if defined HAS_ARC4RANDOM_BUF diff --git a/src/listensocket.cpp b/src/listensocket.cpp index 7e73c1926..4bbffe0c0 100644 --- a/src/listensocket.cpp +++ b/src/listensocket.cpp @@ -244,6 +244,6 @@ void ListenSocket::ResetIOHookProvider() if (!provname.empty()) provname.insert(0, "ssl/"); - // SSL should be the last + // TLS (SSL) should be the last iohookprovs.back().SetProvider(provname); } diff --git a/src/modules.cpp b/src/modules.cpp index 2b83bc0d8..36f5409c4 100644 --- a/src/modules.cpp +++ b/src/modules.cpp @@ -397,7 +397,7 @@ void ModuleManager::DoSafeUnload(Module* mod) for (user_hash::const_iterator u = users.begin(); u != users.end(); ) { User* user = u->second; - // The module may quit the user (e.g. SSL mod unloading) and that will remove it from the container + // The module may quit the user (e.g. TLS (SSL) mod unloading) and that will remove it from the container ++u; mod->OnCleanup(ExtensionItem::EXT_USER, user); user->doUnhookExtensions(items); 
diff --git a/src/modules/extra/m_ssl_gnutls.cpp b/src/modules/extra/m_ssl_gnutls.cpp index 4d9216123..6cafcae22 100644 --- a/src/modules/extra/m_ssl_gnutls.cpp +++ b/src/modules/extra/m_ssl_gnutls.cpp @@ -907,7 +907,7 @@ info_done_dealloc: } CloseSession(); - sock->SetError("No SSL session"); + sock->SetError("No TLS (SSL) session"); return -1; } @@ -1291,7 +1291,7 @@ class ModuleSSLGnuTLS : public Module { // First, store all profiles in a new, temporary container. If no problems occur, swap the two // containers; this way if something goes wrong we can go back and continue using the current profiles, - // avoiding unpleasant situations where no new SSL connections are possible. + // avoiding unpleasant situations where no new TLS (SSL) connections are possible. ProfileList newprofiles; ConfigTagList tags = ServerInstance->Config->ConfTags("sslprofile"); @@ -1309,7 +1309,7 @@ class ModuleSSLGnuTLS : public Module } catch (CoreException& ex) { - throw ModuleException("Error while initializing the default SSL profile - " + ex.GetReason()); + throw ModuleException("Error while initializing the default TLS (SSL) profile - " + ex.GetReason()); } } @@ -1334,7 +1334,7 @@ class ModuleSSLGnuTLS : public Module } catch (CoreException& ex) { - throw ModuleException("Error while initializing SSL profile \"" + name + "\" at " + tag->getTagLocation() + " - " + ex.GetReason()); + throw ModuleException("Error while initializing TLS (SSL) profile \"" + name + "\" at " + tag->getTagLocation() + " - " + ex.GetReason()); } newprofiles.push_back(prov); @@ -1375,7 +1375,7 @@ class ModuleSSLGnuTLS : public Module try { ReadProfiles(); - ServerInstance->SNO->WriteToSnoMask('a', "SSL module %s rehashed.", MODNAME); + ServerInstance->SNO->WriteToSnoMask('a', "TLS (SSL) module GnuTLS rehashed."); } catch (ModuleException& ex) { 
@@ -1396,9 +1396,9 @@ class ModuleSSLGnuTLS : public Module if ((user) && (user->eh.GetModHook(this))) { - // User is using SSL, they're a local user, and they're using one of *our* SSL ports. - // Potentially there could be multiple SSL modules loaded at once on different ports. - ServerInstance->Users->QuitUser(user, "SSL module unloading"); + // User is using TLS (SSL), they're a local user, and they're using one of *our* TLS (SSL) ports. + // Potentially there could be multiple TLS (SSL) modules loaded at once on different ports. + ServerInstance->Users->QuitUser(user, "GnuTLS module unloading"); } } } diff --git a/src/modules/extra/m_ssl_mbedtls.cpp b/src/modules/extra/m_ssl_mbedtls.cpp index dded7e171..628230d29 100644 --- a/src/modules/extra/m_ssl_mbedtls.cpp +++ b/src/modules/extra/m_ssl_mbedtls.cpp @@ -586,7 +586,7 @@ class mbedTLSIOHook : public SSLIOHook } CloseSession(); - sock->SetError("No SSL session"); + sock->SetError("No TLS (SSL) session"); return -1; } @@ -865,7 +865,7 @@ class ModuleSSLmbedTLS : public Module { // First, store all profiles in a new, temporary container. If no problems occur, swap the two // containers; this way if something goes wrong we can go back and continue using the current profiles, - // avoiding unpleasant situations where no new SSL connections are possible. + // avoiding unpleasant situations where no new TLS (SSL) connections are possible. ProfileList newprofiles; ConfigTagList tags = ServerInstance->Config->ConfTags("sslprofile"); @@ -883,7 +883,7 @@ class ModuleSSLmbedTLS : public Module } catch (CoreException& ex) { - throw ModuleException("Error while initializing the default SSL profile - " + ex.GetReason()); + throw ModuleException("Error while initializing the default TLS (SSL) profile - " + ex.GetReason()); } } 
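Review bot: The new quit reason in the m_ssl_gnutls.cpp cleanup hunk, `"GnuTLS module unloading"`, names the TLS backend in text that is normally relayed to other users as the quit message, where the old `"SSL module unloading"` was generic. The m_ssl_mbedtls.cpp and m_ssl_openssl.cpp cleanup hunks do the same with `"mbedTLS module unloading"` and `"OpenSSL module unloading"`. If telling ordinary users which library the server links against is not intended, keep the reason generic, `ServerInstance->Users->QuitUser(user, "TLS (SSL) module unloading");`, and leave the library name to the 'a' snomask rehash notice. The enclosing function starts outside the hunk.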
@@ -908,7 +908,7 @@ class ModuleSSLmbedTLS : public Module } catch (CoreException& ex) { - throw ModuleException("Error while initializing SSL profile \"" + name + "\" at " + tag->getTagLocation() + " - " + ex.GetReason()); + throw ModuleException("Error while initializing TLS (SSL) profile \"" + name + "\" at " + tag->getTagLocation() + " - " + ex.GetReason()); } newprofiles.push_back(prov); @@ -945,7 +945,7 @@ class ModuleSSLmbedTLS : public Module try { ReadProfiles(); - ServerInstance->SNO->WriteToSnoMask('a', "SSL module %s rehashed.", MODNAME); + ServerInstance->SNO->WriteToSnoMask('a', "TLS (SSL) module mbedTLS rehashed."); } catch (ModuleException& ex) { @@ -961,9 +961,9 @@ class ModuleSSLmbedTLS : public Module LocalUser* user = IS_LOCAL(static_cast(item)); if ((user) && (user->eh.GetModHook(this))) { - // User is using SSL, they're a local user, and they're using our IOHook. - // Potentially there could be multiple SSL modules loaded at once on different ports. - ServerInstance->Users.QuitUser(user, "SSL module unloading"); + // User is using TLS (SSL), they're a local user, and they're using our IOHook. + // Potentially there could be multiple TLS (SSL) modules loaded at once on different ports. + ServerInstance->Users.QuitUser(user, "mbedTLS module unloading"); } } diff --git a/src/modules/extra/m_ssl_openssl.cpp b/src/modules/extra/m_ssl_openssl.cpp index 330055e4a..30cabdf27 100644 --- a/src/modules/extra/m_ssl_openssl.cpp +++ b/src/modules/extra/m_ssl_openssl.cpp @@ -251,7 +251,7 @@ namespace OpenSSL X509_STORE* store = SSL_CTX_get_cert_store(ctx); if (!store) { - throw ModuleException("Unable to get X509_STORE from SSL context; this should never happen"); + throw ModuleException("Unable to get X509_STORE from TLS (SSL) context; this should never happen"); } ERR_clear_error(); if (!X509_STORE_load_locations(store, 
@@ -987,7 +987,7 @@ class ModuleSSLOpenSSL : public Module } catch (OpenSSL::Exception& ex) { - throw ModuleException("Error while initializing the default SSL profile - " + ex.GetReason()); + throw ModuleException("Error while initializing the default TLS (SSL) profile - " + ex.GetReason()); } } @@ -1011,7 +1011,7 @@ class ModuleSSLOpenSSL : public Module } catch (CoreException& ex) { - throw ModuleException("Error while initializing SSL profile \"" + name + "\" at " + tag->getTagLocation() + " - " + ex.GetReason()); + throw ModuleException("Error while initializing TLS (SSL) profile \"" + name + "\" at " + tag->getTagLocation() + " - " + ex.GetReason()); } newprofiles.push_back(prov); @@ -1062,7 +1062,7 @@ class ModuleSSLOpenSSL : public Module try { ReadProfiles(); - ServerInstance->SNO->WriteToSnoMask('a', "SSL module %s rehashed.", MODNAME); + ServerInstance->SNO->WriteToSnoMask('a', "TLS (SSL) module OpenSSL rehashed."); } catch (ModuleException& ex) { @@ -1078,9 +1078,9 @@ class ModuleSSLOpenSSL : public Module if ((user) && (user->eh.GetModHook(this))) { - // User is using SSL, they're a local user, and they're using one of *our* SSL ports. - // Potentially there could be multiple SSL modules loaded at once on different ports. - ServerInstance->Users->QuitUser(user, "SSL module unloading"); + // User is using TLS (SSL), they're a local user, and they're using one of *our* TLS (SSL) ports. + // Potentially there could be multiple TLS (SSL) modules loaded at once on different ports. + ServerInstance->Users->QuitUser(user, "OpenSSL module unloading"); } } } diff --git a/src/modules/extra/m_sslrehashsignal.cpp b/src/modules/extra/m_sslrehashsignal.cpp index c0cf8fada..b70deedfa 100644 --- a/src/modules/extra/m_sslrehashsignal.cpp +++ b/src/modules/extra/m_sslrehashsignal.cpp 
@@ -45,7 +45,7 @@ class ModuleSSLRehashSignal : public Module if (!signaled) return; - const std::string feedbackmsg = "Got SIGUSR1, reloading SSL credentials"; + const std::string feedbackmsg = "Got SIGUSR1, reloading TLS (SSL) credentials"; ServerInstance->SNO->WriteGlobalSno('a', feedbackmsg); ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, feedbackmsg); diff --git a/src/modules/m_haproxy.cpp b/src/modules/m_haproxy.cpp index f18738779..1a6583e6f 100644 --- a/src/modules/m_haproxy.cpp +++ b/src/modules/m_haproxy.cpp @@ -200,16 +200,16 @@ class HAProxyHook : public IOHookMiddle if (!sslapi) return true; - // If the client is not connecting via SSL the rest of this TLV is irrelevant. + // If the client is not connecting via TLS (SSL) the rest of this TLV is irrelevant. std::string& recvq = GetRecvQ(); if ((recvq[start_index] & PP2_CLIENT_SSL) == 0) return true; // Create a fake ssl_cert for the user. Ideally we should use the user's - // SSL client certificate here but as of 2018-10-16 this is not forwarded + // TLS (SSL) client certificate here but as of 2018-10-16 this is not forwarded // by HAProxy. ssl_cert* cert = new ssl_cert; - cert->error = "HAProxy does not forward client SSL certificates"; + cert->error = "HAProxy does not forward client TLS (SSL) certificates"; cert->invalid = true; cert->revoked = true; cert->trusted = false; diff --git a/src/modules/m_ircv3_sts.cpp b/src/modules/m_ircv3_sts.cpp index 6d616f74e..bca378f24 100644 --- a/src/modules/m_ircv3_sts.cpp +++ b/src/modules/m_ircv3_sts.cpp @@ -128,7 +128,7 @@ class ModuleIRCv3STS : public Module private: STSCap cap; - // The IRCv3 STS specification requires that the server is listening using SSL using a valid certificate. + // The IRCv3 STS specification requires that the server is listening using TLS (SSL) using a valid certificate. bool HasValidSSLPort(unsigned int port) { for (std::vector::const_iterator iter = ServerInstance->ports.begin(); iter != ServerInstance->ports.end(); ++iter) 
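Review bot: In m_haproxy.cpp the fake `ssl_cert` built after the `PP2_CLIENT_SSL` test has no comment saying what it is relied on for; the reworded `cert->error` string is the only hint. Elsewhere in this diff `requiressl` is satisfied by `ok = (cert != NULL)` and the +z join check by `api->GetCertificate(user)` being non-NULL. So, assuming this object is attached to the user further down (outside the hunk), a proxied client counts as TLS-connected purely on a flag byte supplied by the proxy. I would add above the allocation: `// A non-NULL cert is what marks this user as TLS-connected for requiressl and +z; it is only as trustworthy as the proxy that set PP2_CLIENT_SSL.` The function body continues outside the hunk.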
@@ -140,7 +140,7 @@ class ModuleIRCv3STS : public Module if (saport != port) continue; - // Is this listener using SSL? + // Is this listener using TLS (SSL)? if (ls->bind_tag->getString("ssl").empty()) continue; diff --git a/src/modules/m_sslinfo.cpp b/src/modules/m_sslinfo.cpp index 4f784c87c..885ae6f74 100644 --- a/src/modules/m_sslinfo.cpp +++ b/src/modules/m_sslinfo.cpp @@ -138,7 +138,7 @@ class UserCertificateAPIImpl : public UserCertificateAPIBase void SetCertificate(User* user, ssl_cert* cert) CXX11_OVERRIDE { - ServerInstance->Logs->Log(MODNAME, LOG_DEBUG, "Setting SSL certificate for %s: %s", + ServerInstance->Logs->Log(MODNAME, LOG_DEBUG, "Setting TLS (SSL) client certificate for %s: %s", user->GetFullHost().c_str(), cert->GetMetaLine().c_str()); sslext.set(user, cert); } @@ -165,20 +165,22 @@ class CommandSSLInfo : public Command user->WriteNumeric(Numerics::NoSuchNick(parameters[0])); return CMD_FAILURE; } + bool operonlyfp = ServerInstance->Config->ConfValue("sslinfo")->getBool("operonly"); if (operonlyfp && !user->IsOper() && target != user) { - user->WriteNotice("*** You cannot view SSL certificate information for other users"); + user->WriteNotice("*** You cannot view TLS (SSL) client certificate information for other users"); return CMD_FAILURE; } + ssl_cert* cert = sslapi.GetCertificate(target); if (!cert) { - user->WriteNotice("*** No SSL certificate for this user"); + user->WriteNotice("*** No TLS (SSL) client certificate for this user"); } else if (cert->GetError().length()) { - user->WriteNotice("*** No SSL certificate information for this user (" + cert->GetError() + ")."); + user->WriteNotice("*** No TLS (SSL) client certificate information for this user (" + cert->GetError() + ")."); } else { 
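Review bot: In CommandSSLInfo (m_sslinfo.cpp) the `!cert` branch now says `"*** No TLS (SSL) client certificate for this user"`, but the header docs updated in this same commit state that `GetCertificate(User*)` returns NULL when the user is not using TLS (SSL) at all. With the narrower wording a plaintext user is reported as merely lacking a client certificate, which understates what the requester should learn. Consider `user->WriteNotice("*** This user is not connected using TLS (SSL)");` for that branch, provided the header contract holds for every implementation. The handler starts and ends outside the hunk.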
@@ -226,7 +228,7 @@ class ModuleSSLInfo whois.SendLine(RPL_WHOISSECURE, "is using a secure connection"); bool operonlyfp = ServerInstance->Config->ConfValue("sslinfo")->getBool("operonly"); if ((!operonlyfp || whois.IsSelfWhois() || whois.GetSource()->IsOper()) && !cert->fingerprint.empty()) - whois.SendLine(RPL_WHOISCERTFP, InspIRCd::Format("has client certificate fingerprint %s", cert->fingerprint.c_str())); + whois.SendLine(RPL_WHOISCERTFP, InspIRCd::Format("has TLS (SSL) client certificate fingerprint %s", cert->fingerprint.c_str())); } } @@ -320,12 +322,12 @@ class ModuleSSLInfo if (stdalgo::string::equalsci(requiressl, "trusted")) { ok = (cert && cert->IsCAVerified()); - ServerInstance->Logs->Log("CONNECTCLASS", LOG_DEBUG, "Class requires a trusted SSL cert. Client %s one.", (ok ? "has" : "does not have")); + ServerInstance->Logs->Log("CONNECTCLASS", LOG_DEBUG, "Class requires a trusted TLS (SSL) client certificate. Client %s one.", (ok ? "has" : "does not have")); } else if (myclass->config->getBool("requiressl")) { ok = (cert != NULL); - ServerInstance->Logs->Log("CONNECTCLASS", LOG_DEBUG, "Class requires SSL. Client %s using SSL.", (ok ? "is" : "is not")); + ServerInstance->Logs->Log("CONNECTCLASS", LOG_DEBUG, "Class requires a secure connection. Client %s on a secure connection.", (ok ? "is" : "is not")); } if (!ok) diff --git a/src/modules/m_sslmodes.cpp b/src/modules/m_sslmodes.cpp index 27f7a4af1..5c7f1fca1 100644 --- a/src/modules/m_sslmodes.cpp +++ b/src/modules/m_sslmodes.cpp @@ -60,7 +60,7 @@ class SSLMode : public ModeHandler { if (!API) { - source->WriteNumeric(ERR_ALLMUSTSSL, channel->name, "Unable to determine whether all members of the channel are connected via SSL"); + source->WriteNumeric(ERR_ALLMUSTSSL, channel->name, "Unable to determine whether all members of the channel are connected via TLS (SSL)"); return MODEACTION_DENY; } 
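Review bot: The reworded `RPL_WHOISCERTFP` text in the m_sslinfo.cpp whois hunk (`@@ -226,7 +228,7 @@`) changes a line that clients, bots or scripts may match literally to pick out a certificate fingerprint. The fingerprint is still the last token, but anything keyed on the old wording `has client certificate fingerprint` would stop matching, which matters if the result feeds an access decision. Either keep this one numeric's text unchanged or call the wording change out in the release notes. The enclosing handler starts outside the hunk.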
@@ -75,7 +75,7 @@ class SSLMode : public ModeHandler if (nonssl) { - source->WriteNumeric(ERR_ALLMUSTSSL, channel->name, InspIRCd::Format("All members of the channel must be connected via SSL (%lu/%lu are non-SSL)", + source->WriteNumeric(ERR_ALLMUSTSSL, channel->name, InspIRCd::Format("All members of the channel must be connected via TLS (SSL) (%lu/%lu are non-TLS (SSL))", nonssl, static_cast(userlist.size()))); return MODEACTION_DENY; } @@ -167,13 +167,13 @@ class ModuleSSLModes { if (!api) { - user->WriteNumeric(ERR_SECUREONLYCHAN, cname, "Cannot join channel; unable to determine if you are an SSL user (+z is set)"); + user->WriteNumeric(ERR_SECUREONLYCHAN, cname, "Cannot join channel; unable to determine if you are a TLS (SSL) user (+z is set)"); return MOD_RES_DENY; } if (!api->GetCertificate(user)) { - user->WriteNumeric(ERR_SECUREONLYCHAN, cname, "Cannot join channel; SSL users only (+z is set)"); + user->WriteNumeric(ERR_SECUREONLYCHAN, cname, "Cannot join channel; TLS (SSL) users only (+z is set)"); return MOD_RES_DENY; } } @@ -243,7 +243,7 @@ class ModuleSSLModes Version GetVersion() CXX11_OVERRIDE { - return Version("Adds channel mode z (sslonly) which prevents users who are not connecting using TLS (SSL) from joining the channel and user mode z (sslqueries) to prevent messages from non-SSL users.", VF_VENDOR); + return Version("Adds channel mode z (sslonly) which prevents users who are not connecting using TLS (SSL) from joining the channel and user mode z (sslqueries) to prevent messages from non-TLS (SSL) users.", VF_VENDOR); } }; diff --git a/src/modules/m_starttls.cpp b/src/modules/m_starttls.cpp index 5280146cc..35e9985e9 100644 --- a/src/modules/m_starttls.cpp +++ b/src/modules/m_starttls.cpp 
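Review bot: The new `ERR_ALLMUSTSSL` text in the `@@ -75,7 +75,7 @@` hunk of m_sslmodes.cpp nests and repeats the parenthetical, `via TLS (SSL) (%lu/%lu are non-TLS (SSL))`, which is hard to read in a client. A shorter tail carries the same information: `"All members of the channel must be connected via TLS (SSL) (%lu/%lu are not)"`. The format arguments stay as they are, and the enclosing mode handler starts outside the hunk.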
@@ -65,7 +65,7 @@ class CommandStartTLS : public SplitCommand user->WriteNumeric(RPL_STARTTLS, "STARTTLS successful, go ahead with TLS handshake"); /* We need to flush the write buffer prior to adding the IOHook, - * otherwise we'll be sending this line inside the SSL session - which + * otherwise we'll be sending this line inside the TLS (SSL) session - which * won't start its handshake until the client gets this line. Currently, * we assume the write will not block here; this is usually safe, as * STARTTLS is sent very early on in the registration phase, where the -- 2.39.2